Security at Bolor Intelligence

Security is foundational to everything we build. As an enterprise AI platform handling sensitive data and critical decisions, we hold ourselves to the highest standards of data protection, access control, and operational security.

Security Features

Multiple layers of protection for your data and API access.

Encryption in Transit

All communication between your application and our APIs is encrypted using TLS 1.3. We enforce HTTPS on all endpoints and reject plaintext connections. HSTS headers are set with a 1-year max-age.

Encryption at Rest

All data stored in our databases, including knowledge graphs, audit logs, and user data, is encrypted at rest using AES-256 encryption. Encryption keys are managed through a dedicated key management service with automatic rotation.

API Key Security

API keys are hashed using bcrypt before storage. Full keys are shown only once at creation time. Keys support scoped permissions, IP allowlists, and expiration dates. Compromised keys can be revoked instantly through the dashboard.
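The lifecycle described above (hash before storage, show the full key once, scoped permissions, IP allowlists, expiry, instant revocation) is simple to get subtly wrong, so here is an added example of how such a scheme fits together. This is illustrative code, not Bolor's implementation: the `bk_<key_id>.<secret>` format, the in-memory store, and the scope names are assumptions, and because the standard library has no bcrypt, it uses `hashlib.scrypt` as a stand-in salted slow hash.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed key format "<prefix><key_id>.<secret>": the key_id is a public lookup
# handle, only the secret half is hashed. This format is not Bolor's.
KEY_PREFIX = "bk_"


@dataclass
class StoredKey:
    """What the database keeps: never the secret itself, only a salted hash."""
    key_id: str
    salt: bytes
    digest: bytes
    scopes: frozenset
    ip_allowlist: tuple            # CIDR strings; empty tuple means any source IP
    expires_at: Optional[datetime] # None means the key never expires
    revoked: bool = False


def _hash_secret(secret: str, salt: bytes) -> bytes:
    # The page states bcrypt; scrypt from the standard library stands in here so the
    # example runs without third-party packages. Both are salted, deliberately slow.
    return hashlib.scrypt(secret.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


def create_key(store, scopes, ip_allowlist=(), ttl=None, now=None):
    """Create a key, persist only its hash, and return the full key exactly once."""
    now = now or datetime.now(timezone.utc)
    key_id = secrets.token_hex(8)          # 16 hex chars, safe to log and display
    secret = secrets.token_urlsafe(32)     # 256 bits of entropy, never stored
    salt = secrets.token_bytes(16)
    store[key_id] = StoredKey(
        key_id=key_id,
        salt=salt,
        digest=_hash_secret(secret, salt),
        scopes=frozenset(scopes),
        ip_allowlist=tuple(ip_allowlist),
        expires_at=(now + ttl) if ttl else None,
    )
    return f"{KEY_PREFIX}{key_id}.{secret}"  # show this once; it cannot be recovered later


def revoke_key(store, key_id):
    """Revocation flips a flag on the stored record, so it takes effect immediately."""
    store[key_id].revoked = True


def authenticate(store, presented, client_ip, required_scope, now=None):
    """Return (ok, reason). Each failure is a distinct reason suitable for audit logs."""
    now = now or datetime.now(timezone.utc)
    if not presented.startswith(KEY_PREFIX) or "." not in presented:
        return False, "malformed"
    key_id, _, secret = presented[len(KEY_PREFIX):].partition(".")
    record = store.get(key_id)
    if record is None:
        return False, "unknown_key"
    # Check the secret before any status checks, so a caller who only knows a key_id
    # cannot learn whether that key is revoked or expired. compare_digest is constant-time.
    if not hmac.compare_digest(_hash_secret(secret, record.salt), record.digest):
        return False, "bad_secret"
    if record.revoked:
        return False, "revoked"
    if record.expires_at is not None and now >= record.expires_at:
        return False, "expired"
    if record.ip_allowlist:
        addr = ip_address(client_ip)
        if not any(addr in ip_network(cidr) for cidr in record.ip_allowlist):
            return False, "ip_not_allowed"
    if required_scope not in record.scopes:
        return False, "insufficient_scope"
    return True, "ok"


if __name__ == "__main__":
    db = {}
    full_key = create_key(db, ["read"], ip_allowlist=["10.0.0.0/8"], ttl=timedelta(days=30))
    print("issued (shown once):", full_key)
    print(authenticate(db, full_key, "10.1.2.3", "read"))    # (True, 'ok')
    print(authenticate(db, full_key, "203.0.113.5", "read")) # (False, 'ip_not_allowed')
```

Two design points worth noting: the stored record holds the hash and the policy (scopes, allowlist, expiry) together, so the check that enforces the policy is the same function that verifies the secret; and the key_id prefix makes lookups O(1) without needing to hash every stored key, which matters when the hash is intentionally slow.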

Data Isolation

Each tenant's data is logically isolated at the database level. MindVault knowledge graphs, ComplianceGraph audit trails, and all product data are stored in tenant-scoped schemas. No cross-tenant data access is possible.

Access Control

Role-based access control (RBAC) governs access to the dashboard and API resources. Enterprise plans support SAML 2.0 and OIDC-based single sign-on (SSO). Multi-factor authentication (MFA) is available for all accounts.

Audit Logging

All API requests, dashboard actions, and administrative operations are logged with timestamps, user identity, IP addresses, and action details. Logs are retained for 90 days and are accessible through the ComplianceGraph audit API.

Compliance

Meeting industry standards and regulatory requirements for enterprise AI deployments.

SOC 2 Type II

In Progress

We are currently undergoing a SOC 2 Type II audit with a leading independent auditor. The audit covers the security, availability, and confidentiality trust service criteria. Expected completion: Q2 2026.

GDPR Compliance

Compliant

Our data processing practices comply with GDPR requirements. We offer Data Processing Agreements (DPAs) for enterprise customers and support data subject access requests, deletion requests, and data portability.

CCPA Compliance

Compliant

We comply with the California Consumer Privacy Act. We do not sell personal information. California residents can exercise their rights by contacting privacy@bolor.ai.

HIPAA

Available on Enterprise

Enterprise customers in healthcare can request HIPAA-compliant configurations, including a Business Associate Agreement (BAA), dedicated infrastructure, and enhanced audit logging.

Security Practices

Our security program encompasses development practices, infrastructure hardening, personnel policies, and continuous monitoring.

  • All code changes require peer review before merging to production
  • Automated security scanning (SAST and DAST) runs in our CI/CD pipeline on every commit
  • Dependencies are automatically scanned for known vulnerabilities using Dependabot and Snyk
  • Production access requires MFA and is restricted to a minimal set of engineers
  • Infrastructure is managed as code (Terraform) with version-controlled configurations
  • We conduct regular penetration testing through independent third-party security firms
  • Incident response procedures are documented and rehearsed quarterly
  • Employee security training is mandatory and conducted annually

Vulnerability Disclosure Program

Responsible disclosure

We welcome reports from security researchers who discover vulnerabilities in our systems. If you believe you have found a security issue, please report it responsibly.

Report Vulnerabilities To

security@bolor.ai

Guidelines

  • Provide a detailed description of the vulnerability and steps to reproduce.
  • Do not access or modify other users' data during testing.
  • Allow us reasonable time (90 days) to address the issue before public disclosure.
  • We will acknowledge your report within 48 hours and provide regular status updates.

We do not pursue legal action against researchers who follow responsible disclosure practices. Significant findings may be eligible for recognition.

Need More Details?

For enterprise security assessments, SOC 2 report requests, or custom compliance requirements, our security team is here to help.