How Egret Handles Security and Compliance

Egret Team

When you're building tools for regulated industries, security isn't a feature — it's a prerequisite. Here's how Egret approaches data protection, encryption, and compliance.

Data isolation

Every organisation's data is fully isolated at the storage layer. Documents, embeddings, and session logs are stored in per-tenant partitions with strict access controls. There is no shared index between organisations.

Encryption

All data at rest is encrypted with AES-256. Data in transit uses TLS 1.3. Encryption keys are managed through AWS KMS with automatic rotation.

Zero training exposure

We have a firm policy: customer data is never used to train, fine-tune, or improve any language model. Egret uses Amazon Bedrock, which provides the same guarantee — queries are processed and immediately discarded by the model provider.

Access controls

Egret supports role-based access control at the organisation level:

  • Owner — Full access including billing, API keys, and organisation settings
  • Admin — Manage domains, sessions, and members
  • Member — Query and view sessions

API keys can be created with scoped permissions, and all actions are logged in an immutable audit trail.

Infrastructure

Egret runs on AWS with infrastructure deployed across multiple availability zones. For Enterprise plans, we offer private VPC deployment with dedicated compute resources and custom data residency options.

Compliance roadmap

We're actively working toward SOC 2 Type II certification and plan to complete the audit by Q3 2026. If you have specific compliance requirements, get in touch — we're happy to discuss our controls in detail.