TRUST CENTER

Verifiable Trust, Engineered for Security Leaders.

Q: How do I request data deletion?

Submit a deletion request to privacy@innora.ai. We process all requests within 30 days in compliance with applicable data protection regulations.

Our commitment to security is not a promise — it is a verifiable reality. Built by a CISSP-certified security expert, Innora.ai uses code and automated processes to construct trust, not marketing claims.

SOC 2 Type IIRoadmap

GDPRAligned

TransparentBy Design

Trust evidence hierarchy

The strongest public proof appears first: published research, methodology, disclosure operations, and inspectable engineering surface.

Evidence rule

Every claim below links to a source a buyer can verify.

Published research record

31 CVEs / 15 MITRE tickets

The research timeline documents the 48-hour vulnerability sprint, confirmed MITRE tickets, and coordinated disclosure status.

Research timeline

Methodology disclosure

AI-assisted audit method

The methodology article explains target selection, sanitizer verification, three-model validation, and coordinated disclosure boundaries.

31-CVE methodology

Security reporting channel

Canonical security.txt

The disclosure policy gives researchers a stable contact path, policy URL, acknowledgments route, preferred language, and expiry date.

security.txt

Public engineering surface

Open security tooling

The public GitHub organization exposes security projects, examples, and implementation signals that buyers can inspect independently.

sgInnora GitHub

AI crawler policy

How AI crawlers should discover and cite Innora

Innora publishes crawler-facing assets for public discovery, answer routing, citation freshness, and responsible security reporting. Private APIs and build artifacts remain blocked from crawler access.

Crawler access policy

Robots rules allow public content discovery for search and AI crawlers while blocking private, API, and build-output surfaces.

/robots.txt

AI answer target map

llms.txt lists priority pages, product proof routes, citation guidance, and freshness metadata for AI answer engines.

/llms.txt

Canonical public route inventory

The sitemap is the source of truth for public pages that should be discoverable, cited, and audited.

/sitemap.xml

Security disclosure policy

security.txt gives researchers a stable reporting channel, policy URL, acknowledgment route, and expiry date.

/.well-known/security.txt

Compliance & Certifications

We pursue industry-recognized standards to provide verifiable evidence of our security posture.

Roadmap

SOC 2 Type II

Internal SOC 2 readiness controls implemented. External Type II audit on the enterprise roadmap; not yet engaged.

Progress40%

Aligned

GDPR

Data processing aligned with GDPR requirements. Custom DPA can be drafted on request for enterprise customers.

Active

Transparent by Design

Open-source core components, public status page, and a vulnerability disclosure program from day one.

Security Architecture & Practices

We follow a 'distrust by default' architectural principle. Every access request is verified independently, regardless of source.

Zero Trust

Mutual TLS (mTLS) for all service-to-service communication
Least-privilege access control with fine-grained RBAC
Default-deny network policies across all environments
Continuous verification — no implicit trust from any source
Comprehensive audit logging of all authorization events

Data Security

TLS 1.3+ encryption for all data in transit
AES-256 encryption for all data at rest
Logical tenant isolation in multi-tenant environments
Automated secret rotation and vault-based key management
Data classification and handling policies enforced programmatically

Infrastructure

Production hosted on AWS with multi-AZ redundancy
Infrastructure as Code (IaC) — all changes auditable via Git
Mandatory MFA for all internal system access
Network segmentation with private subnets and bastion hosts
Automated vulnerability scanning on every deployment

Supply Chain

Automated dependency scanning with cargo-audit and Snyk
Software Bill of Materials (SBOM) generated per release
Signed commits and verified CI/CD pipelines
Rust core — memory-safe by design, eliminating entire vulnerability classes
Static analysis (Ruff, Clippy) integrated into every build

Availability & Business Continuity

We address the 'bus factor' head-on with automated failsafes and documented recovery procedures.

Enterprise SLA Targets

Signed Enterprise agreements can define uptime targets, support coverage, and status monitoring. Live service status remains public.

View Live Status

Disaster Recovery

Daily automated database backups with 30-day retention. Off-site storage with defined RTO and RPO targets.

Dead Man's Switch

Automated continuity mechanism. If the founder is unreachable for 30 days, emergency access is granted to designated legal counsel and technical trustees.

Source Code Escrow

Full source code and operational documentation held by a trusted third-party escrow service, released under defined trigger conditions.

Verifiable Transparency

Don't take our word for it — verify it yourself.

Real-Time Status

Live uptime monitoring and incident history for all Innora.ai services.

Visit Status Page

Vulnerability Disclosure

We welcome responsible security research. The canonical policy is published at /.well-known/security.txt; report via [email protected] or the scoped contact route with reproduction steps and PoC evidence.

View security.txt

Open Source Contributions

Core security tools are open source on GitHub. Audit the code, file issues, and contribute.

View on GitHub

Privacy & Data Protection

Your data is your data. We handle it with the care it deserves.

What data do you collect?

We collect only the minimum data necessary to provide and improve our services. This includes account information, usage telemetry, and security event logs. We never sell user data.

Where is my data stored?

Primary infrastructure is hosted on AWS US-East (N. Virginia). For enterprise clients with data sovereignty requirements, we offer deployment on AWS Singapore through our SG entity.

Who are your sub-processors?

Our core sub-processors include AWS (infrastructure), Stripe (payments), and select AI model providers. A complete sub-processor list can be shared with enterprise customers as part of a DPA discussion ([email protected]).

How do I request data deletion?

Submit a deletion request to [email protected]. We process all requests within 30 days in compliance with applicable data protection regulations.

Do you use my data for AI training?

No. Customer data is never used for training AI models. Your security data and configurations remain strictly isolated and confidential.

Read Full Privacy Policy

Corporate & Operational Transparency

Built by experts, for experts. We believe radical transparency is the ultimate security posture.

Feng Ning

Founder & Chief Architect

CISSP-certified security professional with 20+ years of industry experience. Every core architecture decision and security audit is personally led by the founder.

As a single-operator company, Innora.ai delivers unmatched response speed — security issues are handled directly by the person who built the system, with zero communication overhead.

CISSP20+ YearsTop HackerRust Expert

Legal Entities

Aurora Infinite LLC
Delaware, United States — Primary operating entity

Innora AI Pte. Ltd.
Singapore — Asia-Pacific operations and data residency

Technology Stack

Core platform built with Rust and eBPF — providing memory safety guarantees that eliminate entire classes of vulnerabilities (buffer overflow, use-after-free, data races) at the language level.

RusteBPFPythonGoTypeScript

Ready to Dive Deeper?

Download our security whitepaper for a comprehensive overview of Innora.ai's security architecture, compliance roadmap, and operational practices.

Request Whitepaper Book Security Consultation

Documentation

Technical architecture and API docs

Contact Security

Structured vulnerability report intake

System Status

Real-time service monitoring