Security & Compliance

1. The Zero Egress Promise

At AIPrunr, we believe that the best way to secure your data is not to touch it. Our architecture is fundamentally designed around "Zero Egress" and strict least-privilege principles.

AIPrunr runs entirely within your infrastructure (On-Premise or Private Cloud). Your credentials, cloud resource data, and financial insights never leave your network.

2. Data Handling & Residency

Because AIPrunr operates as a self-hosted appliance, you retain absolute sovereignty over your data.

Data Residency: All data stored by AIPrunr resides on the disk of the machine where you install it. We have no cloud database that mirrors your sensitive information.
Data Retention: You control the retention period. You can purge data at any time using the built-in "Data Purge" tools in the dashboard.
No Telemetry: The appliance does not send usage metrics, crash reports, or metadata to AIPrunr HQ.

3. Encryption Standards

We enforce industry-standard encryption for data at rest and in transit.

At Rest: If you use our encrypted credential storage, API keys are encrypted using AES-256-GCM before being written to the local database.
In Transit: The dashboard is served via HTTPS (with HSTS enabled). All calls to your cloud providers (AWS, Azure, GCP) use TLS 1.2+ encrypted channels.

4. IAM Read-Only Access Model

AIPrunr requires Read-Only permissions to function. We never ask for write or delete permissions on your cloud resources. This ensures that a compromised AIPrunr instance cannot disrupt your production services.

Sample AWS IAM Policy

Attach this policy to the IAM User or Role used by AIPrunr. It grants strictly read-only access to cost and usage data.

                    {
                    "Version": "2012-10-17",
                    "Statement": [
                    {
                    "Sid": "AIPrunrReadOps",
                    "Effect": "Allow",
                    "Action": [
                    "ce:GetCostAndUsage",
                    "ce:GetCostForecast",
                    "ec2:DescribeInstances",
                    "ec2:DescribeVolumes",
                    "ec2:DescribeSnapshots",
                    "ec2:DescribeAddresses",
                    "s3:ListAllMyBuckets",
                    "s3:GetBucketLocation",
                    "rds:DescribeDBInstances",
                    "rds:DescribeDBClusters"
                    ],
                    "Resource": "*"
                    }
                    ]
                    }
                

5. Compliance Verification

Since AIPrunr is installed in your environment, it inherits your existing compliance controls (SOC2, HIPAA, GDPR).

Audit Logging: All access to the AIPrunr dashboard is logged locally.
Network Isolation: You can (and should) deploy AIPrunr in a private subnet with no internet ingress.

6. Vulnerability Management

We publish a Software Bill of Materials (SBOM) with every release. We patch critical CVEs within 48 hours of disclosure.