Security at Erdo

Our platform is built with layered safeguards across encryption, network isolation, and access controls.

Your Data is Encrypted

Data Encryption

Your data is encrypted in transit and at rest, with per-tenant key isolation.

AES-256 at rest: Your data is encrypted with AES-256 before it is written to disk.
Per-tenant key isolation: Each organization and dataset has its own key. A compromise in one tenant can't unlock another's data.

Secure Code Execution Sandbox

Analysis code runs inside a sandbox — an isolated, one-shot environment with no host access and no persistent state.

Kernel-level isolation: A kernel-level sandbox intercepts every system call, so untrusted code can never reach the host.
One-shot, ephemeral environments: A fresh sandbox per execution, destroyed when done. Nothing carries over.
Non-root, capability-dropped: Sandboxes run unprivileged — no root, no privilege escalation, no Linux capabilities.
Network egress restricted: Sandboxes cannot reach internal services or cloud metadata endpoints.
Enforced resource limits: CPU, memory, runtime, output, and upload counts are capped. Runaway workloads are terminated.
Path traversal defences: Input paths are validated against a strict blocklist. Only an ephemeral workdir is writable.

Network Isolation

Production compute has no public IPs, and the code execution environment is separated from the rest of the platform.

Isolated code execution environment: The code execution environment runs in its own VPC. The only path between it and the main application is through authenticated APIs.
Private compute: Production compute has no public IPs. Inbound traffic reaches only authenticated endpoints.

Authentication & Access Control

Scoped tokens and layered RBAC control access to your data.

Scoped, revocable tokens: API tokens carry resource-level scopes and can be revoked immediately.
Layered role-based access control: Requests are checked against authorizers for users, organizations, projects, datasets, and integrations.
Encrypted integration credentials: OAuth tokens and API keys are encrypted with per-dataset keys and refreshed through the upstream provider.
SSO supported: Single sign-on is supported for Enterprise customers — contact us to enable it.

Infrastructure Security

Hardened, managed cloud infrastructure with continuous patching and least-privilege IAM.

Hardened compute: Workloads run on shielded, hardened nodes with integrity monitoring and automated security patching.
Federated identity: Services authenticate through federated identity. No long-lived credentials are stored on nodes.
Continuous posture scanning: Workloads and container images are continuously scanned for known vulnerabilities and misconfigurations.
Least-privilege IAM: Service accounts hold only the roles they need. No blanket project-level access.
Managed database with point-in-time recovery: Automated backups and point-in-time recovery on a managed database service.

Change Management & Release Integrity

Changes to application and infrastructure code are reviewed, tracked, and reproducible.

Version-controlled infrastructure: Production infrastructure is defined as code. Changes are reviewed and tracked in git; environments are rebuilt from that code, never hand-tuned.
Signed container images: Container images for our code execution environment are cryptographically signed at build time and verified before deploy.

Logging & Audit Trail

Requests, queries, and code executions are logged so we can reconstruct what happened, when, and on whose behalf.

Structured request logging: API calls are logged with full context for audit and incident review.
Query and execution audit: Queries and sandbox executions are logged with user context.
Distributed tracing: Requests are traced across services so we can follow the full path of any action.
Per-token usage tracking: API tokens record their last use, so stale ones are easy to find and revoke.
Security incident response: Production is monitored continuously with on-call alerting. If a security issue affects your data, we notify you.

Data Retention & Deletion

You control your data lifecycle. Retention and deletion follow the commitments in our privacy policy.

Customer-controlled deletion: Delete individual datasets, integrations, threads, and artifacts from the product at any time. Account deletion requests are honoured within 30 days per our privacy policy.
Complete dataset purge: Deleting a dataset is a hard delete — stored items, embeddings, analyses, and credentials are all removed.
Backup lifecycle: Deleted data clears from backups within the managed retention window.
Account-scoped conversation history: Conversations and AI interactions are stored only for the lifetime of your account.

Our team works under least-privilege access. Most employees never see customer data.

Minimal employee access: Employees only access systems required for their role.
Per-employee database credentials: Individual credentials ensure complete audit trails.
2FA enforced everywhere: Multi-factor authentication protects internal and third-party systems.

Formal attestations are in progress. The policies and commitments below are live today.

SOC 2 Type II: We're actively working on our SOC 2 Type II compliance.
HIPAA: We're actively working on our HIPAA compliance.
Privacy policy: See /privacy for details on data handling, sub-processors, and retention.
Terms of service: See /terms for commercial and usage obligations.
Responsible disclosure: Report security issues to [email protected]. We aim to acknowledge within one business day.

The basics you'd expect from any serious platform — we do these too.

TLS everywhere: TLS 1.2+ on every external endpoint and every service-to-service call.
Secrets in a managed vault: Production secrets live in a managed vault with IAM-controlled access.
Hashed API tokens: API tokens are stored as salted hashes; plaintext is shown once at creation.
Protected edge: The API is served through a managed global edge that absorbs attack traffic and keeps you connected.
Peer-reviewed code: Application and infrastructure changes are reviewed before merge and deployed through CI.
Per-token rate limiting: Per-token rate limits at the auth layer protect against brute-force and abuse.
OAuth state validation: OAuth flows validate single-use state parameters to prevent CSRF and replay.
Dependency scanning: Dependencies are checked for known vulnerabilities in CI.