Security

Last updated: October 17, 2025

Our Security Commitment

At S.O.T.A. SYSTEMS, security is not an afterthought—it's foundational to everything we build. We understand that you're entrusting us with your AI workloads, and we take that responsibility seriously.

This page outlines our security practices, infrastructure protections, and how we safeguard your data and API access.

Infrastructure Security

Self-Hosted on Kubernetes

We run our entire infrastructure on self-hosted Kubernetes clusters, giving us complete control over security:

  • Isolated Workloads: All services run in separate namespaces with network policies
  • Pod Security Standards: Enforced at the cluster level with strict admission controls
  • Image Scanning: All container images scanned for vulnerabilities before deployment
  • Secrets Management: Kubernetes secrets encrypted at rest and in transit
  • RBAC: Role-based access control with principle of least privilege

NVIDIA DGX GB300s Infrastructure

  • Physical Security: Data center with 24/7 monitoring, biometric access, and security personnel
  • Hardware Security: Secure boot, TPM 2.0, and hardware-based encryption
  • Network Isolation: Dedicated 100Gbps network with firewalls and VLANs
  • Firmware Updates: Regular security patches and firmware updates

Database Security

We use self-hosted Supabase (PostgreSQL) with:

  • Encryption at Rest: AES-256 encryption for all stored data
  • Encryption in Transit: TLS 1.3 for all database connections
  • Row Level Security (RLS): Fine-grained access control at the database level
  • Automated Backups: Daily encrypted backups with geographic redundancy
  • Network Policies: Database only accessible from authorized services

API Security

Authentication & Authorization

  • API Keys: Cryptographically secure random keys with per-seat scoping
  • JWT Tokens: Short-lived tokens for dashboard and account management
  • OAuth 2.0: Standard authentication for third-party integrations
  • Key Rotation: Support for rotating API keys without downtime

Request Security

  • TLS 1.3: All API requests encrypted end-to-end
  • Certificate Pinning: Available for enhanced security
  • DDoS Protection: Multi-layer protection against volumetric attacks
  • Rate Limiting: Per-seat rate limiting (not per-token) to prevent abuse
  • Input Validation: All inputs sanitized and validated

Request Isolation

  • Each API key operates in isolation
  • No request data shared between users
  • Separate model instances per concurrent stream
  • Memory isolation between inference requests

Data Protection

What We DO NOT Store

This is critical: We do not log, store, or retain your API request content.

  • Prompts: Your input prompts are never logged or stored
  • Completions: Generated outputs are never retained after delivery
  • Context: Conversation history is not stored on our servers
  • Model Training: Your data is never used to train or fine-tune models

What We DO Store

We only collect minimal metadata for service operation:

  • Request timestamps and response times (for monitoring)
  • Model IDs and endpoint types (for routing)
  • HTTP status codes (for debugging)
  • Aggregate usage per API key (for billing)

All metadata is encrypted at rest and automatically purged after 90 days.

In-Transit Data

  • TLS 1.3 encryption with perfect forward secrecy
  • Strong cipher suites (AES-256-GCM)
  • HSTS headers to prevent protocol downgrade attacks
  • Certificate transparency logging

Monitoring & Incident Response

24/7 Security Monitoring

  • Intrusion Detection: Real-time monitoring for suspicious activity
  • Log Aggregation: Centralized logging with anomaly detection
  • Alerting: Automated alerts for security events
  • SIEM: Security Information and Event Management system

Incident Response Plan

  • Documented incident response procedures
  • On-call security team 24/7
  • Defined escalation paths and communication protocols
  • Post-incident analysis and transparency reports

Incident Communication

In the event of a security incident, we commit to:

  • Notify affected users within 72 hours of discovery
  • Provide transparent incident reports on our status page
  • Share root cause analysis and remediation steps
  • Update our blog with lessons learned

Access Controls

Internal Access

  • Least Privilege: Team members only have access to systems they need
  • MFA Required: Multi-factor authentication mandatory for all staff
  • Audit Logs: All administrative actions logged and reviewed
  • Background Checks: Security clearances for personnel with infrastructure access

Customer Access

  • Account dashboard with 2FA support
  • Per-seat API key management
  • Session management and device tracking
  • Audit logs of account activity

Compliance & Certifications

Current Compliance

  • GDPR: European data protection compliance
  • CCPA: California Consumer Privacy Act compliance
  • SOC 2 Type II: In progress (target: Q2 2026)

Planned Certifications

  • SOC 2 Type II audit (Q2 2026)
  • ISO 27001 certification (2026)
  • HIPAA compliance option for healthcare customers (2026)

Vulnerability Management

Proactive Security

  • Regular penetration testing by third-party security firms
  • Automated vulnerability scanning of all services
  • Dependency monitoring and automated updates
  • Security code reviews for all changes

Responsible Disclosure

We welcome security researchers to report vulnerabilities responsibly:

  • Email: security@sota.systems
  • PGP Key: Available on request
  • Response Time: Initial response within 24 hours
  • Bug Bounty: Program launching Q1 2026

What to Report

  • Authentication or authorization bypass
  • Remote code execution vulnerabilities
  • SQL injection or other injection attacks
  • Cross-site scripting (XSS) vulnerabilities
  • Data exposure or leakage
  • Any security issue that could impact our users

Disaster Recovery & Business Continuity

Backup Strategy

  • Frequency: Continuous replication + daily snapshots
  • Retention: 30-day retention for point-in-time recovery
  • Encryption: All backups encrypted with unique keys
  • Geographic Redundancy: Backups stored in multiple regions
  • Testing: Monthly backup restoration tests

High Availability

  • Multi-node Kubernetes clusters with automatic failover
  • Load balancing across multiple inference servers
  • Database replication with automatic failover
  • Geographic distribution for disaster recovery

Third-Party Security

Vendor Management

  • All third-party vendors undergo security assessment
  • Data processing agreements (DPAs) with all vendors
  • Regular vendor security reviews
  • Minimal third-party dependencies

Current Vendors

  • Payment Processing: Stripe (PCI DSS Level 1)
  • Email Delivery: AWS SES (SOC 2 compliant)
  • Infrastructure: Self-hosted on our own hardware

Security Best Practices for Users

Protecting Your API Keys

  • Never commit API keys to version control
  • Use environment variables for key storage
  • Rotate keys regularly (we support zero-downtime rotation)
  • Use separate keys for development, staging, and production
  • Monitor key usage for anomalies

Securing Your Applications

  • Implement rate limiting on your application layer
  • Validate and sanitize user inputs before sending to our API
  • Never expose API keys to client-side code
  • Use server-side proxies for API calls from frontends
  • Implement proper error handling that doesn't leak sensitive data
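A minimal server-side proxy that applies the points in both lists above (key read from the environment, per-user rate limiting in your own application layer, input validation before the call, and error responses that reveal nothing internal). This is an added example, not S.O.T.A. SYSTEMS' code; the `SOTA_API_KEY` variable name and the injected `call_upstream` function are assumptions standing in for the real client call.

```python
import os
import time
from collections import defaultdict, deque

API_KEY_ENV = "SOTA_API_KEY"  # assumed variable name; the key lives only on the server


class RateLimiter:
    """Sliding-window limiter keyed by your own user id, applied before any upstream call."""

    def __init__(self, max_requests, window_seconds):
        self.max_requests, self.window = max_requests, window_seconds
        self.hits = defaultdict(deque)

    def allow(self, user_id, now=None):
        now = time.monotonic() if now is None else now
        q = self.hits[user_id]
        while q and now - q[0] >= self.window:  # drop hits that fell out of the window
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True


def validate_prompt(prompt, max_chars=4000):
    """Reject malformed input before it is forwarded to the API."""
    if not isinstance(prompt, str) or not prompt.strip():
        raise ValueError("prompt must be a non-empty string")
    if len(prompt) > max_chars:
        raise ValueError("prompt exceeds maximum length")
    if any(ord(c) < 32 and c not in "\n\t" for c in prompt):
        raise ValueError("prompt contains control characters")
    return prompt.strip()


def handle_request(user_id, body, limiter, call_upstream, env=None, request_id="req-1"):
    """Proxy handler: the browser talks to this endpoint and never sees the API key."""
    env = os.environ if env is None else env
    if not limiter.allow(user_id):
        return 429, {"error": "rate limit exceeded", "request_id": request_id}
    try:
        prompt = validate_prompt(body.get("prompt"))
    except ValueError as exc:  # input problems are safe to echo back to the caller
        return 400, {"error": str(exc), "request_id": request_id}
    try:
        key = env[API_KEY_ENV]  # read from the environment, never hard-coded or sent to clients
        return 200, {"completion": call_upstream(key, prompt), "request_id": request_id}
    except Exception:
        # Log the real exception server-side; the client only gets an opaque request id.
        return 502, {"error": "upstream request failed", "request_id": request_id}
```

The `request_id` lets you correlate a user's report with your own server-side log entry without exposing the underlying exception or the key.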

Transparency & Accountability

As part of our commitment to building in public, we:

  • Publish security incident reports on our blog
  • Share our security roadmap and improvements
  • Maintain a public status page for uptime and incidents
  • Welcome questions and feedback on our security practices
  • Conduct regular security audits and share results

Contact Security Team

For security-related questions or to report vulnerabilities:

Please do not publicly disclose security vulnerabilities until we've had a chance to address them.

Security is a Journey

Security is not a destination—it's an ongoing commitment. We continuously improve our practices, learn from the security community, and stay ahead of emerging threats. Your trust is earned through action, not promises.

Building state-of-the-art infrastructure means state-of-the-art security.