Security

Engineered into the reasoning substrate.

Compliance is engineered into the agent's reasoning substrate, not bolted on at the application layer. Every output from a Digital Employee is auditable and traceable to its underlying reasoning. Eve-Grid is the Azure-native cloud substrate that hosts every ArthurAI edition; it is custom-engineered for compound-AI workloads, not a generic Azure deployment.

Six pillars

  • Encryption

    TLS 1.2+ in transit. AES-256 at rest. Customer-managed keys available for institutional deployments where required by procurement. Key rotation on a documented cadence; key material never embedded in code or configuration.

  • Identity and access

    Microsoft Entra ID for institutional federation. Role-based access control aligned to the institution’s role taxonomy (student, teacher, faculty, administrator, etc.). Just-in-time elevation for privileged operations; standing administrator access is not the norm.

  • Audit logging

    Every output from a Digital Employee is auditable and traceable to its underlying reasoning. Audit logs include actor identity, timestamp, action, and the artifact produced. Logs are tamper-evident and retained per the institution’s contracted retention period.

  • Network isolation

    Eve-Grid™ deploys customer workloads behind Azure Front Door Premium with WAF, in private VNets with private endpoints for Key Vault, Cosmos DB, and Function App ingress. Public network access to data planes is disabled by default in production.

  • Vulnerability management

    Continuous dependency scanning. Security patches applied within commercially reasonable timelines for high-severity advisories. Penetration testing on a documented cadence; results provided under NDA to institutional buyers on request.

  • Subprocessor governance

    Subprocessors are limited to Microsoft Azure (infrastructure substrate), Microsoft Clarity (consent-gated analytics, marketing site only), and the frontier model providers we compose into Eve-Education™ F5/reasoner. Subprocessor list disclosed at onboarding and updated under change-control.

Incident response

Eve-Education, LLC maintains a documented incident-response procedure with named on-call rotation, severity classification, and contractual notification timelines. For deployments under a Data Processing Agreement, breach notification is initiated within 72 hours of confirmed unauthorized access to personal data, as required by Article 33 GDPR and analogous state laws. Institutional buyers receive the IR runbook and tabletop-exercise summary under NDA at onboarding.

SOC 2 readiness

ArthurAI Corporate Learning Edition ships with a SOC 2 Type 2 readiness posture: control narratives, evidence-collection automation, and a defined audit window. Type 2 attestation timing is announced when the audit window completes and the report is finalized. Institutional buyers may request the current readiness summary under NDA.

For full Trust Center detail and procurement-grade documentation, see also our data handling policy and disclosures.