Security & Compliance

1. The Zero Egress Promise

At AIPrunr, we believe that the best way to secure your data is not to touch it. Our architecture is fundamentally designed around "Zero Egress" and strict least-privilege principles.

AIPrunr runs entirely within your infrastructure (On-Premise or Private Cloud). Your credentials, cloud resource data, and financial insights never leave your network.

2. Data Handling & Residency

Because AIPrunr operates as a self-hosted appliance, you retain absolute sovereignty over your data.

Data Residency: All data stored by AIPrunr resides on the disk of the machine where you install it. We have no cloud database that mirrors your sensitive information.
Data Retention: You control the retention period. You can purge data at any time using the built-in "Data Purge" tools in the dashboard.
No Telemetry: The appliance does not send usage metrics, crash reports, or metadata to AIPrunr HQ.

3. Encryption Standards

We enforce industry-standard encryption for data at rest and in transit.

At Rest: If you use our encrypted credential storage, API keys are encrypted using AES-256-GCM before being written to the local database.
In Transit: The dashboard is served via HTTPS (with HSTS enabled). All calls to your cloud providers (AWS, Azure, GCP) use TLS 1.2+ encrypted channels.

4. IAM Read-Only Access Model

AIPrunr requires Read-Only permissions to function. We never ask for write or delete permissions on your cloud resources. This ensures that a compromised AIPrunr instance cannot disrupt your production services.

Sample AWS IAM Policy

Attach this policy to the IAM User or Role used by AIPrunr. It grants strictly read-only access to cost and usage data.

                    {
                    "Version": "2012-10-17",
                    "Statement": [
                    {
                    "Sid": "AIPrunrReadOps",
                    "Effect": "Allow",
                    "Action": [
                    "ce:GetCostAndUsage",
                    "ce:GetCostForecast",
                    "ec2:DescribeInstances",
                    "ec2:DescribeVolumes",
                    "ec2:DescribeSnapshots",
                    "ec2:DescribeAddresses",
                    "s3:ListAllMyBuckets",
                    "s3:GetBucketLocation",
                    "rds:DescribeDBInstances",
                    "rds:DescribeDBClusters"
                    ],
                    "Resource": "*"
                    }
                    ]
                    }
                

5. Security Review Simplified

We understand the rigor of corporate security procurement. To accelerate your internal approval process, we provide a pre-packaged **Security Pack** under NDA.

Enterprise Security Pack Includes:

SIG Lite Questionnaire: Pre-filled with forensic technical details.
ISO 27001 Roadmap: Detailed alignment for your ISMS audit.
SOC 2 Type II Gap Analysis: Transparent view of our security posture.
Reference Architecture: Deep-dive into VPC/NSG flow log ingestion.

Request Security Pack

6. Trust & Malware Defense

Because the AIPrunr appliance runs as a local binary/container in your network, we design the product to be transparent, auditable, and secure against malware flags:

Agentless Security: AIPrunr operates strictly out-of-band and never executes binary code or installs software on your production servers or virtual machines.
Zero Outbound Connectivity Required: You can run the AIPrunr appliance in a completely air-gapped, internet-disabled subnet. The appliance operates fully locally and does not require outbound internet access to perform its audit functions.
Vulnerability & Integrity Scanning: The container image and virtual appliance files are compiled cleanly and are open to inspection by package scanners (e.g., Snyk, Trivy, Aqua) prior to execution.

7. Vulnerability Management

We publish a Software Bill of Materials (SBOM) with every release. We patch critical CVEs within 48 hours of disclosure.