Built for the Room Where Your CISO Asks the Hard Questions.
Security is not a checkbox we tick after the demo. Our compliance posture is documented, independently audited, and available to your legal and security team before they need to ask.
Compliance Certifications
Infrastructure Security
Hosting & Data Residency
- All agent infrastructure runs in your own cloud accounts (AWS, GCP, or Azure) — not on The Extreme AI servers.
- In self-hosted deployments, zero client data transits The Extreme AI infrastructure.
- Regional isolation: EU clients on EU-West infrastructure, US clients on US-East or US-West. Data residency is documented in each Statement of Work.
- Managed hosting option available with dedicated tenant isolation (no shared compute or storage).
Encryption
- At rest: AES-256 encryption on all stored data, including database records, vector embeddings, and file attachments.
- In transit: TLS 1.3 enforced on all API and agent communication endpoints. Older TLS versions rejected.
- Key management: Encryption keys managed via AWS KMS or GCP Cloud KMS. Client-managed keys (BYOK) available on Enterprise tier.
- Secrets: API keys and credentials stored in Vault or cloud-native secret managers. Never in environment variables or source code.
Network Security
- VPC isolation for all agent workloads. Private subnets with no public internet ingress by default.
- Web Application Firewall (WAF) on all external endpoints. DDoS protection via cloud-provider shield services.
- IP allowlisting available for all client-facing APIs and dashboards.
- Egress filtering: agents can only reach pre-approved external endpoints defined in the engagement scope.
Agent Runtime Security
Access Controls
- Per-role, per-source, per-action policy engine. Agents have the minimum permissions required for their task — never full-account access.
- OAuth 2.0 and scoped API credentials for every third-party integration. Token rotation enforced every 90 days.
- Human-in-the-loop controls: any action class can be configured to require human approval before execution.
- Dry-run mode: all agents can be run in read-only simulation before live deployment.
Audit Logging
- Every agent action — tool calls, data retrievals, external API requests, outputs — is logged with full context.
- Logs are hash-chained and tamper-evident. Log integrity can be independently verified.
- Log retention: 90 days by default, configurable up to 7 years for regulated industries.
- Logs are exported to your SIEM (Splunk, Datadog, CloudWatch) in real time if required.
Data Handling in Agents
- PII is automatically identified and masked in agent logs using pattern recognition and NLP classification.
- Agents do not retain data between sessions unless explicitly configured for a specific use case.
- AI model providers (Anthropic, OpenAI) are configured with zero data retention on inference — your data is not used to train foundation models.
- Data minimization: agents access only the records required for the task in scope, enforced by query-level filtering.
Organizational Security
Employee Access
- No The Extreme AI employee has standing access to client systems or data. All access is temporary, scoped, and requires client-initiated authorization.
- Multi-factor authentication required for all internal systems and any client environment access.
- Background checks completed for all engineers before client access is granted.
- Annual security training required for all personnel. Phishing simulations run quarterly.
Vendor Management
- All subprocessors are assessed against our security requirements before engagement.
- Vendor contracts include data processing obligations consistent with this policy.
- Subprocessor list maintained and updated. Clients notified of new subprocessors with 30 days' notice.
Penetration Testing
- Annual penetration tests conducted by independent third-party security firms.
- Critical findings remediated within 48 hours. High findings within 14 days.
- Pen test executive summaries available to clients under NDA.
- Clients may conduct their own penetration tests of deployed agent infrastructure with 14 days' notice.
Incident Response
We maintain a dedicated security incident response program with defined severity levels and response SLAs:
- P0 (Critical): Active breach or data loss — response within 15 minutes, client notification within 1 hour.
- P1 (High): Potential exposure or service degradation — response within 1 hour, client notification within 4 hours.
- P2 (Medium): Anomalous activity — response within 4 hours, status update within 24 hours.
- Full post-mortems published within 72 hours of resolution for P0/P1 incidents.
- Incidents affecting personal data reported to relevant authorities within 72 hours as required by GDPR.
Live status and historical incident log: status.theextremeai.com
Vulnerability Disclosure
We maintain a responsible disclosure program. If you discover a security vulnerability, please report it to info@theextremeai.com. We will acknowledge receipt within 24 hours, investigate, and keep you informed of our remediation timeline. We do not pursue legal action against researchers acting in good faith.
SOC 2 Type II reports, penetration test executive summaries, security questionnaire responses (SIG Lite, CAIQ), and completed vendor assessment forms are available under NDA.
Email us to request them. Subject: "Security documentation request"