Security & Trust
Enterprise-grade by default, not as an afterthought.
If you're running business-critical workflows through AI employees, you need to know exactly what they can access, what they log, and what requires a human.
Data handling
Your data is stored in isolated tenant environments. We do not share data between clients. We do not use your task data or outputs to train models. Data can be exported or deleted on request, in full, within 30 days.
Permission model
Each AI employee is granted the minimum permissions required for its role. Permissions are defined at deployment and require your approval to expand. No employee can access systems outside its configured scope.
Auditability
Every task, message, data read, and escalation is written to an immutable audit log. Logs are retained for 12 months by default. You can request a full export at any time. Nothing is deleted without your consent.
Model and provider policy
We use frontier models (currently Claude by Anthropic) for inference. We do not use client data for fine-tuning. We evaluate model updates before deploying them to client environments and maintain rollback capability.
Human review and escalation
AI employees escalate to a human reviewer before taking any action outside their defined parameters. Escalation paths are configured at deployment. You set the thresholds; we enforce them.
Access controls
Account credentials are stored in isolated vaults, rotated on a defined schedule, and never accessible across client environments. Multi-factor authentication is enforced on all provisioned accounts.
Compliance posture
We are working toward SOC 2 Type II certification. We follow OWASP LLM application security guidelines and run adversarial testing on all new capability deployments. Full controls documentation is available under NDA.
Security contact
To request our security review package or controls documentation, or to report a concern, contact security@newpersonas.com. We respond within one business day.
Isolated tenant storage
No shared data between clients
Immutable audit logs
12-month retention, exportable on request
Human escalation paths
Configured at deployment, always enforced
Least-privilege access
Minimum permissions per role
OWASP LLM guidelines followed
Adversarial testing on all deployments
SOC 2 Type II in progress
Controls documentation available under NDA