Security & Compliance

Security architecture you can hand to your procurement team.

InductIQ handles workplace incident data — sometimes including injury details, medical narratives, and worker identities. We design every system surface around the principle that this data belongs to the customer, never to us, and never to a model trainer.

Compliance status

• All traffic encrypted in transit with TLS 1.3 (HSTS enforced).
• Data at rest encrypted with AES-256 on MongoDB Atlas-equivalent storage.
• Session cookies are HttpOnly, Secure, SameSite=None — no client-readable session tokens.
• Passwords stored as bcrypt hashes (cost factor ≥12) — never reversible.
• API tokens (cron / external integrations) are stored as SHA-256 hashes; only the prefix is visible after creation.

• Role-based access control: admin vs user roles enforced at every authenticated endpoint.
• Google OAuth (Emergent-managed) with optional local username/password fallback.
• Tenant isolation: every report, document, and audit row carries an owner identifier; no query joins cross tenants.
• Public surfaces (/witness/{token}, /hotline/{token}, /embed/{id}) use signed short-lived or rotatable tokens; never expose tenant identifiers in URLs.
• Admin-only IP-rate-limited audit-log endpoint with full CSV export.

• All data is tenant-isolated and owned by the customer. We act as processor only.
• OSHA records retained 5 years per 29 CFR 1904; other operational data retained per customer policy.
• Soft-delete with explicit hard-purge on customer request, audited in the system audit log.
• Inline incident photos stored as base64 blobs alongside the report record — never on third-party CDNs.
• Worker dictations sent to the LLM are stripped of large blobs (photos) before transmission to minimize data exposure.

• All AI features (triage, polish, intake-assist, voice transcription) are powered by our patent-pending AI pipeline, which routes through a zero-retention LLM gateway.
• No customer data is used to train any model. Only the single completion request is forwarded — zero retention beyond the request lifecycle.
• Photo fields are stripped before any LLM call. Form fields longer than 2000 characters that look like blobs are skipped.
• AI invocations are logged in a TTL-pruned llm_invocations collection (30-day retention) for audit + cost reporting.
• Critical-severity auto-paging passes only the AI-generated summary + case ID + location to downstream Twilio/Slack/Teams webhooks — never the raw narrative.

• Today: Google OAuth via Emergent, plus local username + bcrypt-hashed password.
• Roadmap: SAML 2.0 SSO with Okta, Microsoft Entra ID, OneLogin (Q3 2026).
• Roadmap: SCIM 2.0 provisioning for automatic user de-provisioning on offboard (Q4 2026).
• Two-factor authentication via TOTP for local accounts (Q2 2026).

• Hosted on Kubernetes (Emergent platform) with auto-restart on health-check failure.
• Daily encrypted database backups with point-in-time recovery (30-day window).
• Supervised processes auto-restart on crash; preview and production are isolated environments.
• Frontend served via global CDN; backend latency SLO 99% of API calls under 500 ms.
• Status page and uptime monitoring available on request.

• Internal incident response: severity-1 production incident → on-call paged within 5 minutes via the same SMS/Slack/Teams plumbing customers use.
• Customer notification: confirmed data breaches communicated to affected customer admins within 72 hours.
• Post-mortem published within 14 days of any sev-1 incident, redacted for customer privacy.
• Bug bounty program in development for Q2 2026.

Sub-processors

InductIQ uses the following sub-processors to deliver the service. All are bound by data-processing agreements (DPAs) consistent with the customer's primary agreement with WorkSafeAgent.