Security & Compliance

Built for regulators, not just demo days.

Every Adjudo decision is encrypted, audited, and cryptographically signed — by construction, not by policy memo. Here's how.

Encryption everywhere

TLS 1.3 in transit. AES-256 at rest. Per-tenant encryption keys, rotated quarterly. KMS-managed (AWS KMS / HashiCorp Vault on-prem).

Signed by construction

Every adjudication writes an HMAC-SHA256-signed audit row, hash-chained to the previous row. Tampering breaks the chain. UPDATE / DELETE are revoked at the database role.
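An added illustration of the chained audit row scheme described above (example code written for this page, not Adjudo's implementation): each row carries the previous row's HMAC and is authenticated with HMAC-SHA256, so an edited, deleted or reordered row fails verification. The tenant key, claim ids and model version are constructed placeholders.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain anchor for the first row (constructed value)
KEY = b"tenant-key-constructed-for-demo"  # placeholder; a real key would come from KMS


def sign_row(key: bytes, prev_hash: str, decision: dict) -> dict:
    """Build one audit row: canonical JSON of the decision bound to the previous
    row's MAC, authenticated with HMAC-SHA256 under the tenant key."""
    payload = json.dumps(decision, sort_keys=True, separators=(",", ":"))
    mac = hmac.new(key, f"{prev_hash}|{payload}".encode(), hashlib.sha256).hexdigest()
    return {"prev_hash": prev_hash, "payload": payload, "hmac": mac}


def append_row(key: bytes, chain: list, decision: dict) -> list:
    """Append a decision, linking it to the MAC of the last row (or GENESIS)."""
    prev = chain[-1]["hmac"] if chain else GENESIS
    chain.append(sign_row(key, prev, decision))
    return chain


def verify_chain(key: bytes, chain: list):
    """Return (ok, index_of_first_bad_row). Recomputes every MAC and checks that
    each row links to the previous row's MAC, so edits, deletions and reordering
    are all detected at the first row that no longer fits."""
    prev = GENESIS
    for i, row in enumerate(chain):
        if row["prev_hash"] != prev:
            return False, i
        msg = f"{row['prev_hash']}|{row['payload']}".encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, row["hmac"]):
            return False, i
        prev = row["hmac"]
    return True, None


def build_sample_chain() -> list:
    """Three constructed adjudication decisions with the provenance fields the
    page says every row records (prompt SHA-256 and model version)."""
    chain = []
    for n, outcome in enumerate(["approve", "deny", "approve"]):
        append_row(KEY, chain, {
            "claim_id": f"CLM-{n:04d}",  # constructed
            "outcome": outcome,
            "prompt_sha256": hashlib.sha256(f"prompt-{n}".encode()).hexdigest(),
            "model_version": "model-v1.2",  # constructed
        })
    return chain
```

Because each row's MAC covers the previous MAC, verification also has to start from the first row; a verifier that only checks the latest row would miss a rewrite of earlier history.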

Cloud or on-prem

Hosted in AWS us-east-1 (US) and ap-south-1 (India). Single-tenant VPC available. NABH-bound hospitals can run a full air-gapped install on a single GPU appliance.

Least-privilege access

SSO via SAML / OIDC. Role-based access with row-level security on Postgres. All production access goes through short-lived credentials and bastion hosts. Customer PHI is never accessible to engineers without a logged JIT request.

Audited end-to-end

Every API call, every model inference, every reviewer decision is logged with prompt SHA-256 and model version. Logs retained for 8 years to meet IRDAI requirements.

No training on your claims

We never train on customer data without explicit opt-in. If you opt in to a custom fine-tune, training runs in your tenant on your data, and the weights stay yours.

Compliance posture

We'd rather under-promise on certifications than over-promise. Here's exactly where we are.

HIPAA
United States
Aligned · BAA available on Growth and Enterprise
Technical and administrative safeguards mapped to HIPAA Security Rule (45 CFR §164). PHI access is JIT-gated and logged.
IRDAI
India
Audit-grade · 8-year retention by default
Adjudication audit trail is append-only, signed, and chained. Decision provenance is reproducible from prompt SHA-256 + model version.
DPDP Act
India
Aligned · India data residency by default
Indian customer data stays in ap-south-1 unless explicitly contracted otherwise. Consent and erasure flows supported.
SOC 2 Type II
Global
In progress · Type II report expected 2026
Currently operating to SOC 2 controls. Type I report available under NDA. Type II observation window underway.
ISO 27001
Global
Roadmap · 2027
Planned after SOC 2 Type II. ISMS controls already mapped internally.

Sub-processors

Vendors with potential access to customer environments. PHI never touches the marketing-site stack.

Vendor        Purpose                                   Region
AWS           Primary cloud (us-east-1, ap-south-1)     US, India
Lambda Labs   GPU compute for inference                 US
Brevo         Transactional email (waitlist, alerts)    EU
Vercel        Marketing site hosting (no PHI)           Global edge
Cloudflare    DDoS / WAF                                Global edge

Vulnerability disclosure

Security researchers — please report findings responsibly. We don't run a paid bounty yet, but we acknowledge every valid report and credit researchers in our hall of fame.

  • Email security@adjudoai.com (PGP key on request)
  • Response within 2 business days
  • Triage and remediation timeline shared within 7 days
  • Please don't access PHI you aren't entitled to