← Back to Eldari

Security at Eldari

Enterprise-grade security is foundational to the Eldari platform. We protect your research data, intellectual property, and personal information at every layer.

Data Protection

Multi-Tenant Isolation

Every organization on Eldari operates within a strictly isolated tenant boundary. Data never crosses organizational boundaries — including vector embeddings, documents, masking rules, and workflow outputs. Tenant isolation is enforced at the database, storage, and vector store layers.

Encryption at Rest and in Transit

All data in transit is encrypted using TLS 1.2 or higher. Data at rest is encrypted using AES-256 encryption across all storage layers, including databases, blob storage, and vector indices.

Customer-Managed Encryption Keys (BYOK)

Enterprise customers can bring their own encryption keys via Azure Key Vault. Eldari uses envelope encryption: a random AES-256 data encryption key (DEK) encrypts your data, and your customer-managed key (CMK) in Azure Key Vault wraps the DEK. You retain full control over key rotation and revocation.

Automatic PII & IP Masking

Ingested documents pass through a multi-layer masking pipeline that detects and redacts personally identifiable information (PII) and sensitive intellectual property. This includes biomedical named entity recognition (NER), pattern-based detection for emails, phone numbers, SSNs, and credit card numbers, IP-specific regex masking, and custom tenant-defined masking rules. All masking produces immutable version history for full auditability.

Authentication & Access

Single Sign-On (SSO)

Eldari supports SSO via Microsoft Entra ID using the SAML protocol. Organizations can enforce SSO-only login, disabling password-based authentication for their domain.

Multi-Factor Authentication

Email/password accounts support TOTP-based multi-factor authentication (MFA). Users can enable MFA through any standard authenticator app. When enabled, a valid 6-digit code is required at every login.

Role-Based Access Control

Access is governed by role-based permissions at the tenant level. Supported roles include Admin and Member, with Admins having full tenant management capabilities including user management, billing, and configuration.

Session Management

Authentication uses short-lived JWT access tokens with refresh token rotation. Account lockout is enforced after repeated failed login attempts. Password reset tokens are HMAC-hashed and time-limited. All authentication events are logged to the audit trail.

Infrastructure

Microsoft Azure (Canada Central)

Eldari is hosted entirely on Microsoft Azure in the Canada Central region. All data storage, processing, and compute resources remain within Azure infrastructure. No customer data is stored outside of Azure.

Container-Based Architecture

The platform uses containerized services with blue-green deployment strategies, enabling zero-downtime updates and rapid rollback capabilities.

Security Updates

Container images and dependencies are regularly updated and patched. Security advisories are monitored and addressed on a continuous basis.

Compliance

Regulatory Readiness

The Eldari platform architecture supports compliance with HIPAA, SOC 2, GDPR, and 21 CFR Part 11 requirements. Specific certifications are in progress — contact us for the latest status.

Audit Trails

Every significant platform action is logged to a comprehensive audit trail, including logins, password changes, data access, masking corrections, and workflow executions. Audit logs include timestamps, user identifiers, IP addresses, and action outcomes.

Immutable Version History

All document processing creates immutable version snapshots. Every transformation — from raw ingestion through masking and correction — is tracked with full lineage, enabling complete reproducibility and traceability.

Data Minimization

Automated PII and IP masking ensures that sensitive information is redacted before data enters the vector store or is used in content generation workflows, supporting data minimization principles.

AI & Data Handling

Tenant-Isolated Corpus

Your corpus data is stored in tenant-isolated vector namespaces. RAG queries are scoped to your organization's data only. There is no cross-tenant data leakage in search or generation.

Grounded AI Outputs

All AI-generated content is grounded in your uploaded data, not in model training data. Workflow outputs include inline citations referencing your source documents, enabling verification of every claim.

External AI Providers

Eldari integrates with OpenAI and Anthropic via API-only access. Your data is sent for processing only and is not used for model training by these providers. API calls are subject to each provider's enterprise data processing agreements.

Compliance Risk Scanning

Content workflows include built-in risk scanning that flags potential compliance issues, unsupported claims, and regulatory concerns before content is published.

Incident Response

Security Contact

For security concerns or to report a vulnerability, contact us at jessica@eldaribio.com.

Responsible Disclosure

We welcome responsible security disclosures. If you discover a potential vulnerability, please report it to our security team. We commit to acknowledging reports within 2 business days and providing a resolution timeline within 5 business days.

Regular Security Reviews

The Eldari platform undergoes regular internal security reviews covering code, infrastructure, access controls, and dependency management.

Need more details?

We are happy to discuss our security posture in detail with your team and provide documentation for your vendor review process.

Download Security WhitepaperContact Security Team

This page describes our security practices and is provided for informational purposes only. It does not constitute legal advice or a contractual commitment. Please consult with qualified legal counsel regarding your specific compliance requirements.