Regular Security Audits and How We Reduce Attack Surface

instantAIguru runs regular internal security audits, tracks ISO 42001 controls, and reduces attack surface by architecture. Here is our real security practice, stated plainly.


Strong security is less about a long list of testing programs and more about a small attack surface plus honest, regular review. This article describes what instantAIguru actually does: regular internal audits, the AI-governance controls we are adopting, and the architectural choices that remove whole classes of risk before any test is needed.

Regular internal security audits

Regular internal security audits are performed against the platform.

ISO/IEC 42001 controls we are adopting

ISO/IEC 42001 is the management-system standard for AI. We follow its controls: AI lifecycle documentation, risk assessment, vendor oversight, incident response, and bias and quality monitoring, with certification on our 2026 compliance roadmap.

Security by architecture: removing risk instead of testing for it

The most reliable security control is an attack surface that does not exist. Several of our core design choices remove risk structurally:

  • Deterministic actions. JSFE removes the AI from action execution. The language model never decides what to call or with what parameters; conventional code does. Because the model is not in the path that commits actions, model output cannot trigger a transaction.
  • BYOC credential isolation. For voice, SMS, and WhatsApp the customer owns the Twilio and Meta accounts. We do not custody those carrier credentials, so they are not ours to leak.
  • A small data surface. Conversation history is the only persisted customer data, in a single AWS us-east-1 region, encrypted with AES-256 at rest and TLS 1.2+ in transit. All other vendor calls are stateless and leave nothing behind. Less stored data is less to protect.
  • No training on your data. Customer conversations are never used to train any model, by us or any vendor, so there is no secondary copy of your data inside a model to exfiltrate.

How the architecture limits AI-specific risk

The strongest property of the design is structural: because JSFE, not the model, controls every action, model output cannot trigger a transaction. The model generates natural language; conventional code decides what gets called. Retrieval is scoped to the customer's own indexed content, and when no relevant source exists the Guru routes to a guarded fallback rather than improvising.

Built on certified infrastructure

instantAIguru runs on SOC 2 Type II certified infrastructure. AWS, Cloudflare, and Stripe are SOC 2 Type II certified, and our published sub-processor list is kept current.

Security you can rely on

instantAIguru pairs regular internal security audits and ISO/IEC 42001 governance controls with an architecture that keeps the attack surface small: deterministic actions, BYOC credential isolation, a single encrypted data store, and SOC 2 Type II certified infrastructure underneath. The result is security that holds because of how the platform is built, not only how often it is tested.