1. Our Security Commitment
Security is a foundational requirement of IntelliCorp AI, not an afterthought. We handle sensitive enterprise data — HR policies, employee queries, and organisational knowledge — and we take that responsibility seriously.
This page describes the technical and organisational measures we implement to protect your data. If you are a security researcher who has identified a potential vulnerability, please refer to our Responsible Disclosure section below.
2. Infrastructure Security
2.1 Cloud Infrastructure
IntelliCorp AI runs on enterprise-grade cloud infrastructure with the following protections:
- All services run within private virtual networks with strict inbound/outbound firewall rules
- Database servers are not exposed to the public internet; access is restricted to application servers via private networking
- Infrastructure is provisioned via code (IaC), ensuring consistent, auditable configurations
- Automated vulnerability scanning runs on all container images before deployment
2.2 Data Encryption
All data is encrypted both in transit and at rest:
In transit: All API traffic uses TLS 1.3. We enforce HTTPS-only access with HTTP Strict Transport Security (HSTS). Certificates are managed with automatic renewal.
At rest: Database volumes are encrypted using AES-256. Vector embeddings (pgvector) are stored alongside document content and are encrypted at the storage layer.
Backups: Database backups are encrypted with a separate key and stored in a geographically distinct location.
2.3 Network Security
- DDoS protection is active at the network edge
- Rate limiting is enforced at the API layer to prevent abuse and brute-force attacks
- All administrative access to production systems requires VPN and multi-factor authentication
- Outbound traffic to AI provider APIs is logged and monitored for anomalies
3. Application Security
3.1 Authentication
Password security: Passwords are hashed using bcrypt with a cost factor of 12. We never store passwords in plain text or reversible encrypted form.
JWT tokens: Session tokens are signed with HMAC-SHA256. Access tokens expire after 60 minutes. All tokens are invalidated on logout.
OTP verification: Registration and phone verification require a 6-digit time-limited OTP. OTPs expire after 10 minutes and are rate-limited (1 per minute per target). After 5 failed attempts, the OTP is invalidated.
Social OAuth: OAuth flows use the Authorization Code Grant. State parameters are validated to prevent CSRF attacks. We only accept OAuth logins from work email domains.
3.2 Authorisation & Multi-Tenancy
IntelliCorp AI enforces strict tenant isolation at every layer:
- Every API request validates the requesting user's role against the target tenant
- Database queries always include a tenant_id predicate — cross-tenant data access is structurally impossible
- Role hierarchy is enforced: employees cannot access HR dashboards; HR cannot access admin settings; admins cannot access superadmin functions
- All privilege escalation paths require the issuing authority (e.g., only org_admin can grant org_hr role)
3.3 Input Validation & Injection Prevention
- All API inputs are validated using Pydantic v2 schemas with strict type enforcement
- Database queries use SQLAlchemy ORM with parameterised statements — raw SQL is not used, eliminating SQL injection vectors
- File uploads are validated for type, size, and content before processing
- AI prompt inputs are scoped to the user's tenant context; cross-tenant prompt injection is architecturally prevented
3.4 Dependency Security
- Dependencies are pinned to specific versions and reviewed on every update
- Automated dependency vulnerability scanning runs on each pull request
- We follow a 30-day patching policy for critical CVEs and 90 days for high-severity issues
4. AI & Data Pipeline Security
Prompt isolation: Each AI request includes only the context relevant to the user's query and their tenant's knowledge base. No data from other tenants is ever included in a prompt.
No model training on your data: Under our enterprise agreements with OpenAI, Anthropic, and Google, your data is not used to train or fine-tune their models. API calls are subject to the providers' enterprise data processing terms.
RAG pipeline security: Document embeddings are stored per-tenant in isolated pgvector indices. Semantic search is scoped to the authenticated user's tenant. Retrieved document chunks are filtered before being included in AI context.
Token logging: We log token counts (not message content) for billing and analytics. Conversation content in analytics is aggregated and anonymised.
5. Organisational Security
Access controls: Production system access is limited to engineers with a documented business need. Access is reviewed quarterly.
Background checks: All IntelliCorp AI employees and contractors with access to production systems undergo background verification.
Security training: Team members complete annual security awareness training covering phishing, social engineering, and secure coding practices.
Incident response: We maintain a documented incident response plan. In the event of a confirmed data breach affecting your organisation, we will notify you within 72 hours in accordance with GDPR Article 33 requirements.
Vendor management: All sub-processors are assessed for security posture before onboarding and are contractually required to maintain appropriate safeguards.
6. Compliance & Certifications
GDPR: Our data processing practices are designed to comply with the General Data Protection Regulation. We offer Data Processing Agreements (DPAs) to enterprise customers on request.
SOC 2 Type II: SOC 2 Type II certification is on our 2026 roadmap. Enterprise customers can request our current security posture documentation.
Data residency: Data is currently processed and stored within cloud regions in Asia-Pacific. Enterprise customers with specific data residency requirements should contact us to discuss options.
Password standards: We follow NIST SP 800-63B guidelines for authentication assurance.
7. Responsible Disclosure
We welcome reports from security researchers who discover potential vulnerabilities in IntelliCorp AI. We commit to working with you in good faith to understand and address valid findings.
How to report:
Email: security@intellicorp.ai
Subject line: [SECURITY] Brief description of issue
PGP key: Available on request
Please include:
- A clear description of the vulnerability
- Steps to reproduce the issue
- Potential impact assessment
- Any proof-of-concept code or screenshots
Our commitments:
- Acknowledge receipt within 2 business days
- Provide an initial assessment within 7 business days
- Keep you updated on remediation progress
- Credit you in our acknowledgements (unless you prefer anonymity)
Scope — in scope:
- api.intellicorp.ai and all subdomains
- IntelliCorp AI web application (app.intellicorp.ai)
- Authentication and session management
- Multi-tenant data isolation
Out of scope:
- Denial of service attacks
- Social engineering of IntelliCorp AI staff
- Physical security
- Issues in third-party services we do not control
We ask that you do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it (coordinated disclosure). We will not pursue legal action against researchers who act in good faith.
8. Security Contact
For security-related inquiries:
Security Team
Email: security@intellicorp.ai
Response SLA: 2 business days for reports, 24 hours for active incidents
For general questions about our security practices or to request a security questionnaire, contact us at security@intellicorp.ai.