Customer Database Security
The platform ensures secure connections through methods like SSH encryption, SSL/TLS transmission, and IP whitelisting to protect against man-in-the-middle attacks and unauthorized access. It accesses only read-only replicas of customer databases to prevent data modification and logs all database operations for full auditability and traceability.
Knowledge Base File Encryption
All files in the platform’s knowledge base are secured with AES-256 encryption during storage and transmission, ensuring confidentiality and integrity while preventing unauthorized access during security incidents.
Access Control
User permissions are assigned with specific roles like editor, viewer, and private user to ensure access is limited to authorized data and functionalities. This helps reduce the risk of privilege escalation and accidental misuse.
Multi-Tenant Data Isolation
The platform uses logical and physical isolation to ensure data from different users or organizations remains separate, preventing cross-tenant access or data leakage.
Data Backup and Recovery
Automated backups protect against data loss and corruption, while version history restoration allows for quick recovery, ensuring business continuity.
Usage Monitoring and Auditing
The platform uses monitoring tools like New Relic to track data access and operations, creating audit logs for quick identification and investigation of potential security threats.
Model Security Selection
eSapiens carefully chooses AI models known for security, stability, and enterprise-grade access control, such as those from OpenAI, Anthropic, and Cohere. Criteria include private deployment support, user isolation, audited security, and fine-tuning control. The platform avoids unverified open-source models to mitigate risks like data leakage and output poisoning.
Model Security Audits and Updates
Regular security audits are performed on model integration points, focusing on:
When vulnerabilities or policy changes are identified, the platform quickly updates model configurations, including prompt templates and context windows, to ensure a secure environment.
Prompt Management Security
The platform implements stringent prompt management controls, including:
Context Data Protection
In Retrieval-Augmented Generation (RAG) and conversations, the extended platform ensures:
Input and Output Content Security Controls
The platform uses content security gateways for AI model interactions by:
Strict Access Controls
Internal access follows the principle of least privilege, allowing personnel to access only the resources essential for their roles to reduce errors and insider threats.
Multi-Factor Authentication (MFA)
MFA is implemented for critical operations and admin accounts to prevent unauthorized access from credential compromise.
Security Audits and Oversight
Routine reviews of internal permissions and security policies ensure compliance and operational discipline.
API Security Enhancements (Nonce Mechanism)
Each call to AI model APIs includes a unique, single-use nonce to prevent replay attacks, ensuring intercepted requests cannot be maliciously reused and protecting interface integrity.
Security by Design
Security principles are embedded in the platform's development lifecycle (Secure Development Lifecycle - SDL), ensuring protection from the initial design stages to deployment.
Internal Security Training
Regular security awareness training is provided to all employees to reinforce responsibility and reduce risks arising from human error or internal threats.
Certified Cloud Hosting
The platform utilizes a certified AWS cloud environment. Elastic Cloud vector databases incorporate physical security, logical isolation, and encrypted transmission to safeguard data against unauthorized access during storage or transit.
Redundancy and High Availability
Critical platform components are architected for high availability and failover to ensure uninterrupted business operations and minimize risks from single points of failure.
Network Security Measures
Multi-layer firewalls and intrusion detection/prevention systems (IDS/IPS) are deployed to detect and block malicious traffic in real time, protecting the platform from network-based attacks.
Regular Security Updates and Patch Management
The security team proactively monitors vulnerability disclosures and applies timely platform updates and patches to close known security gaps.
Comprehensive Operation Logging
The platform logs key operational activities like database access, model invocation, and permission changes for auditing and incident investigation purposes.
Anomaly Detection and Alerts
Automated systems detect abnormal behaviors like suspicious logins or excessive requests, triggering alerts for quick responses.
Regulatory Compliance
The platform is designed and operated in compliance with relevant data protection laws and industry regulations (e.g., GDPR, CCPA), ensuring alignment of technical measures with legal requirements.
Access Review and Permission Governance
Permission changes require approval workflows and are tracked with full historical records, preventing privilege abuse and supporting internal governance.
For customers with existing SOC 2 certifications, we want to assure you that connecting a SOC 2-certified environment (whether Type I or Type II) to the eSapiens platform does not jeopardize your certification. eSapiens acts as a sub-service organization whose controls are fully aligned with the Trust Services Criteria (TSC); auditors can therefore rely on our environment via either the inclusive or carve-out method.
Key Controls That Preserve Certification
Encryption at every layer - Data in transit is secured with TLS 1.3+. All sensitive data at rest is encrypted using AES-256, with RSA-2048 employed for key wrapping where applicable. For data classified as confidential or personally identifiable information (PII), field-level encryption and strict role-based access controls provide additional safeguards.
Tenant isolation - Logical segregation prevents data co-mingling.
Least-privilege, time-boxed access - RBAC with just-in-time credentials and full audit trail.
Immutable audit logs - Every data access and administrative action is time-stamped and retained per your policy requirements.
Data-integrity safeguard - Source data is never altered unless explicitly instructed by the customer.
Regional residency controls - Data remains within the jurisdictions selected by the customer.
User Identity Verification
Mechanisms such as CAPTCHA are implemented to block automated attacks and spam registrations and to ensure a secure and trustworthy user environment.
Transparency of Security Practices
The platform openly communicates core security mechanisms and data protection practices to users, fostering trust and confidence.
User Access and Operation Visibility
Users can view logs of their access and operations, enhancing transparency and user control over their data.
Incident Response and Communication
Established procedures ensure prompt notification, handling, and mitigation of security incidents to minimize impact.