DRAI Security & Compliance Statement
At Data Room AI (“DRAI”), protecting customer data is core to our mission.
Effective: October 1, 2025
This Statement summarizes our security practices, compliance roadmap, and commitments. It supplements our Data Processing Addendum (DPA), Privacy Policies, and Terms of Use, and is governed by the laws of the State of Delaware.
0. Definitions
Simple: Key terms defined for clarity.
- Security Incident: Any event compromising the confidentiality, integrity, or availability of data, including unauthorized access (per NIST SP 800-53).
- Breach: A Security Incident leading to unlawful destruction, loss, alteration, or unauthorized disclosure/access of Personal Data (GDPR Art. 4(12)).
- Prohibited Data: Specially protected data including Controlled Unclassified Information (CUI), Classified Information under U.S. law, Protected Health Information (PHI) under HIPAA, and export-controlled data under ITAR/EAR.
- Controlled Unclassified Information (CUI): Information the U.S. Government designates as requiring safeguarding or dissemination controls consistent with applicable laws and regulations.
- Compensating Controls: Alternative security measures implemented to satisfy the intent of a control when technical or operational limitations prevent full implementation.
- AWS Config Compliance: The use of AWS Config managed rules and configurations to continuously monitor and enforce compliance with security policies and standards.
- Other terms (e.g., “Personal Data,” “Subprocessors,” and “Customer Provided Data”) are as defined in our DPA.
1. Security Principles
Simple: Security by design, enhanced for cloud environments.
- Least Privilege: Role-based access controls (RBAC) enforced via AWS Identity and Access Management (IAM), managed through Terraform infrastructure-as-code with version control and audit trails.
- Encryption Everywhere: TLS 1.2+ in transit; AES-256 at rest, implemented using AWS native services.
- Cloud-Native Security Controls: Continuous compliance monitoring via AWS Config and CloudTrail, with documented exceptions managed through compensating controls.
- Segregation: Each enterprise customer receives a dedicated Virtual Private Cloud (VPC) subdomain.
- Auditability: All actions are logged and accessible through AWS Config compliance dashboards and CloudTrail logs, enabling enterprise admins to monitor and investigate activity.
- Exception Management: Documented exceptions to AWS Config rules or policies are justified, reviewed, and monitored to maintain compliance posture.
- AI Security: LLM inference pipelines are hardened; models undergo vulnerability scans; practices align with the NIST AI Risk Management Framework (RMF).
2. Hosting & Data Residency
Simple: Data stays in the U.S., aligned with DoD and regulatory requirements.
- Tiers 0–1: AWS East/West (commercial).
- Tiers 2–3: AWS GovCloud East/West.
- Data Sovereignty: No cross-border transfers without explicit agreement.
- Service-Managed Log Buckets: Certain AWS service-managed log collector buckets are excluded from specific logging rules due to technical limitations (e.g., circular logging), with compensating controls such as restrictive bucket policies and CloudTrail activity logging in place.
- International Subprocessors (e.g., Mistral.AI in France, Jina AI in Germany, Cohere in Canada): Transfers rely on safeguards such as Standard Contractual Clauses (SCCs), adequacy decisions, or the EU-US Data Privacy Framework.
3. Data Protection & Privacy
- Chat content is always logged and stored in customer-specific VPCs.
- Customer Provided Data is managed by enterprise admins via DRAI’s file manager, with explicit responsibility to avoid uploading Prohibited Data.
- Privacy is governed by the Privacy Policy, Enterprise Privacy Policy, and DPA.
- Audit logs and activity monitoring are managed using AWS CloudTrail and AWS Config, supporting accountability and traceability.
- Encryption standards (TLS 1.2+, AES-256) are implemented across data in transit and at rest.
4. Compliance Roadmap
Simple: We’re building toward higher compliance.
- CMMC Level 1: Aligned with DoD’s final CMMC rule (effective November 10, 2025), including documented exceptions with justifications and compensating controls maintaining overall compliance posture.
- CMMC Level 2: Architecture revisions planned for Q2 2026; alignment with DoD requirements targeted by Q4 2026.
- SOC 2, HIPAA, & ISO 27001: Gap assessments to be conducted following CMMC Level 2 architectural completion.
- Export Controls: Customers must comply with all applicable ITAR/EAR laws.
- AI Security: Practices align with the NIST AI Risk Management Framework (RMF).
5. Sub-processors & Dependencies
DRAI relies on sub-processors, each bound by DPAs ensuring compliance. Key vendors include:
- AWS – Hosting (U.S.).
- OpenAI – LLM services (U.S.).
- Mistral.AI – OCR/document processing (France).
- SERPER – SERP-based search (Spain).
- FIRECRAWL – LLM web crawling (U.S.).
- Jina AI – Site authority analysis (Germany).
- Cohere – Site authority analysis (Canada).
- Support Tools – Ticketing/monitoring (U.S., unless otherwise disclosed).
Outages or performance degradation from sub-processors are force majeure events under our SLA.
DRAI and its customers operate under a shared responsibility model with AWS, where AWS manages infrastructure compliance, and DRAI manages service configurations, documented exceptions, and compensating controls.
6. Security Features for Customers
- RBAC and Single Sign-On (SSO) support.
- Admin-level audit logging of key system usage via AWS Config and CloudTrail.
- Configurable file retention and deletion policies for Enterprise Customers.
- Optional onboarding and compliance reviews (tier-specific), including validation of documented exceptions and compensating controls.
7. Customer Responsibilities
Simple: Security is shared.
- Enterprise admins configure access controls internally and govern IAM policies via infrastructure-as-code where applicable.
- Enterprise admins monitor audit logs and compliance dashboards to enforce organizational policies.
- Customers must not upload Prohibited Data.
- Customers are encouraged to review and approve documented exceptions and compensating controls as part of their compliance governance.
8. Incident Response
- Security incidents are promptly logged, triaged, and remediated.
- Incident detection leverages AWS CloudTrail and AWS Config monitoring.
- Breach notifications are sent within 72 hours of confirmation, including incident details, affected data, mitigations, and support for Customer’s regulatory obligations (U.S. Federal and State laws, GDPR, etc.).
9. Contact
DRAI Commercial Services Inc.
621 23RD ST NW, Naples, FL 34120
Email: corey@product-ties.com
10. Miscellaneous
Simple: Standard legal protections.
- Governing Law: Delaware law governs; disputes resolved per Terms of Use.
- Severability: If any provision is invalid, others remain in force.
- Entire Understanding: This Statement, together with the DPA, Privacy Policies, and Terms of Use, constitutes the entire understanding regarding security and compliance.
- Version Control: This Statement will be reviewed and updated periodically to reflect changes in compliance posture, regulatory requirements, and cloud service configurations.
- Revision History:
  - Version 1.0 (Oct 1, 2025): Initial release aligned with CMMC Level 1 compliance and AWS environment specifics.