AgentLocus stores producer data, NIPR submission history, and compliance evidence — the things a regulator might ask for. We treat the security model the way Operations and Compliance teams need us to.
AES-256 encryption at rest, TLS 1.3 in transit. Encrypted secrets management. Regular vulnerability scanning and dependency monitoring. Network access is segmented and least-privilege by default.
OAuth 2.0 / OIDC authentication via Keycloak. Role-based access control with carrier sub-roles for least-privilege access — Admin, Manager, and Report Viewer tiers enforced at the API layer. SSO/SAML and SCIM provisioning are on the roadmap.
Field-level entity change log captures who changed what and when. Batch job audit trail records every scheduled and on-demand process. Complete NIPR submission history with full request and response capture. Audit exports on demand.
SOC 2 Type I readiness in progress. Privacy-first data handling aligned with CCPA. US data residency. Subprocessor list available on request.
Production environment monitored for uptime and error rates. Documented incident response runbook. Backup and disaster recovery posture aligned with the data we hold.
Hosted on a major cloud provider with hardened production accounts. Network isolation between environments. Automated patch management. CI/CD with required reviews and signed releases.
We work with the procurement, compliance, and IT teams of every prospect. Standard security questionnaires (CAIQ, SIG-Lite), subprocessor disclosures, and architecture diagrams are available under NDA.
