Innermost Security

Our Commitment

At Innermost, we understand that adopting AI-powered learning solutions requires absolute trust in how your data is handled. Our security architecture is designed from the ground up to address the specific concerns enterprises face when evaluating AI-first platforms.

Data Leakage & Model Training

"Could our internal documents end up training someone else's model?"

No. Your data is never used to train models. We store data in MongoDB with separate logical databases per customer, ensuring complete isolation. Our agreements with LLM providers include Zero Data Retention — your content is processed and immediately discarded. For customers requiring additional control, we offer private LLM instances running on dedicated cloud infrastructure. These are binding, auditable commitments.

Data Hosting, Storage & Retention

"Where is my data hosted and processed?"

Amazon Web Services (AWS). You're in control of your data at all times via the admin interface, including the ability to purge on demand. Your data resides on AWS in dedicated S3 buckets and is indexed in AWS-hosted MongoDB databases. Each client receives a dedicated logical database with segregation built into the platform from the foundation. We use this indexed data to ground AI answers in your content. When you decide to purge data, partially or completely, all traces are removed and confirmed back to you with a full audit trail of the deletion.

Unauthorized Access

"Who inside your company can see our data?"

Only authorized personnel operating under the principle of least privilege. Customer data for each organization is logically separated to prevent any commingling between customers. Access to production systems is limited to essential personnel, requires multi-factor authentication, and generates comprehensive audit logs. All data views produce audit trails. Customers can determine what data to upload, how long it is retained, and whether content can be shared within their organization. No Innermost employee can access your data without explicit authorization and documented business justification.

Platform Security Posture

"How do you secure your platform and address vulnerabilities?"

Continuous monitoring, rapid patching, and independent testing. We operate on the principle of minimal attack surface. Our infrastructure runs in ephemeral compute environments rebuilt frequently from hardened base images. No process runs as root, and credentials are never stored on machines; secrets are injected at runtime from AWS Secrets Manager. Every third-party dependency is pinned, tracked, and continuously scanned for known vulnerabilities. Critical and high CVEs are patched within 72 hours.

Independent Vulnerability Scan & Audit

"Are your security controls independently verified?"

Yes. We use Halo Security, a PCI DSS Approved Scanning Vendor, to continuously scan all internet-facing assets from an attacker's perspective. Halo provides external attack surface management, including server vulnerability scanning, dynamic application security testing (DAST) for OWASP Top 10 risks, and firewall scanning across all exposed ports and services. Findings are prioritized by risk score and remediated according to our patching SLAs.