Aten Security · Trust & Compliance

Security is the product, not the pitch.

We built a governance product for regulated industries. That means our own security posture has to be auditable, verifiable, and explainable — the same standard we hold your AI agents to.

Every major framework. Runtime-enforced.

These aren't documentation exercises. Thoth's compliance packs enforce each framework's requirements as active runtime policy.

SOC 2 Type II

Annual third-party audit covering security, availability, and confidentiality controls.

Certified

ISO 42001

AI management system standard. The ISO framework built specifically for AI governance.

Certified

GDPR

Data subject rights, processing records, and controller/processor agreements in place.

Ready

CISA

Aligned with CISA Secure by Design principles and AI cybersecurity guidance.

Aligned

HIPAA

BAA available. PHI handling controls, minimum-necessary enforcement built into policy packs.

Compliant

EU AI Act

Automated WORM-compliant logging satisfies Article 12 record-keeping requirements.

Art. 12 Ready

AARM

Runtime implementer in the AARM Foundation Technical Working Group. Conformance review in progress.

TWG Member

NIST AI RMF

Human oversight gates, behavioral baselines, and risk measurement aligned to NIST AI RMF.

Aligned

Built for regulated environments.

Enterprise security requirements shaped every architectural decision from day one.

Hash-chained audit log

Every enforcement event is written to a WORM-compliant hash chain. Each record includes the previous record's hash — making insertion, deletion, or tampering cryptographically detectable.
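A sketch of how such a chain can be verified, added here as an illustration and not Thoth's own code. The record layout, the field names (modeled on the fields this page says the audit log stores), the all-zero genesis value, and the use of SHA-256 over canonical JSON are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash for the first record

# Constructed sample events; field names are assumptions, not Thoth's schema.
EVENTS = [
    {"agent_id": "agent-a", "tool": "db.query", "ts": "2025-01-01T00:00:00Z", "decision": "allow", "score": 0.12},
    {"agent_id": "agent-a", "tool": "fs.delete", "ts": "2025-01-01T00:00:05Z", "decision": "block", "score": 0.91},
    {"agent_id": "agent-b", "tool": "http.post", "ts": "2025-01-01T00:00:09Z", "decision": "allow", "score": 0.30},
]

def record_hash(body):
    # Canonical JSON (sorted keys, fixed separators) so hashing is deterministic.
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()

def build_chain(events):
    chain, prev = [], GENESIS
    for seq, event in enumerate(events):
        body = {"seq": seq, "prev_hash": prev, **event}
        prev = record_hash(body)
        chain.append({**body, "hash": prev})
    return chain

def verify(chain, expected_head=None):
    """Return (ok, index of first bad record or None, reason)."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec.get("seq") != i:
            return False, i, "sequence gap"
        if rec.get("prev_hash") != prev:
            return False, i, "broken link"
        if record_hash(body) != rec.get("hash"):
            return False, i, "record altered"
        prev = rec["hash"]
    # The chain alone cannot show that trailing records were dropped; that
    # needs the latest hash kept somewhere the log writer cannot modify.
    if expected_head is not None and prev != expected_head:
        return False, len(chain), "head mismatch"
    return True, None, "ok"

if __name__ == "__main__":
    chain = build_chain(EVENTS)
    print(verify(chain, expected_head=chain[-1]["hash"]))
    print(verify(chain[:-1]), verify(chain[:-1], expected_head=chain[-1]["hash"]))
```

Edits and removals in the middle of the chain fail on their own; a truncated tail only fails when the verifier also holds the last known head hash, which is the part write-once storage or an external anchor has to provide.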

Sub-100ms enforcement path

The local policy evaluation layer runs in <15ms. The MOSES fast-ML tier clears 85% of traffic in <100ms. No action is held pending a network round-trip to an external service.

Fail-open by design

If Thoth is unreachable, your agent runs unblocked. We never become a single point of failure in your production stack. Shadow mode means observation can't block your workloads.

Customer-managed keys

All behavioral telemetry is encrypted at rest using AWS KMS CMKs. Each customer has their own key — we cannot read your agent data without your key.

Zero persistent agent credentials

The Thoth SDK instruments your agent's tool calls. It does not store credentials, API keys, or session tokens. Enforcement happens on the call metadata — not the underlying access.

Tenant isolation

Each enterprise customer runs in an isolated VPC with dedicated compute, storage, and KMS keys. There is no shared data plane between customers.

We govern AI agents. We hold ourselves to the same standard.

Thoth observes tool call metadata — not content. We never see the payload of a tool call, never store API credentials, and never retain PII from agent responses.

The WORM audit log stores only what's necessary to prove enforcement held: agent identity, tool name, timestamp, decision, and the behavioral score that drove it.

What we collect: Agent ID · Tool call name · Timestamp · Enforcement decision · Behavioral score · Evidence bundle
What we never collect: Tool call payloads · API credentials · PII from tool responses
Data residency: AWS us-west-2 (default) · EU regions available on request
Retention: WORM evidence: 7 years · Behavioral telemetry: configurable (default 90 days)
Subprocessors: AWS (compute/storage) · MongoDB Atlas (governance data) · Azure OpenAI (deep-LLM analysis)
Data deletion: Full deletion within 30 days of offboarding. Cryptographic proof of deletion available.

Responsible Disclosure

Found something? Tell us first.

We take security reports seriously and respond within 24 hours. We don't pursue legal action against good-faith security researchers.

security@aten.security

Penetration Testing

Annual third-party pen tests.

Conducted by an independent firm on a rolling annual schedule. Results are reviewed by our advisory board and incorporated into the roadmap.

We answer security questionnaires.

Send your vendor security questionnaire to security@aten.security. We respond within 2 business days.