Security & Compliance
Encryption, retention, deletion, training policy, GDPR, audit logs, RBAC, SOC 2, incident management, BCP/DR, vulnerability management, IP ownership.
Data residency
Tenants are pinned to a region at provisioning. Cross-region data movement is disabled. UK-only deployments use eu-west-2 (London) for both processing and storage. DR snapshots stay within the same residency boundary.
Encryption in transit
| Surface | Protocol | Notes |
|---|---|---|
| Public ingress | TLS 1.3 | Public CA cert. HSTS enforced. |
| Private peering | TLS 1.3 | Optional Azure Private Link. |
| Internal service-to-service | mTLS | Within Faction's VPC. |
TLS 1.2 disabled. TLS 1.0 / 1.1 / SSLv3 not accepted.
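The ingress posture above, as an added example written against Go's standard library; this is not Faction's code. `ServerTLSConfig` is the stated setting, `LegacyTLSConfig` the weak default it replaces, and `AcceptsVersion`, `responseProbe` and `HSTSHeaderFor` are assumed helpers for the demo.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
)

// Added example, not Faction's code: the two ingress settings the table states,
// TLS 1.3 only and HSTS on every response, written against Go's standard library.
// AcceptsVersion and the responseProbe type are assumed helpers for this demo.

// ServerTLSConfig negotiates TLS 1.3 only. MinVersion is the single setting that
// refuses 1.2, 1.1 and 1.0; SSLv3 is not implemented by crypto/tls in current
// releases, and the TLS 1.3 cipher suites are fixed by the library.
func ServerTLSConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS13}
}

// LegacyTLSConfig is the weak setting for comparison: with MinVersion unset,
// crypto/tls falls back to its default minimum of TLS 1.2.
func LegacyTLSConfig() *tls.Config {
	return &tls.Config{}
}

// AcceptsVersion mirrors crypto/tls's rule for whether a protocol version is
// negotiable under cfg: anything below MinVersion (default TLS 1.2 in current
// Go releases) or above MaxVersion (default TLS 1.3) is refused.
func AcceptsVersion(cfg *tls.Config, version uint16) bool {
	lo, hi := cfg.MinVersion, cfg.MaxVersion
	if lo == 0 {
		lo = tls.VersionTLS12
	}
	if hi == 0 {
		hi = tls.VersionTLS13
	}
	return version >= lo && version <= hi
}

// HSTS wraps a handler so every response carries Strict-Transport-Security.
// One year with includeSubDomains is the commonly recommended baseline.
func HSTS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
		next.ServeHTTP(w, r)
	})
}

// responseProbe is a minimal http.ResponseWriter for inspecting headers
// without opening a listener.
type responseProbe struct {
	header http.Header
	status int
}

func (p *responseProbe) Header() http.Header         { return p.header }
func (p *responseProbe) Write(b []byte) (int, error) { return len(b), nil }
func (p *responseProbe) WriteHeader(code int)        { p.status = code }

// HSTSHeaderFor runs one request through HSTS(h) and returns the header value set.
func HSTSHeaderFor(h http.Handler) string {
	p := &responseProbe{header: http.Header{}}
	req, err := http.NewRequest(http.MethodGet, "/", nil)
	if err != nil {
		panic(err)
	}
	HSTS(h).ServeHTTP(p, req)
	return p.header.Get("Strict-Transport-Security")
}

func main() {
	cfg := ServerTLSConfig()
	fmt.Println("TLS 1.2 accepted:", AcceptsVersion(cfg, tls.VersionTLS12)) // false
	fmt.Println("TLS 1.3 accepted:", AcceptsVersion(cfg, tls.VersionTLS13)) // true
	fmt.Println("HSTS:", HSTSHeaderFor(http.NotFoundHandler()))
	// Wiring it up: srv := &http.Server{Addr: ":443", TLSConfig: cfg, Handler: HSTS(mux)}
	// followed by srv.ListenAndServeTLS(certFile, keyFile).
}
```

The point of `LegacyTLSConfig` is that the weak posture is the library default: forgetting `MinVersion` silently re-enables TLS 1.2, so the check belongs in a test, not only in a runbook.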
Encryption at rest
| Layer | Mechanism |
|---|---|
| Object storage | AES-256-GCM. Tenant-scoped DEKs, wrapped by tenant master keys in KMS. |
| Database | AES-256-GCM. |
| Backups | AES-256-GCM. |
| Model artefacts (tenant-tuned) | AES-256-GCM. Tenant-scoped. |
Master keys rotated on a 12-month cadence by default; faster on request or on suspected compromise. Key rotation is non-disruptive.
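The DEK-wrapping and non-disruptive rotation described above, as an added example that is not Faction's code. It assumes in-memory master keys standing in for KMS key versions (a real KMS performs the wrap/unwrap calls itself and never releases the master key) and shows why rotating a master key only re-wraps DEKs rather than re-encrypting objects.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Added example, not Faction's code: per-object DEKs wrapped by a tenant
// master key, with rotation that re-wraps DEKs instead of re-encrypting data.
// In-memory master keys stand in for KMS key versions (an assumption; real
// master keys never leave the KMS, which performs Wrap/Unwrap on its side).

type MasterKey struct {
	ID  string // key-version identifier, e.g. "tenant-a/v1"
	raw []byte // 32 bytes for AES-256; held by the KMS in reality
}

// WrappedDEK is stored beside the object, tagged with the version that sealed it.
type WrappedDEK struct {
	MasterKeyID       string
	Nonce, Ciphertext []byte
}

// StoredObject is the at-rest record: payload ciphertext plus its wrapped DEK.
type StoredObject struct {
	Nonce, Ciphertext []byte
	Key               WrappedDEK
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // fails only on a bad key length
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

func NewMasterKey(id string) *MasterKey { return &MasterKey{ID: id, raw: randomBytes(32)} }

// Wrap seals a DEK under this key version; the version ID is bound as
// associated data so the blob cannot be presented under another version.
func (mk *MasterKey) Wrap(dek []byte) WrappedDEK {
	gcm := mustGCM(mk.raw)
	nonce := randomBytes(gcm.NonceSize())
	return WrappedDEK{mk.ID, nonce, gcm.Seal(nil, nonce, dek, []byte(mk.ID))}
}

// Unwrap recovers the DEK; a blob sealed by another version is refused.
func (mk *MasterKey) Unwrap(w WrappedDEK) ([]byte, error) {
	if w.MasterKeyID != mk.ID {
		return nil, errors.New("DEK was wrapped by a different master-key version")
	}
	return mustGCM(mk.raw).Open(nil, w.Nonce, w.Ciphertext, []byte(mk.ID))
}

// EncryptObject uses a fresh DEK per object so no two objects share a key.
func EncryptObject(mk *MasterKey, plaintext []byte) StoredObject {
	dek := randomBytes(32)
	gcm := mustGCM(dek)
	nonce := randomBytes(gcm.NonceSize())
	return StoredObject{nonce, gcm.Seal(nil, nonce, plaintext, nil), mk.Wrap(dek)}
}

// DecryptObject unwraps the DEK with the given key version, then opens the payload.
func DecryptObject(mk *MasterKey, obj StoredObject) ([]byte, error) {
	dek, err := mk.Unwrap(obj.Key)
	if err != nil {
		return nil, err
	}
	return mustGCM(dek).Open(nil, obj.Nonce, obj.Ciphertext, nil)
}

// RotateMasterKey re-wraps only the DEK under the new version. The payload
// ciphertext is untouched, which is why rotation is non-disruptive.
func RotateMasterKey(oldMK, newMK *MasterKey, obj StoredObject) (StoredObject, error) {
	dek, err := oldMK.Unwrap(obj.Key)
	if err != nil {
		return StoredObject{}, err
	}
	obj.Key = newMK.Wrap(dek)
	return obj, nil
}

func main() {
	v1, v2 := NewMasterKey("tenant-a/v1"), NewMasterKey("tenant-a/v2")
	rotated, _ := RotateMasterKey(v1, v2, EncryptObject(v1, []byte("constructed sample case body")))
	pt, err := DecryptObject(v2, rotated)
	fmt.Printf("v2 decrypts after rotation: %q (err=%v)\n", pt, err)
}
```

Rotation on suspected compromise works the same way, but a compromised master key means every DEK it wrapped must be assumed exposed, so that case calls for re-encrypting the affected objects under new DEKs, not just re-wrapping.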
Data retention
| Data type | Default retention |
|---|---|
| Operational logs (request, latency, status) | 90 days |
| Model traces (inputs, outputs, confidence) | 30 days |
| Audit records | 7 years (or per contract) |
| Tenant business data (master, catalogue) | Per contract; deleted on termination. |
| Customer payloads (case bodies, attachments) | Configurable. Default: not retained beyond request window unless feedback mode requires it. |
All retention values are configurable per tenant.
Data deletion on termination
| Step | Detail |
|---|---|
| 1 | Termination notice received. |
| 2 | Deletion plan agreed: domains, timeline, return-of-artefacts. |
| 3 | Tenant placed in suspended state (no new processing). |
| 4 | Data deleted from production storage. |
| 5 | Backups purged on next backup cycle (default 35 days; can be expedited). |
| 6 | Signed deletion certificate issued. |
SLA: 30 days from termination notice for production deletion; 60 days for full backup purge.
Training policy
| Mode | Description | Default |
|---|---|---|
| Off | Inference-only. No tenant data used for training of any kind. | |
| Audit only | Inference only; rep-edit feedback stored for analytics, not training. | Default |
| Tenant-tuning | Tenant-scoped training using tenant data. Models stay tenant-scoped. | Opt-in. |
| Shared improvement | Aggregated, anonymized signals contribute to base-model improvement. | Opt-in. Never default. |
Mode changes require written approval from an authorized tenant contact; the audit trail records the change.
GDPR controls
| Right | Faction support |
|---|---|
| Art. 15 (access) | API endpoint and operational process. |
| Art. 16 (rectification) | API endpoint. |
| Art. 17 (erasure) | API endpoint. |
| Art. 18 (restriction) | API endpoint. |
| Art. 20 (portability) | Export to JSON or CSV via API. |
| Art. 21 (objection) | Operational process. |
PII detection runs at ingest. Detected sensitive PII (national IDs, financial accounts) can be redacted, hashed, or rejected, per tenant policy. Default: redact and flag in DQ report.
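The ingest-time policy described above (redact, hash or reject, with a DQ flag), as an added example that is not Faction's code. The detector patterns are constructed, deliberately simplified stand-ins for one national-ID format, card numbers and IBAN-like strings; they are not the platform's detectors and do no check-digit validation. The tenant salt and the `pii_` token prefix are assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"regexp"
)

// Added example, not Faction's code: an ingest-time PII pass that applies the
// tenant's chosen action (redact, hash or reject) and emits flags for the DQ
// report. The detector patterns are constructed, deliberately simplified
// stand-ins and do no check-digit validation.

type PIIAction int

const (
	Redact PIIAction = iota // page default: redact and flag
	Hash                    // replace with a keyed, tenant-scoped digest
	Reject                  // refuse the whole payload
)

var detectors = []struct {
	Kind string
	Re   *regexp.Regexp
}{
	// Order matters: the digit-only pattern runs first so that the lowercase
	// hex produced by Hash can never be re-matched by a later detector.
	{"card_number", regexp.MustCompile(`\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b`)},
	{"iban", regexp.MustCompile(`\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b`)},
	{"uk_nino", regexp.MustCompile(`\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b`)},
}

// DQFlag is one line of the data-quality report for this payload.
type DQFlag struct {
	Kind   string
	Action string
	Count  int
}

var ErrRejected = errors.New("payload rejected: sensitive PII present and tenant policy is reject")

// hashToken produces a stable per-tenant token so the same value can still be
// joined across records without being stored. The salt is assumed to be a
// tenant-scoped secret; SHA-256 is truncated here only for readability.
func hashToken(value, tenantSalt string) string {
	sum := sha256.Sum256([]byte(tenantSalt + ":" + value))
	return "pii_" + hex.EncodeToString(sum[:8])
}

// ApplyPIIPolicy scans text, applies the tenant's action to every match and
// returns the transformed text with the flags to attach to the DQ report.
func ApplyPIIPolicy(text string, action PIIAction, tenantSalt string) (string, []DQFlag, error) {
	var flags []DQFlag
	out := text
	for _, d := range detectors {
		n := len(d.Re.FindAllStringIndex(out, -1))
		if n == 0 {
			continue
		}
		switch action {
		case Reject:
			// Nothing is stored; the flag goes back to the submitter.
			return "", []DQFlag{{d.Kind, "reject", n}}, ErrRejected
		case Hash:
			out = d.Re.ReplaceAllStringFunc(out, func(m string) string { return hashToken(m, tenantSalt) })
			flags = append(flags, DQFlag{d.Kind, "hash", n})
		default:
			out = d.Re.ReplaceAllString(out, "["+d.Kind+" REDACTED]")
			flags = append(flags, DQFlag{d.Kind, "redact", n})
		}
	}
	return out, flags, nil
}

func main() {
	// Constructed sample payload; none of these values are real.
	sample := "Customer AB123456C paid with 4111 1111 1111 1111 from GB82WEST12345698765432."
	out, flags, err := ApplyPIIPolicy(sample, Redact, "tenant-secret-salt")
	fmt.Println(out, flags, err)
}
```

The hash action keeps a stable join key per tenant (same value, same token) while different tenants get unrelated tokens; without a secret salt, a plain digest of a short identifier is trivially reversible by enumeration, which is why the salt is treated as a secret rather than a public namespace.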
Audit logs
Every API call, configuration change, threshold decision, rep edit, and admin action produces an audit record. See Confidence & HITL for the schema.
| Export method | Notes |
|---|---|
| Real-time stream | Webhook to caller's SIEM. |
| Scheduled export | Daily or hourly file drop to S3, Azure Blob, or SFTP. |
| On-demand API | Query by tenant, time range, event type. |
Access controls
RBAC at three layers:
| Layer | Roles |
|---|---|
| Tenant | owner, admin, operator, viewer. |
| Service | Service-account scopes (per-module fine-grained: intent.classify, extract.quote, etc.). |
| Dataset | Dataset-level read / write per role. |
Faction's own staff access is restricted to break-glass scenarios, requires tenant approval for each access, and is fully logged. Background checks are performed on Faction staff with admin privileges.
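A deny-by-default check across the three RBAC layers above, as an added example that is not Faction's code. Role and scope names are the page's; the rule that only owner, admin and operator may write, the shape of dataset grants, the `Request` fields and the audit line format are assumptions for the demo.

```go
package main

import "fmt"

// Added example, not Faction's code: a deny-by-default check across the three
// RBAC layers in the table. Role and scope names are the page's; the rule that
// only owner/admin/operator may write, the dataset grant shape and the Request
// fields are assumptions for the demo.

type Principal struct {
	Tenant   string
	Role     string            // tenant layer: owner, admin, operator, viewer
	Scopes   map[string]bool   // service layer: "intent.classify", "extract.quote", ...
	Datasets map[string]string // dataset layer: dataset name -> "read" or "write"
}

type Request struct {
	Tenant  string
	Scope   string // the module.action scope this call requires
	Dataset string // empty when the call touches no dataset
	Access  string // "read" or "write"
}

type Decision struct {
	Allowed bool
	Reason  string
}

// Assumed: viewer is read-only at the tenant layer; every other role may write.
var writeRoles = map[string]bool{"owner": true, "admin": true, "operator": true}

// Authorize requires every layer to grant. Scopes match exactly: a token holding
// "intent.classify" gains nothing on "extract.quote", and there is no wildcard.
func Authorize(p Principal, r Request) Decision {
	switch {
	case p.Tenant != r.Tenant:
		return Decision{false, "cross-tenant request"}
	case r.Access != "read" && r.Access != "write":
		return Decision{false, "unknown access kind " + r.Access}
	case !p.Scopes[r.Scope]:
		return Decision{false, "missing scope " + r.Scope}
	case r.Access == "write" && !writeRoles[p.Role]:
		return Decision{false, "role " + p.Role + " is read-only"}
	case r.Dataset != "" && p.Datasets[r.Dataset] == "":
		return Decision{false, "no grant on dataset " + r.Dataset}
	case r.Dataset != "" && r.Access == "write" && p.Datasets[r.Dataset] != "write":
		return Decision{false, "dataset grant is read-only"}
	}
	return Decision{true, "granted at tenant, service and dataset layers"}
}

// AuditRecord is a constructed key=value line for the decision; the platform's
// real schema lives in Confidence & HITL and is not reproduced here.
func AuditRecord(p Principal, r Request, d Decision) string {
	return fmt.Sprintf("tenant=%s role=%s scope=%s dataset=%q access=%s allowed=%t reason=%q",
		r.Tenant, p.Role, r.Scope, r.Dataset, r.Access, d.Allowed, d.Reason)
}

func main() {
	svc := Principal{Tenant: "acme", Role: "operator",
		Scopes:   map[string]bool{"intent.classify": true},
		Datasets: map[string]string{"cases-2024": "read"}}
	for _, req := range []Request{
		{"acme", "intent.classify", "cases-2024", "read"},
		{"acme", "intent.classify", "cases-2024", "write"},
		{"acme", "extract.quote", "", "read"},
	} {
		fmt.Println(AuditRecord(svc, req, Authorize(svc, req)))
	}
}
```

Denials are recorded with the same shape as grants; a stream of "missing scope" denials from one service account is exactly the signal a SIEM rule on the audit export should pick up.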
SOC 2
| Status | Detail |
|---|---|
| SOC 2 Type I | In progress; report expected by Q3 2026. |
| SOC 2 Type II | On roadmap; report expected by Q1 2027. |
| Trust center | Available with current attestations, policies, and DPIAs. |
Pre-attestation, controls are documented and operationally enforced; auditor walkthroughs available on request.
Incident management
| Severity | Definition | Customer comms |
|---|---|---|
| P1 | Service unavailable or major data integrity issue. | Initial within 15 min. Hourly updates. Post-mortem within 5 business days. |
| P2 | Degraded service; subset of tenants affected. | Initial within 60 min. Update every 4 hours. Post-mortem within 10 business days. |
| P3 | Minor degradation; no tenant-visible impact yet. | Optional notification. Post-mortem internal. |
24/7 on-call rotation. Status page maintained. P1 incidents also page a designated tenant contact.
Business continuity
| Aspect | Position |
|---|---|
| Deployment topology | Multi-AZ within region. |
| Backup cadence | Continuous (CDC) for transactional data; daily snapshots for derived indexes. |
| RTO target | 4 hours for full service. |
| RPO target | 15 minutes for transactional data. |
| DR exercise cadence | Annual full exercise; quarterly partial. |
| BCP doc | Available under NDA. |
Vulnerability management
| Activity | Cadence |
|---|---|
| SCA (dependency scanning) | Continuous, on every build. |
| SAST | On every PR. |
| DAST | Weekly against staging. |
| Container image scanning | On every push. |
| Third-party pen test | Annual; report shareable under NDA. |
| Bug bounty | Operational. |
CVE patching SLA:
| Severity | SLA |
|---|---|
| Critical (CVSS 9.0+) | 7 days |
| High (CVSS 7.0–8.9) | 30 days |
| Medium (CVSS 4.0–6.9) | 90 days |
| Low (under 4.0) | Next quarterly cycle |
Subprocessors
Subprocessor list maintained and shared on request. Material additions notified in advance with right of objection per the standard DPA. Current categories: cloud infrastructure (Azure, EU regions), observability, email delivery.
IP and model ownership
| Asset | Owner |
|---|---|
| Faction base models | Faction |
| Faction platform code | Faction |
| Tenant-tuned model artefacts | Tenant (when tenant-tuning is enabled) |
| Configuration (taxonomy, schemas, thresholds, rules) | Tenant |
| Outputs (extracted fields, match results) | Tenant |
| Inputs (case payloads supplied by tenant) | Tenant |
| Aggregate platform improvements derived without tenant-identifiable data | Faction |