Tenant Isolation
yAI deploys per tenant inside your Azure or AWS environment. Data, embeddings, model traffic, and audit logs stay inside your perimeter.
Airtight security for firmwide execution.
Deployed inside your cloud, verified at the claim, and never trained on your data.
01 / Compliance
Designed to meet the security, privacy, and recordkeeping standards regulated firms run on, with documentation available on request.
02 / Data Security
No Training on Customer Data
yAI never trains on customer data. Each tenant runs against an isolated model endpoint. No shared corpus. No cross-tenant data flow.
End-to-End Encryption
Data is encrypted at rest with AES-256 and in transit with TLS 1.3. Keys live in your Azure Key Vault or AWS KMS. yAI never holds key material.
03 / Network Security
Network Segmentation
Private endpoints for storage, secrets, and database services. Network rules deny by default; only HTTPS and authenticated database traffic are allowed. On AWS, Bedrock calls route through VPC endpoints, so model traffic never hits the public internet.
Customer-Controlled Egress
Optional NAT Gateway gives each deployment a static outbound IP. Partners can allowlist your traffic for SFTP transfers, webhooks, and vendor APIs.
04 / Identity & Access
Zero-Trust Authentication
Workloads authenticate via Azure Managed Identity and AWS IAM federation. No static API keys in code. Secrets load from your Key Vault at deploy time.
Granular RBAC
Four roles enforced application-wide: User, Approver, Compliance Officer, and Admin. Approver scope is bound per tenant. Compliance Officer gets read-only visibility into audit and deletion workflows.
Four-Eyes Deletion
Deletions require two approvers. Requests move through pending, approved, rejected, and executed. Self-approval is blocked. Every transition lands in the audit trail with actor, timestamp, and notes.
ComputeApp Service · APIMFastAPI · Entra RBAC
ModelsClaude · GPT-5Bedrock · Azure OpenAI · Private link
DataPostgres · Cosmos · Neo4jEncrypted at rest
IdentityAzure Key VaultEntra MI · No shared keys
Audit trailPostgres events · WORM Blob · 7yr · SHA-256
05 / AI Verification
Claim-Level Verification
A post-processing layer checks every claim against the evidence in its cited passages. Each claim returns supported or unsupported, with reasoning and evidence.
Cited Outputs
Every claim ties back to the source passage that supports it. Citations are structured and exportable, so compliance can trace any output to the underlying document.
Model-Layer Guardrails
AWS Bedrock Guardrails run on every inference call. Content filters block hate, violence, misconduct, and prompt injection. Sensitive-data detection covers emails, phone numbers, SSNs, bank accounts, and credit cards.
06 / Recordkeeping & Audit
Immutable Audit Trail
Every prompt, retrieval, model response, and generated artifact lands in an immutable audit log. Timestamped, filterable, exportable for compliance review.
WORM Archival & 7-Year Retention
Built for SEC 17a-4 books-and-records. Audit events archive daily to write-once Blob storage, retained seven years by default. SHA-256 checksums provide tamper evidence.
07 / Operations
Reserved Capacity SLAs
Optional reserved Claude capacity per tenant. Sonnet, Haiku, and Opus throughput available on a one-month or six-month commit, keeping production latency off shared capacity.
08 / Subprocessors
Third parties that may process customer data on yAI's behalf, bound by data-processing agreements.
| Vendor | Purpose | Region |
|---|---|---|
| Anthropic | Model inference, served via Amazon Bedrock | Customer tenant region |
| OpenAI | Embeddings (text-embedding-3-large) | Customer tenant region |
| Microsoft Azure | Infrastructure host on Azure deployments | Customer-selected |
| Amazon Web Services | Infrastructure host on AWS deployments | Customer-selected |
All subprocessors are bound by data-processing agreements.
Built inside the firms.
yAI was built inside the firms it now serves. Every architectural decision begins with what compliance, IT, and legal will approve. Isolation, audit logging, and guardrails are present by construction.
10 / Documentation
Full security documentation is available under NDA. We embed on-site during onboarding to walk your security team through the deployment.
| Document | Description |
|---|---|
| Architecture diagrams | Tenant topology and data flow |
| Data flow and retention | What's stored where, retention windows, deletion paths |
| Control mappings | Internal controls aligned to your framework |
| DPA (Data Processing Agreement) | Standard contractual terms |