Security and data privacy, designed for the regulated enterprise

Our clients include banks, insurers, healthcare payers, and federal contractors. Their security teams set the bar. We meet it — by design, not by exception.

Certifications & frameworks

The compliance evidence your security team will ask for

SOC 2 Type II

Annual independent audit of security, availability, and confidentiality controls.

ISO/IEC 27001:2022

Information Security Management System certified by an accredited registrar.

HIPAA

Business Associate Agreement-ready, with technical and administrative safeguards.

PCI DSS Level 1

Payment Card Industry Data Security Standard compliance for card-data-adjacent work.

GDPR & CCPA

Privacy-by-design controls and documented data processor agreements.

FedRAMP Moderate (in process)

Authorization in process; expected completion mid-2026.

Audit reports and questionnaires are available under NDA. Contact security@apisonhooks.com.

Data principles

Four rules that govern every byte of customer data we touch

01 Customer data stays in customer environments

By default, our agents read and write only against your cloud, your VPC, your databases. Egress out of your environment is the exception, not the default — and requires explicit contractual permission.

02 Encryption at rest and in transit, no exceptions

AES-256 at rest, TLS 1.3 in transit. Customer-managed keys via KMS or equivalent are supported in every deployment. We never log unencrypted PII or PHI.

03 Least-privilege everywhere

Each agent operates under its own scoped credentials with the narrowest permissions required. No shared service accounts. No standing admin access. All sensitive operations gated through approval workflows.

04 Inputs and outputs are first-class data

Prompts, retrieval contexts, and model outputs are treated as customer data: encrypted, access-controlled, subject to retention policies, and excluded from any model training without explicit opt-in.

Incident response

Five steps, every time, no improvisation

1. Detect

24/7 monitoring with anomaly detection on access patterns, decision distributions, and infrastructure health.

2. Triage

On-call SRE confirms severity within 15 minutes of alert. Severity-1 issues get a named incident commander immediately.

3. Notify

For confirmed incidents affecting customer data, we notify the customer security contact within 4 hours, ahead of any regulatory clock.

4. Contain & remediate

Standard runbooks for the most common scenarios. Custom response for novel situations, with the customer in the loop.

5. Post-mortem

Blameless post-mortem within 5 business days, shared with the customer in full. Root cause, contributing factors, and the remediation plan.

Responsible disclosure

We invite security researchers to find what we missed

We operate a private bug bounty program with a vetted community of security researchers and welcome responsible disclosures from anyone outside the program.

Email security@apisonhooks.com with details. We acknowledge within one business day, triage within five, and credit researchers in our security advisories.

PGP key fingerprint

9F2D 4A1B 88E5 7C3F 0B14 6D29 A4E7 5B82 FF11 3C04

Available at apisonhooks.com/pgp.asc

Want our security questionnaire?

We'll send our completed CAIQ, SIG, and SOC reports under NDA, usually within one business day.