Security
Last updated: May 2026
Cisora records metadata about what your AI agents did — which tools they called, how long it took, what credentials they touched. We never see your model weights, your training data, or your customers' raw inputs.
You bring your own Anthropic / OpenAI / Bedrock key. It never touches our servers. The SDK wraps your calls locally and only emits structured metadata to /api/agent/events.
The API keys you generate at /settings/keys are stored in our database as bcrypt hashes. We index by the first 16 characters (the key prefix shown in your UI) for fast lookup, and verify the full key with bcrypt on every request.
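One way to implement the prefix-indexed lookup described above, as an added example that is not Cisora's own code. It uses `hashlib.scrypt` from the Python standard library as a stand-in for bcrypt so that it runs without third-party packages; the `csk_` key format, the `KeyStore` class and the in-memory table are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

PREFIX_LEN = 16  # from the page: keys are indexed by their first 16 characters


def _slow_hash(key: str, salt: bytes) -> bytes:
    # Stand-in for bcrypt (assumption): scrypt, a salted, deliberately slow hash.
    return hashlib.scrypt(key.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


class KeyStore:
    """Hypothetical in-memory table: prefix -> (salt, hash, owner)."""

    def __init__(self):
        self._rows = {}

    def issue(self, owner: str) -> str:
        # Constructed key format. The full key is returned once and never stored.
        key = "csk_" + secrets.token_urlsafe(32)
        salt = secrets.token_bytes(16)
        self._rows[key[:PREFIX_LEN]] = (salt, _slow_hash(key, salt), owner)
        return key

    def verify(self, presented: str):
        """Return the owner for a valid key, otherwise None."""
        row = self._rows.get(presented[:PREFIX_LEN])
        if row is None:
            # Unknown prefix: still pay for one slow hash so response time
            # does not reveal which prefixes exist.
            _slow_hash(presented, b"\x00" * 16)
            return None
        salt, stored, owner = row
        # The prefix only selects the row; the FULL key is what gets hashed.
        candidate = _slow_hash(presented, salt)
        return owner if hmac.compare_digest(candidate, stored) else None

    def dump(self):
        # What a copy of the table contains: prefixes, salts and hashes only.
        # The prefix is stored in the clear, so the key's secrecy rests on
        # the characters after it.
        return {p: (s.hex(), h.hex()) for p, (s, h, _) in self._rows.items()}
```
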
Customer AWS / GitHub / Anthropic credentials submitted to our integrations layer are encrypted at rest using AES-256 in AWS RDS. They are never logged and never included in error messages.
All Cisora infrastructure runs in AWS ap-south-1 (Mumbai). Traffic in transit uses TLS 1.2+ (managed by AWS ALB + ACM). The database is in a private VPC subnet with no public internet access; only our ECS tasks can reach it.
Send vulnerability reports to contact@cisora.io. We acknowledge within 48 hours and respond with a fix timeline within 7 days for confirmed issues.
Cisora provides formal legal agreements for customers who need them. All agreements are available for review and can be executed on request.
SOC 2 Type I audit in progress. Report available to enterprise customers under NDA — email legal@cisora.io.