Security Brief

Version 1.0 • Last Updated: October 1, 2025

SOC 2 In ProgressGDPR CompliantISO 27001 Roadmap

Executive Summary

Valensys AI FinOps Control Plane is designed to optimize AI inference workloads while maintaining strict data governance, privacy, and compliance requirements.

TLS 1.3 Encryption

All data in transit

Ed25519 Signatures

Policy & ledger integrity

No Persistent Prompts

Transient processing only

Data Flow Architecture

Client SDK (Python/TS)
      ↓ HTTPS/TLS 1.3
      ↓ Headers: x-request-id, x-feature, x-team, x-residency
      ↓
Policy Gateway (Ingress)
  ├─ Authentication (HMAC/Bearer JWT)
  ├─ Policy Evaluation (Budget, Latency, Quality, Residency)
  ├─ PII Detection & Redaction
  └─ OpenTelemetry Trace Initiation
      ↓
      ├─→ Semantic Cache (pgvector) → PostgreSQL
      ├─→ Router Service → Upstream LLM Providers
      ├─→ Compliance Service → Evidence Packs
      └─→ Savings Ledger (Append-Only) → Audit Trail

Residency Enforcement

  • • SDK attaches x-residency metadata (EU, US)
  • • Policy Gateway validates constraints
  • • Router filters to compliant providers
  • • Compliance logs all decisions

Cache Storage

  • • Embeddings stored (not raw prompts)
  • • Scoped to policy fingerprint
  • • TTL-based expiration
  • • Invalidation on policy changes

Access Controls

Service/ComponentAuthenticationRotation Policy
Admin UIJWT (RS256)7 days
Internal ServicesHMAC-SHA256 / Bearer JWT90 days (planned)
Client SDKsAPI Key (HMAC)365 days
PostgreSQLPassword + SSL90 days

Role

Admin

Full access

Role

Finance

Reports only

Role

Auditor

Read-only

Role

Developer

Metrics access

Logging & Retention

Logging Standards

  • Format: Structured JSON via structlog
  • Max Size: 1KB per entry (truncated if exceeded)
  • Sanitization: PII redacted, secrets never logged
  • Levels: DEBUG (dev only), INFO, WARN, ERROR

Retention Policies

Application Logs90 days
Distributed Traces7 days
Prometheus Metrics30 days
Audit Logs7 years
Ledger EntriesIndefinite

Cryptography

Data in Transit

  • Client ↔ Gateway: TLS 1.3 (minimum TLS 1.2)
  • Internal Services: mTLS (planned); currently TLS-ready
  • Upstream Providers: TLS 1.2+ enforced
  • Certificates: Let's Encrypt (public); Enterprise CA (production)

Data at Rest

  • PostgreSQL: Transparent Data Encryption (TDE) planned
  • MinIO: Server-side encryption (SSE-S3 compatible)
  • Redis: No encryption (ephemeral cache only)
  • Backups: AES-256 encrypted before upload
ComponentAlgorithmPurposeRotation
PolicyEd25519 (256-bit)Sign policy versionsAnnually
LedgerEd25519 (256-bit)Sign ledger entriesNever (append)
JWTRS256 (2048-bit)Authenticate admin users90 days

Incident Response

RTO (Recovery Time)

Policy Gateway15m
Savings Ledger30m
PostgreSQL1h

RPO (Data Loss)

Policy Gateway0
Savings Ledger0
PostgreSQL15m

Security Contacts

General Inquiries

security@valensys.ai

Vulnerability Reports

security@valensys.ai

Compliance & Certifications

Current Compliance

  • GDPR Compliance (Data residency, subject rights)
  • CCPA Compliance (Privacy disclosures)

Roadmap

  • SOC 2 Type I (Target: Q2 2026)
  • ISO 27001 (Target: Q4 2026)

Need the Full Document?

The complete Security Brief with detailed technical specifications is available upon request.

Request Full Security Brief
Privacy Policy →SLA →System Status →