SwaYantra

Trust center

Security evidence for buyers who inspect the details.

SwaYantra is built for teams that need auditable AI work: encrypted keys, customer data isolation, live controls, status communication, and a credible security-review path.

Security packet
Generated from live controls and evidence
CC6.1 / Logical access enforcement: Fresh
CC7.2 / Incident response workflow: Fresh
CC8.1 / Change evidence: Due soon
A1.2 / Availability monitoring: Fresh
Access: Roles live
Keys: Customer control
Incidents: Status-ready

Security-review path

Core buyer evidence, tied to product records.

Packet preview
Controls
Subprocessors
Audit export
Status process

Identity and access

Role-based access, workspace policy, custom roles, OIDC pilot, SCIM user provisioning, and audited administrative changes.

Keys and providers

Managed trial budgets plus encrypted customer-owned keys for Anthropic, OpenAI, and Google.

Evidence automation

Tamper-evident audit events, exportable records, and trust evidence being validated for buyer reviews.

Data controls

Customer data isolation, export and deletion workflows, retention-policy review, and residency attestations.

Security posture

SwaYantra uses customer-scoped access checks, database-level isolation, CSRF protection, per-category rate limits, structured logs, service metrics, and runtime schema validation. Sessions are HttpOnly and SameSite=Strict. API keys are AES-256-GCM encrypted at rest and never revealed after creation.

Bring your own keys

Teams can start with managed trial keys and move to customer-owned provider keys when they want direct vendor ownership. SwaYantra supports Anthropic, OpenAI, and Google provider credentials. We store last-four metadata for display, redact secrets from logs, and exclude keys from privacy exports.

Compliance roadmap

  • SOC 2 Type I evidence collection is mapped to live product controls and audit exports.
  • SOC 2 Type II observation follows Type I completion.
  • GDPR and CCPA export and deletion flows are part of the workspace administration experience.
  • Custom roles and SCIM user provisioning are available today; OIDC is in pilot pending a security pass.
  • SAML, SCIM group provisioning, automated dedicated-instance provisioning, and physical region pinning are coming or engineering-assisted.

Privacy and retention

We store workspace identity, invited users, audit entries, workflow metadata, and prompts or responses you explicitly save. We do not sell data, share it with advertisers, or train foundation models on customer data. Deletion uses a 30-day grace window unless an immediate hard-delete is requested at security@swayantra.ai.

Subprocessors

These services process customer data on our behalf. Customers receive 30 days' notice before a material addition.

Subprocessor     | Purpose                                     | Region
Stripe           | Payments and billing                        | US / EU
Cloudflare       | DNS, CDN, WAF                               | Global
Sentry           | Optional error monitoring when configured   | US; EU on request
Resend           | Transactional email                         | US
GitHub           | Source code and issue tracking              | US
Hosting provider | Compute and Postgres                        | Per customer region

Incident response

P0 incidents receive a customer notice within 30 minutes and a postmortem within 7 days. P1 incidents receive hourly updates until resolved. Security incidents requiring disclosure are communicated to affected customers within 72 hours of confirmed impact.

Vulnerability reports go to security@swayantra.ai. We respond within 2 business days.