Security

End to end security embedded in all workflows

Compliance & Certifications

Independently audited.
Continuously monitored.

ISO 27001 (Type II): International standard for information security management systems

SOC 2 (Type II): Annual independent audit across Security, Availability & Confidentiality

HIPAA (Compliant): BAA available. Required safeguards for health information in force

PCI DSS (Compliant): Validated controls for cardholder data environments

HITRUST (CSF Certified): Gold standard for healthcare data security and regulatory assurance

GDPR (Compliant): DPA, SCCs, and subprocessor transparency for EU data subjects

Audit reports and compliance documentation available via our Trust Center.

Features

Security as a standard

Identity & Access

SSO, FIDO2 phishing-resistant MFA, and SCIM-automated least-privilege provisioning.

PII Redaction

Names, card numbers, and SSNs automatically redacted before any AI processing.

Data Encryption

AES-256 at rest, TLS 1.2+ in transit, mTLS for all internal service communication.

Penetration Testing

Annual third-party pen test, full scope, following OWASP ASVS with source code access.

Secure SDLC

SAST, SCA, and secret scanning gating every pull request. Signed, immutable images.

Cloud Infrastructure

GCP private VPC, Terraform IaC with OPA policy gates, CSPM, and WAF protection.

Role-Based Access

Least-privilege RBAC with immutable audit logs and quarterly access reviews.

Business Continuity

Multi-zone failover, RTO <4h / RPO <1h, tested DR runbooks, 24/7 on-call.

AI Security & Governance

Purpose-built for responsible AI.

01.

Zero data retention by AI sub-processors

Contractual prohibition on all third-party AI providers retaining, training on, or fine-tuning with customer data.

02.

Strict tenant isolation at inference

No cross-tenant context sharing. Every model invocation is scoped to a single customer environment.

03.

Governance aligned to NIST AI RMF

Formal AI risk assessments, model risk register, and continuous input/output anomaly monitoring.

04.

Compliance-ready explainability logs

Every AI-assisted decision is logged with full context, queryable for regulatory audits and legal discovery.

01. Ingest: PII Redaction Engine. Names · Cards · SSNs · Addresses stripped

02. Stored: Tenant-Isolated Storage. AES-256 · GCP KMS · No cross-tenant access

03. Processing: Encrypted Model Inference. Scoped per tenant · No shared model state

04. Monitored: Output Monitoring. Real-time alerts · Drift detection

05. Retained: Explainability & Audit Log. Every decision logged · Compliance-queryable
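As an added illustration of the redaction stage described above (example code written for this page, not Level AI's engine), the gate below masks Luhn-valid card numbers and SSN-shaped values in free text before it is handed to any model call; name and address redaction, which the page also lists, needs an NER model and is not shown here.

```python
import re
from dataclasses import dataclass

# Card candidates: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN shape with the structurally invalid area/group/serial values excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class RedactionResult:
    text: str
    counts: dict  # how many values of each class were masked (for audit logging)


def redact(text: str) -> RedactionResult:
    """Mask cards and SSNs; a digit run that fails Luhn (e.g. a ticket number) is left alone."""
    counts = {"card": 0, "ssn": 0}

    def card_repl(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            counts["card"] += 1
            return "[CARD]"
        return m.group()

    def ssn_repl(m: re.Match) -> str:
        counts["ssn"] += 1
        return "[SSN]"

    text = CARD_RE.sub(card_repl, text)   # cards first so dashed PANs never look like SSNs
    text = SSN_RE.sub(ssn_repl, text)
    return RedactionResult(text, counts)


def gate_for_inference(text: str) -> str:
    """Hypothetical chokepoint: every model invocation receives only the redacted text."""
    return redact(text).text
```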

Data Protection

Your data, protected at every layer.

Encryption at Rest

All datastores, backups, and object storage encrypted. Field-level encryption applied to PII and payment data before it reaches the database.

Algorithm: AES-256-GCM

Key Management: GCP KMS / Cloud HSM

Key Rotation: Automatic, scheduled

Field Encryption: PII · PCI · PHI

Encryption in Transit

Every connection — inbound, outbound, and service-to-service — is encrypted. Older TLS versions and weak ciphers are rejected at the perimeter.

External: TLS 1.2+ enforced

Internal (mTLS): All microservices

HSTS: All public endpoints

Cert Management: Google-managed

Retention & Deletion

Customers configure retention periods per data class. On request or contract termination, data is cryptographically erased — not archived.

Deletion SLA: ≤ 30 days

Method: Cryptographic erasure

Backups: Cross-region, encrypted

Subprocessors: Deletion obligations

Collect (PII redacted on ingest) · Encrypt (AES-256 at rest) · Store (tenant-isolated) · Monitor (anomaly detection) · Delete (cryptographic erase)

Enterprise Controls

Defense-in-depth across every domain

IAM: Identity & Access Management

SAML 2.0 / OIDC SSO

FIDO2 / WebAuthn phishing-resistant MFA

SCIM automated provisioning / deprovisioning

Quarterly access reviews with audit sign-off

Zero standing privilege for production

SDLC: Secure Development Lifecycle

Threat modeling at design phase

Mandatory peer code review with security checklist

SAST + secret scan on every pull request

SCA with SBOM generation

Signed, immutable container images

Infra: Infrastructure & Cloud

GCP private VPC with service perimeter

Terraform + OPA policy-gated IaC

Cloud Security Posture Management (CSPM)

WAF + Cloud Armor DDoS protection

GCP KMS / Cloud HSM key management

VM: Vulnerability Management

Annual third-party pen test (full scope)

OWASP ASVS application security verification

Continuous DAST + external attack surface monitoring

CVE remediation: Critical <24h, High <7d

Responsible disclosure & bug bounty program

Ops: Operational Security

MDM + EDR on all corporate endpoints

Mandatory security training at onboarding + annually

24/7 security monitoring and alert triage

Risk-tiered third-party vendor assessments

Phishing simulation program

BCP/IR: Business Continuity & IR

RTO <4h / RPO <1h for Tier 1 services

Multi-zone GCP with automated failover

Daily cross-region backups with restore testing

Documented IR playbooks with 24/7 on-call

Customer breach notification within 72 hours

FAQ

Have questions? Find answers

Is Level AI’s data center secure?

Our infrastructure runs on Google Cloud Platform. GCP maintains ISO 27001, SOC 2, and PCI DSS certifications. Our deployment uses private VPCs, VPC Service Controls, and continuous CSPM for drift detection.

Does Level AI perform regular penetration tests?

Yes. Annual full-scope pen tests by an independent third-party firm following OWASP ASVS. Source code access is provided for maximum depth. Summary reports available via Trust Center under NDA.

Is customer data used to train AI models?

No. Customer data is never used to train or fine-tune shared models. All AI sub-processors are contractually prohibited from using customer data for any training purpose.

What security policies does Level AI maintain?

Our policy library covers: Information Security, Data Classification, Data Retention & Disposal, Secure SDLC, Change Management, Cryptography & Key Management, Incident Response, Business Continuity, and Vendor Risk Management.

How is cloud and production access managed?

Production access requires SSO + FIDO2 hardware MFA. Direct server access is restricted to VPN + bastion host. All privileged operations are logged in an immutable audit trail. Access is auto-revoked on offboarding via SCIM.

Where can I access compliance documentation?

SOC 2 Type II reports, ISO 27001 certificates, HITRUST CSF certification, pen test summaries, and our subprocessor list are available via the Level AI Trust Center. Contact your account team or security@thelevel.ai to request access.