AI Control Plane

Trust — AI Control Plane

Last updated: 2026-05-10. Applies to controller.intelxview.com.

This page summarises how IntelXview operates the AI Control Plane ("ACP") securely. It complements the Privacy Notice and is intended for enterprise buyers evaluating ACP for their organisation.

Security posture in one page

  • Identity: Keycloak OIDC with JWKS-validated RS256 tokens; custom email-OTP MFA authenticator mandatory for all management-plane and OrgAdmin roles.
  • Authorisation: OPA policy-as-code with default-deny; explicit approval workflow for sensitive actions; approver must differ from requester (enforced in code).
  • Tenant isolation: three independent layers — strict membership check at the API, OPA policy gates, and PostgreSQL Row-Level Security on all tenant-scoped tables.
  • Secrets: HashiCorp Vault with AppRole authentication, TLS with CA pinning, persistent audit device.
  • LLM request handling: PII scrubber runs before any upstream call; no raw prompt or response content is retained — only SHA-256 hashes and operational metadata, for 30 days.
  • Change management: PR flow with required status checks (OpenAPI, OPA tests, PDP regression, backend compile, frontend build, supply-chain audit); semver-tagged CD; SECURITY_CHANGELOG entry required for security-relevant changes; branch protection evidence is published for reviewer diligence.
  • Observability: Prometheus metrics; severity-routed Alertmanager pipeline with deadman's-switch heartbeat; per-alert runbooks deep-linked from rule definitions.
  • Recovery: RTO 4h / RPO 24h. DR runbooks for Postgres, Vault, Keycloak. Annual DR exercise calendar.

Compliance programme

IntelXview is running a continuous SOC 2 readiness programme. As of 2026-05-10 the internal gap assessment scored ~94 % readiness across Trust Services Criteria for Security, Confidentiality, Privacy, and Processing Integrity (Availability is out of scope for this pass). No criterion is currently scored Gap.

Full readiness detail is available under NDA: we can share the internal gap register and the executive summary PDF. This page is not a SOC 2 report. A formal SOC 2 engagement will be undertaken by a licensed CPA firm once remaining readiness items close.

Data handling at a glance

| Class | Example | Retention | TLS | At rest |
|---|---|---|---|---|
| Restricted (raw prompts / responses) | Customer LLM content | Not retained | Yes | |
| Restricted (secrets) | API keys, tokens | Until rotated | Yes | Vault |
| Confidential (customer identity) | Email, tenant ID | Closure + 30 d | Yes | Yes |
| Confidential (audit events) | Authorisation decisions | 7 years | Yes | Yes |
| Confidential (LLM audit meta) | Hashes, provider, latency | 30 days | Yes | Yes |
| Operational telemetry | Metrics, traces | 15 days | Yes | Yes |

Subprocessors

  • DigitalOcean — hosting, Kubernetes, managed PostgreSQL
  • GitHub — source hosting and CI/CD
  • Stripe — billing and payment processing
  • Google Workspace — transactional email
  • OpenAI — LLM completion provider (when routed)
  • Anthropic — LLM completion provider (when routed)
  • DeepSeek — LLM completion provider (when routed) — flagged: prompts transit CN infrastructure; formal DPA pending. Tenant admins can opt out by contacting [email protected].
  • Cloudflare — Workers AI LLM backend

Material changes to the subprocessor list are notified to tenant admins at least 15 days in advance.

Reporting a vulnerability

Please send responsible-disclosure reports to [email protected]. We operate a published vulnerability-disclosure policy with defined SLAs (acknowledgement within 3 business days; full assessment within 7 business days). Researchers acting in good faith within the terms of the policy will not be pursued legally.

Asking for more

Enterprise buyers, procurement, technical deep dives (threat model, SBOM, pen-test evidence when available), and customer audits under your own framework: email [email protected]. We share under NDA.

What you won't find here

Detailed architectural diagrams that would aid an attacker, specific IP addresses or internal hostnames, or live secrets. That level of detail is shared under NDA or via an audit agreement.


This page is maintained in docs/compliance/customer-facing/trust-overview.md in the ACP repository. Change log is in version control.