PeytonixAI is built for organizations that manage sensitive audit data in regulated environments. Security is foundational to our architecture, not an afterthought.
Architecture
For regulated deployments, PeytonixAI runs in customer-controlled AWS infrastructure. Customer audit metadata, automated test records, evidence storage, AI configuration, and encryption controls remain in the customer environment.
Application runtime, workflow execution, audit metadata, automated test definitions, execution history, exception records, and AI orchestration operate in the customer's AWS environment.
Evidence files are stored in customer-owned S3 buckets and encrypted with customer-controlled KMS keys.
Deployment, governance, and operational metadata only. It is not the system of record for customer business payloads.
Evidence Handling: In regulated customer deployments, evidence uploads and downloads use presigned URLs between the browser and customer S3. PeytonixAI stores metadata, verifies uploads before confirmation, and enforces access control and malware-scanning requirements. Automated test definitions, executed query history, exception payloads, and AI review results are retained in the customer runtime environment. Customer evidence contents are not stored in the PeytonixAI control plane.
Authorization
PeytonixAI applies least-privilege access controls across application roles, assigned entities, identity integrations, and customer AWS trust boundaries.
Predefined application roles support separation of duties across viewing, audit execution, review, management, and administration.
Users are assigned to specific entities such as business units, subsidiaries, and audit engagements. Access is automatically scoped to assigned entities so users only see the data relevant to their responsibilities.
All cross-account AWS access uses STS AssumeRole with mandatory ExternalId. This prevents confused deputy attacks where a malicious actor could trick PeytonixAI into accessing another customer's resources.
Authentication
SAML 2.0 and OIDC support for enterprise identity providers (Okta, Azure AD, Google Workspace, etc.).
SCIM lifecycle support is available in supported deployments for automated user provisioning and deprovisioning with supported identity platforms.
Signed access and refresh-token sessions include revocation controls. In customer-runtime deployments, user status and role changes are revalidated against the database on authenticated requests.
MFA can be enforced through the customer's identity provider or PeytonixAI's native MFA controls, depending on deployment requirements.
Data Protection
Evidence files in customer-owned S3 are encrypted with customer-controlled KMS keys. Customer runtime databases and supporting AWS services use encryption controls in the customer's AWS account, including retained automated test definitions, execution history, exception records, and AI review data.
Application and evidence traffic uses HTTPS/TLS. Presigned S3 transfers are time-limited and signed.
AI Governance
AI features are governed as part of the audit platform, not as an unmanaged sidecar.
In production customer-runtime deployments, AI credentials are expected in customer-owned AWS Secrets Manager. The platform fails closed when required AI credentials are missing or invalid.
Administrators can select approved providers and models, with allowlists, quota controls, and auditability around AI usage.
AI-generated changes are governed through proposal and review workflows. Sensitive mutations require user review and approval rather than silent auto-apply behavior.
AI usage is logged with provider, model, token, and correlation metadata. In customer-hosted deployments, AI configuration, usage metadata, and stored AI artifacts remain under customer-controlled runtime and storage boundaries.
Important: When AI is enabled, prompts and outputs are processed by the customer-selected provider using customer-managed credentials. Provider-side data handling remains subject to the customer's agreement with that provider.
Reliability
PeytonixAI is designed for resilient regulated deployments with fail-closed behavior, customer-controlled data boundaries, and documented recovery planning.
If authentication or authorization services become unavailable, the system denies access rather than failing open. This ensures security controls remain effective even during outages.
Production deployments are designed to fail closed when required customer storage, scanning, identity, or AI dependencies are unavailable or misconfigured. Recovery objectives and contractual service commitments are defined in customer agreements and deployment documentation.
Recovery Planning: Detailed availability objectives, backup and recovery settings, and deployment-specific resilience commitments are handled through customer deployment architecture, customer-controlled AWS services, and the applicable customer agreement.
Accountability
Security-sensitive events, governed mutations, approvals, and key system actions are written to an immutable audit trail with append-only and tamper-detection controls.
For regulated deployments, customer evidence buckets include AWS CloudTrail S3 data-event auditing as part of the baseline. Combined with application logs, this supports independent review of evidence access and system activity.
Assurance
Single-tenant, customer-hosted architecture aligned to regulated internal audit and control environments.
Security validation includes release gates, vulnerability scanning, and environment-specific qualification evidence. Additional testing documentation is shared as part of customer diligence.
Continuous scanning with defined remediation SLAs based on severity.
Contact sales@peytonixai.com or security@peytonixai.com for security documentation and diligence materials.
Vulnerability Reporting
We welcome responsible security research. If you discover a vulnerability, please report it to us privately.
Report security vulnerabilities to security@peytonixai.com. We commit to acknowledging receipt within 2 business days and providing regular updates on remediation progress.
Learn More
Our team is available to discuss your organization's security requirements and provide detailed documentation.
Legal Notice: This document describes PeytonixAI's security architecture and controls as of the publication date. Security practices evolve continuously. For the most current information, contact security@peytonixai.com. Nothing in this document constitutes a warranty or contractual commitment. Security commitments are defined in customer agreements.