Trust & Security

Security at Liya Engine

Enterprise-grade security built into every layer of the platform — from network isolation to AI output guardrails.

Encryption at rest & in transit
All data stored on our infrastructure is encrypted using AES-256. All data in transit is encrypted using TLS 1.2 or higher. We do not transmit plaintext credentials or sensitive data over unencrypted channels.
API authentication
Every API request is authenticated using scoped API keys or short-lived JWTs. Keys are hashed before storage — we never store plaintext secrets. Rotate keys instantly from your dashboard at any time.
Tenant isolation
Customer data is logically isolated at the data layer. API requests, retrieval indices, trace logs, and configurations are scoped to your organization ID and are not accessible to other tenants.
Access controls & audit logs
Internal access to production systems follows least-privilege principles. All administrative access requires MFA. Every access event is logged to an append-only audit trail with tamper-evident properties.

Infrastructure Security

Liya Engine runs on enterprise-grade cloud infrastructure with the following protections:

  • Network isolation: Production workloads run in isolated virtual private networks (VPCs) with strict inbound/outbound firewall rules. No production service is exposed to the public internet beyond required API endpoints.
  • DDoS protection: Network-level DDoS mitigation is provided by our infrastructure and CDN layers.
  • Encryption at rest: All persistent storage is encrypted using AES-256.
  • Encryption in transit: All API and web traffic is encrypted using TLS 1.2 or higher. TLS 1.0 and 1.1 are disabled.
  • Availability: Our infrastructure is designed for high availability with redundancy across multiple availability zones.

Application Security

API Authentication

All API requests must be authenticated using either a scoped API key or a short-lived JWT issued by our authentication service. API keys are hashed with bcrypt before storage — the plaintext key is shown only once upon creation. Keys can be rotated or revoked instantly from the dashboard.

Rate Limiting and Input Validation

Every API endpoint enforces rate limits at both the IP and account levels to prevent abuse and protect platform availability. Inputs are validated for type, length, and content before processing. Malformed or oversized requests are rejected before reaching core processing systems.

Output Guardrails

The Liya Engine guardrails system applies configurable safety filters to AI inputs and outputs — including content moderation, PII detection, domain-specific compliance filters, and custom blocklists. Guardrail events are logged to the trace system for audit purposes.

Access Controls

  • Least privilege: Internal employees and systems are granted the minimum permissions required for their role. Permissions are reviewed regularly.
  • MFA: Multi-factor authentication is required for all internal access to production systems and administrative tooling.
  • Audit logs: All administrative actions, data access events, and configuration changes are recorded in an append-only audit log. Logs are retained for a minimum of 12 months.
  • Offboarding: Access is revoked immediately upon employee or contractor offboarding.

Data Handling

  • No training on customer data: We do not use data submitted through the API to train, fine-tune, or improve any AI model — ours or any third party’s.
  • Tenant isolation: Data is logically isolated per customer organization at the storage and retrieval layers. No cross-tenant data access is possible in normal operation.
  • Retention: API request metadata is retained for 90 days by default. Account data is retained for 90 days after account deletion. For details, see our Privacy Policy.

Compliance Posture

SOC 2 Type II — in progress
HIPAA BAA available
GDPR compliant
EU SCCs available

SOC 2 Type II: We are actively working toward SOC 2 Type II certification. Our controls framework covers Security, Availability, and Confidentiality trust service criteria. We expect to complete our first Type II audit in 2026.

HIPAA: A Business Associate Agreement (BAA) is available for customers who process Protected Health Information (PHI) through our platform. Contact [email protected] to request a BAA.

GDPR: We comply with GDPR obligations as a data processor. Our Data Processing Agreement is available to customers who need it. EU Standard Contractual Clauses (SCCs) are available for international transfers.

Vulnerability Disclosure

We take security vulnerabilities seriously. If you believe you have found a security vulnerability in our platform, we ask that you disclose it to us responsibly before making it public.

To report a vulnerability: Email [email protected] with a description of the issue, steps to reproduce, and potential impact. We will acknowledge your report within 24 hours and aim to provide an initial assessment within 5 business days.

Responsible Disclosure Program

Liya Engine operates a responsible disclosure program. We ask researchers to:

  • Not access, modify, or delete customer data during testing.
  • Not perform denial-of-service attacks or disruptive testing against production systems.
  • Not publicly disclose the issue until we have had a reasonable opportunity to investigate and remediate.

In return, we commit to working with researchers in good faith, providing timely responses, and crediting responsible disclosures where the researcher wishes to be recognized.

Contact: [email protected]

Last updated: April 8, 2026