1. The Zero Egress Promise
At AIPrunr, we believe that the best way to secure your data is not to touch it. Our architecture is
fundamentally designed around "Zero Egress" and strict least-privilege principles.
AIPrunr runs entirely within your infrastructure (On-Premise or Private Cloud). Your credentials,
cloud resource data, and financial insights never leave your network.
2. Data Handling & Residency
Because AIPrunr operates as a self-hosted appliance, you retain absolute sovereignty over your data.
- Data Residency: All data stored by AIPrunr resides on the disk of the machine where you install it. We have no cloud database that mirrors your sensitive information.
- Data Retention: You control the retention period. You can purge data at any time using the built-in "Data Purge" tools in the dashboard.
- No Telemetry: The appliance does not send usage metrics, crash reports, or metadata to AIPrunr HQ.
3. Encryption Standards
We enforce industry-standard encryption for data at rest and in transit.
- At Rest: If you use our encrypted credential storage, API keys are encrypted using AES-256-GCM before being written to the local database.
- In Transit: The dashboard is served via HTTPS (with HSTS enabled). All calls to your cloud providers (AWS, Azure, GCP) use TLS 1.2+ encrypted channels.
4. IAM Read-Only Access Model
AIPrunr requires Read-Only permissions to function. We never ask for write or delete
permissions on your cloud resources. This ensures that a compromised AIPrunr instance cannot disrupt
your production services.
Sample AWS IAM Policy
Attach this policy to the IAM User or Role used by AIPrunr. It grants strictly read-only access to
cost and usage data.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AIPrunrReadOps",
      "Effect": "Allow",
      "Action": [
        "ce:GetCostAndUsage",
        "ce:GetCostForecast",
        "ec2:DescribeInstances",
        "ec2:DescribeVolumes",
        "ec2:DescribeSnapshots",
        "ec2:DescribeAddresses",
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation",
        "rds:DescribeDBInstances",
        "rds:DescribeDBClusters"
      ],
      "Resource": "*"
    }
  ]
}
```
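A pre-attachment check for the read-only claim, as an added example that is not AIPrunr's own code: it parses a policy document and reports every Allow statement that grants more than explicit Get/List/Describe actions. The prefix list, the function names and the second sample policy are assumptions constructed for illustration.

```python
import json

# Verb prefixes treated as read-only (an assumption of this example, not an AWS-defined list).
READ_ONLY_PREFIXES = ("get", "list", "describe")

# The sample policy from this page, condensed onto fewer lines.
PAGE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AIPrunrReadOps", "Effect": "Allow", "Resource": "*",
    "Action": ["ce:GetCostAndUsage", "ce:GetCostForecast", "ec2:DescribeInstances",
               "ec2:DescribeVolumes", "ec2:DescribeSnapshots", "ec2:DescribeAddresses",
               "s3:ListAllMyBuckets", "s3:GetBucketLocation",
               "rds:DescribeDBInstances", "rds:DescribeDBClusters"]}]})

# Constructed counter-example: an over-broad policy that must not pass review.
DRIFTED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "Drifted", "Effect": "Allow", "Resource": "*",
    "Action": ["ec2:Describe*", "ec2:TerminateInstances", "s3:*", "*"]}]})

def _as_list(value):
    """IAM accepts either a single string or a list for Action."""
    return [value] if isinstance(value, str) else list(value)

def audit_policy(policy_json):
    """Return findings for Allow statements that grant more than explicit read actions."""
    findings = []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given without a list
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if "NotAction" in stmt:
            findings.append(f"{sid}: Allow with NotAction grants every action not listed")
        for action in _as_list(stmt.get("Action", [])):
            service, _, verb = action.partition(":")
            if not verb or "*" in service:
                findings.append(f"{sid}: {action} is not scoped to one service")
            elif not verb.lower().startswith(READ_ONLY_PREFIXES):
                findings.append(f"{sid}: {action} is not a Get/List/Describe action")
            elif "*" in verb or "?" in verb:
                findings.append(f"{sid}: {action} uses a wildcard; list exact actions")
    return findings

if __name__ == "__main__":
    for name, doc in (("page policy", PAGE_POLICY), ("drifted policy", DRIFTED_POLICY)):
        print(name, "->", audit_policy(doc) or "read-only")
```

A clean result only shows that the policy cannot modify resources; whether each readable API exposes data you consider sensitive is a separate review.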
5. Security Review Simplified
We understand the rigor of corporate security procurement. To accelerate your internal approval
process, we provide a pre-packaged **Security Pack** under NDA.
Enterprise Security Pack Includes:
- SIG Lite Questionnaire: Pre-filled with forensic technical details.
- ISO 27001 Roadmap: Detailed alignment for your ISMS audit.
- SOC 2 Type II Gap Analysis: Transparent view of our security posture.
- Reference Architecture: Deep-dive into VPC/NSG flow log ingestion.
6. Vulnerability Management
We publish a Software Bill of Materials (SBOM) with every release. We patch critical CVEs within 48
hours of disclosure.