PeytonixAI is built for organizations that manage sensitive audit data in regulated environments. Security is foundational to our architecture, not an afterthought.
Architecture
PeytonixAI uses a split architecture that separates application logic from customer data. Your sensitive evidence files remain in your AWS account at all times.
Application code, user interface, and orchestration logic. No customer evidence is stored here.
Evidence files stored in customer-owned S3 buckets, encrypted with customer-managed KMS keys.
Evidence Split Architecture: Evidence files are uploaded and downloaded directly between user browsers and customer S3 via presigned URLs. PeytonixAI servers never see, store, or process evidence file contents.
Authorization
PeytonixAI enforces access control at multiple layers to ensure users only access data they are authorized to see.
Five predefined roles with graduated permissions:
Users are assigned to specific entities (business units, subsidiaries, audit engagements). Access is automatically scoped to assigned entities only. Unauthorized entity access returns 404 (not 403) to prevent enumeration of entity IDs.
All cross-account AWS access uses STS AssumeRole with mandatory ExternalId. This prevents confused deputy attacks where a malicious actor could trick PeytonixAI into accessing another customer's resources.
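A customer-side check for the control described above, as an added example that is not PeytonixAI's code: it inspects the trust policy of the IAM role a customer provides and returns every statement that lets the vendor account call sts:AssumeRole without an sts:ExternalId condition. The account ID, the ExternalId value and both sample policies are constructed placeholders, and the function names are hypothetical.

```python
VENDOR_ACCOUNT = "111122223333"  # placeholder account ID (assumption), not a real vendor account

def _as_list(value):
    """IAM accepts a single value or a list for Statement, Action and Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _external_ids(stmt):
    """ExternalId values required via StringEquals (IAM condition keys are case-insensitive)."""
    ids = []
    for operator, keys in stmt.get("Condition", {}).items():
        if operator.lower() == "stringequals":
            ids += [v for k, val in keys.items() if k.lower() == "sts:externalid"
                    for v in _as_list(val)]
    return ids

def _trusts_account(stmt, account_id):
    """True if the statement's Principal covers the given AWS account (or everyone)."""
    principal = stmt.get("Principal", {})
    if isinstance(principal, str):
        return principal == "*"
    return any(arn in ("*", account_id) or arn.startswith(f"arn:aws:iam::{account_id}:")
               for arn in _as_list(principal.get("AWS")))

def missing_external_id(trust_policy, account_id=VENDOR_ACCOUNT):
    """Return Allow statements that let account_id assume the role with no ExternalId check."""
    findings = []
    for stmt in _as_list(trust_policy.get("Statement")):
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if stmt.get("Effect") != "Allow" or not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        if _trusts_account(stmt, account_id) and not _external_ids(stmt):
            findings.append(stmt)
    return findings

# Constructed sample policies: the weak form trusts the vendor account unconditionally.
WEAK = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{VENDOR_ACCOUNT}:root"},
    "Action": "sts:AssumeRole"}]}
# The hardened form only allows AssumeRole calls that present the agreed ExternalId.
HARDENED = {"Version": "2012-10-17", "Statement": [{
    **WEAK["Statement"][0],
    "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}}]}

if __name__ == "__main__":
    for name, policy in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{name}: {len(missing_external_id(policy))} statement(s) missing ExternalId")
```

The check only recognizes a StringEquals condition, so a role that expresses the requirement with a different operator is reported and needs manual review.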
Authentication
SAML 2.0 and OIDC support for enterprise identity providers (Okta, Azure AD, Google Workspace, etc.).
Automated user provisioning and deprovisioning via SCIM 2.0. Changes sync in real time.
JWT tokens with configurable expiration. Session invalidation propagates immediately on user deactivation or role change.
MFA is enforced through the customer's identity provider. PeytonixAI honors MFA requirements set in your IdP.
Data Protection
All evidence files are encrypted using SSE-KMS with customer-managed keys. Customers control their own KMS key in their AWS account. PeytonixAI cannot decrypt evidence without assuming the customer-provided IAM role.
All traffic is encrypted via TLS 1.2+. Presigned URLs for S3 uploads/downloads enforce HTTPS.
Reliability
If authentication or authorization services become unavailable, the system denies access rather than failing open. This ensures security controls remain effective even during outages.
If the customer's AWS account becomes unreachable, users can continue working with cached metadata. Evidence uploads/downloads are queued and resume automatically when connectivity is restored.
Accountability
All user actions, access decisions, and system events are logged to append-only storage. Logs cannot be modified or deleted, even by administrators. Default retention is 7 years for security events.
Customers can enable AWS CloudTrail on their evidence bucket for independent logging of all S3 access. Combined with PeytonixAI application logs, this provides complete audit coverage.
Assurance
Annual audit covering Security, Availability, and Confidentiality trust services criteria.
Annual third-party penetration test. Customers may conduct their own tests with coordination.
Continuous scanning with defined remediation SLAs based on severity.
Contact sales@peytonixai.com for SOC 2 report access or security documentation.
Vulnerability Reporting
We welcome responsible security research. If you discover a vulnerability, please report it to us privately.
Report security vulnerabilities to security@peytonixai.com. We commit to acknowledging receipt within 2 business days and providing regular updates on remediation progress.
Learn More
Our team is available to discuss your organization's security requirements and provide detailed documentation.
Legal Notice: This document describes PeytonixAI's security architecture and controls as of the publication date. Security practices evolve continuously. For the most current information, contact security@peytonixai.com. Nothing in this document constitutes a warranty or contractual commitment. Security commitments are defined in customer agreements.