Security that clears the CISO gate.
liracode.dev runs your AI on infrastructure you can audit. Sovereign data residency, tenant isolation enforced in architecture, signed DPAs and BAAs, and a public roadmap to SOC 2 Type II. Trust earned through design — not promises.
The numbers behind the trust boundary
Customer-managed keys mean even our own engineers cannot read your documents. Isolation is enforced by the system, not by policy — there is no privileged path around the trust boundary.
Defence from the perimeter to the prompt
Six independent layers, each assuming the one before it is compromised. No single failure exposes customer data — the controls are designed to fail closed.
Data-centre isolation
Your disks and databases live in a certified facility with access control, video surveillance and redundant power. Physical custody stays with you.
Network defence
WAF, always-on DDoS protection and L3–L7 traffic filtering sit in front of origin. Application servers are never exposed to the public internet.
Zero Trust access
Every operator is verified by identity and device on every request. Nothing is trusted by default; least-privilege is the baseline, not the exception.
Encryption & keys
AES-256 at rest, TLS 1.3 in transit, and customer-managed keys. The encryption keys are yours — we operate the platform without ever holding them.
Tenant & data isolation
Per-tenant, per-user access levels. The vector store returns document chunks only after row-level permission checks against company and matter scope.
Audit & compliance
Every access to a document is recorded. A complete, tamper-evident audit chain is available for regulators and your own internal review.
Where your data goes — and where it never does
Authenticated request
Traffic enters through the WAF and a hardened middleware proxy. Sessions are verified, rate-limited and fingerprinted before anything reaches the platform.
Tenant & role resolution
The query security filter resolves tenant ID, user role and subscription, scores risk and rewrites or blocks suspicious input — before retrieval ever runs.
Access-filtered vector search
Embeddings and document chunks stay on your physical disks. Row-level security applies tenant and permission filters so results never cross a customer boundary.
PII masking at the chunk level
Phone numbers, emails and document identifiers are detected and masked before any context is assembled for a model. Raw PII does not leave the boundary.
Models run inside your boundary
Open models run on GPUs in your region; closed APIs are reached over isolated egress with zero-retention terms. Prompts and outputs are never used for training.
Logged, budgeted, tamper-evident
Every request is rate-limited, token-budgeted and written to a signed audit trail — query ID, tokens used and a SHA-256 hash for regulator-grade traceability.
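As an added illustration (not liracode.dev's own code) of the signed, tamper-evident trail described above: each entry commits to the query ID, tenant, tokens used and the previous entry's SHA-256 hash, and is signed with an HMAC so that rewriting history without the key is detectable. The record layout and the signing key are assumptions; a real deployment would hold the key in an HSM or KMS.

```python
import hashlib
import hmac
import json

# Constructed key for this example only; keep real keys out of source.
AUDIT_KEY = b"example-audit-key-not-for-production"
GENESIS_HASH = "0" * 64
RECORD_FIELDS = ("query_id", "tenant_id", "tokens_used", "prev_hash")


def _canonical(record: dict) -> bytes:
    # Deterministic serialisation so the hash does not depend on key order.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _sign(entry_hash: str) -> str:
    return hmac.new(AUDIT_KEY, entry_hash.encode(), hashlib.sha256).hexdigest()


def append_entry(chain: list, query_id: str, tenant_id: str, tokens_used: int) -> dict:
    """Append one request record that links to the previous entry's hash."""
    prev_hash = chain[-1]["entry_hash"] if chain else GENESIS_HASH
    body = {"query_id": query_id, "tenant_id": tenant_id,
            "tokens_used": tokens_used, "prev_hash": prev_hash}
    entry_hash = hashlib.sha256(_canonical(body)).hexdigest()
    entry = {**body, "entry_hash": entry_hash, "signature": _sign(entry_hash)}
    chain.append(entry)
    return entry


def verify_chain(chain: list) -> tuple:
    """Return (True, -1) if every link, hash and signature checks out,
    otherwise (False, index) for the first entry that fails."""
    prev_hash = GENESIS_HASH
    for i, entry in enumerate(chain):
        body = {k: entry[k] for k in RECORD_FIELDS}
        if entry["prev_hash"] != prev_hash:          # entry removed or reordered
            return False, i
        if hashlib.sha256(_canonical(body)).hexdigest() != entry["entry_hash"]:
            return False, i                          # record edited in place
        if not hmac.compare_digest(_sign(entry["entry_hash"]), entry["signature"]):
            return False, i                          # re-hashed without the key
        prev_hash = entry["entry_hash"]
    return True, -1


if __name__ == "__main__":
    log = []
    append_entry(log, "q-001", "tenant-a", 812)
    append_entry(log, "q-002", "tenant-b", 97)
    print(verify_chain(log))  # (True, -1)
```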
Residency is configurable, isolation is not. Choose the jurisdiction your data lives in — EU, Israel or on-premise — and it stays there. Cross-tenant access is impossible by construction, regardless of where you deploy.
Paper that matches the architecture
Data Processing Agreement
GDPR Art. 28 · available on signature
A standard DPA defines us as your processor with binding obligations on residency, sub-processors, breach notification and your rights to audit.
- ✓ Documented sub-processor list with change notice
- ✓ EU Standard Contractual Clauses where applicable
- ✓ 72-hour breach notification commitment
- ✓ Data return and deletion on termination
Business Associate Agreement
HIPAA · for regulated healthcare data
For workloads touching protected health information, a BAA establishes safeguards, breach handling and the permitted uses of PHI across the platform.
- ✓ Administrative, physical and technical safeguards
- ✓ Minimum-necessary access enforced per tenant
- ✓ Encryption of PHI at rest and in transit
- ✓ Audit logging of all PHI access
The road to SOC 2 Type II
We treat certification as evidence, not theatre. Controls are live today; the formal attestation follows the audit window. Here is exactly where we are.
Access control, encryption, logging, change management and incident response are implemented and operating across the platform.
A gap analysis against the SOC 2 Trust Services Criteria mapped every control to evidence and remediated the gaps it surfaced.
The Type II observation period is running — collecting evidence that controls operate effectively over time, not just at a point in time.
An independent auditor issues the SOC 2 Type II report. ISO 27001 certification follows on the same control base.
Need the current readiness evidence ahead of the formal report? Enterprise customers under NDA can request the controls matrix, pen-test summary and architecture review today.
Bring this to your security team
We will walk your CISO, DPO and procurement through the architecture, the contracts and the roadmap — against your actual requirements, not a generic deck.