Aten Security · Trust & Compliance
Security is the product,
not the pitch.
We built a governance product for regulated industries. That means our own security posture has to be auditable, verifiable, and explainable. It's the same standard we hold your AI agents to.
Compliance & certifications
Every major framework. Runtime-enforced.
These are not documentation-only controls. Thoth policy packs enforce framework requirements as runtime decisions.

SOC 2 Type II
Annual third-party audit covering security, availability, and confidentiality controls.

ISO 42001
AI management system standard. The ISO framework built specifically for AI governance.

GDPR
Data subject rights, processing records, and controller/processor agreements in place.

CISA
Aligned with CISA Secure by Design principles and AI cybersecurity guidance.

HIPAA
BAA available. PHI handling controls, minimum-necessary enforcement built into policy packs.

EU AI Act
Automated WORM-compliant logging satisfies Article 12 record-keeping requirements.

AARM
Runtime implementer in the AARM Foundation Technical Working Group. Conformance review in progress.

NIST AI RMF
Human oversight gates, behavioral baselines, and risk measurement aligned to NIST AI RMF.
Architecture
Built for regulated environments.
Enterprise security requirements shaped the core architecture.
Hash-chained audit log
Every enforcement event is written to a WORM-compliant hash chain. Each record includes the previous record's hash, making insertion, deletion, or tampering cryptographically detectable.
Sub-100ms enforcement path
The local policy evaluation layer runs in <15ms. The MOSES fast-ML tier clears 85% of traffic in <100ms. No action is held pending a network round-trip to an external service.
Fail-closed enforcement path
If the enforcer path is unavailable, enforcement returns BLOCK by default to prevent unsafe execution. For staged rollouts, shadow mode remains non-blocking and lets teams observe behavior before enabling hard enforcement.
Customer-managed keys
All behavioral telemetry is encrypted at rest using AWS KMS CMKs. Each customer has their own key. We cannot read your agent data without your key.
Zero persistent agent credentials
The Thoth SDK instruments your agent's tool calls. It does not store credentials, API keys, or session tokens. Enforcement happens on the call metadata, not the underlying access.
Tenant isolation
Each enterprise customer runs in an isolated VPC with dedicated compute, storage, and KMS keys. There is no shared data plane between customers.
Data handling
We govern AI agents.
We hold ourselves to the same standard.
Thoth observes tool call metadata, not content. We never see the payload of a tool call, never store API credentials, and never retain PII from agent responses.
The WORM audit log stores only what's necessary to prove enforcement held: agent identity, tool name, timestamp, decision, and the behavioral score that drove it.
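The hash-chained audit log described under Architecture, carrying the fields listed above, can be sketched as follows. This is an added example, not Aten's or Thoth's code: SHA-256 over canonical JSON, the all-zero genesis value, the field names, and the sample events are all assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash for the first record

def record_hash(body):
    # Canonical JSON (sorted keys, fixed separators) keeps the digest reproducible.
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()

def append(chain, agent, tool, ts, decision, score):
    # Field names are assumptions modelled on the fields the page lists.
    body = {"agent": agent, "tool": tool, "ts": ts, "decision": decision,
            "score": score,
            "prev_hash": chain[-1]["hash"] if chain else GENESIS}
    chain.append(dict(body, hash=record_hash(body)))
    return chain[-1]["hash"]

def verify(chain, expected_head=None):
    """Return (ok, index of the first record that breaks the chain, or None)."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec.get("prev_hash") != prev or record_hash(body) != rec.get("hash"):
            return False, i
        prev = rec["hash"]
    # Dropping records from the tail leaves a shorter chain that still links;
    # only a head hash kept outside the log exposes that.
    if expected_head is not None and prev != expected_head:
        return False, len(chain)
    return True, None

def build_sample():
    # Constructed sample events, not real telemetry.
    chain = []
    append(chain, "agent-7", "crm.lookup", "2025-01-01T00:00:00Z", "ALLOW", 0.12)
    append(chain, "agent-7", "payments.refund", "2025-01-01T00:00:03Z", "BLOCK", 0.91)
    append(chain, "agent-9", "email.send", "2025-01-01T00:00:05Z", "ALLOW", 0.20)
    append(chain, "agent-9", "files.delete", "2025-01-01T00:00:09Z", "BLOCK", 0.88)
    return chain

if __name__ == "__main__":
    log = build_sample()
    head = log[-1]["hash"]
    print("intact:", verify(log, head))
    log[1]["decision"] = "ALLOW"  # simulate an in-place edit of a stored record
    print("edited:", verify(log, head))
```

An auditor needs the head hash from a source the log writer cannot rewrite; without it, edits, insertions and mid-chain deletions are caught but tail truncation is not.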
Responsible Disclosure
Found something? Tell us first.
We take security reports seriously and respond within 24 hours. We do not pursue legal action against good-faith security researchers.
security@atensecurity.com
Penetration Testing
Annual third-party pen tests.
Conducted by an independent firm on a rolling annual schedule. Results are reviewed by our advisory board and incorporated into the roadmap.
Trust Center
Questions?
We answer security questionnaires.
Send your vendor security questionnaire to security@atensecurity.com. We respond within 2 business days.
Visit Trust Center