Truefoundry is built with security and compliance as foundational principles. Our platform provides enterprise-grade security features, comprehensive compliance certifications, and robust data protection to ensure your AI workloads and data remain secure. For detailed security information, compliance reports, and trust documentation, visit trust.truefoundry.com.

Compliance Certifications

Truefoundry maintains multiple compliance certifications to meet enterprise security and regulatory requirements:
  • SOC 2 Type II: Certified for security, availability, processing integrity, confidentiality, and privacy
  • GDPR: Compliant with the General Data Protection Regulation for data privacy
  • HIPAA: Compliant with the Health Insurance Portability and Accountability Act for healthcare data

[Figure: Our Compliance Certifications (SOC 2 Type II, GDPR and HIPAA logos)]

Compliance certifications apply to Truefoundry’s managed infrastructure. For self-hosted deployments, compliance depends on your infrastructure and security controls.

Data Security

Data Residency and Sovereignty

Truefoundry’s architecture ensures that your data remains under your control:
  • Data Stays in Your Environment: When deployed on your infrastructure, all data, models, and artifacts remain within your cloud account or on-premises environment
  • No Data Egress: Deploying on your own infrastructure eliminates data egress costs and ensures data never leaves your environment

Encryption

  • Encryption at Rest: Stored data is encrypted at rest using AES-256
  • Encryption in Transit: All network communications use TLS 1.2 or higher to encrypt data in transit
  • Secret Management: Integration with cloud-native secret managers (AWS Secrets Manager, Azure Key Vault, GCP Secret Manager) for secure credential storage

Access Control and Authentication

Authentication Methods

Truefoundry supports multiple authentication mechanisms:
  • Single Sign-On (SSO): Integrate with your identity provider (IdP), including SAML 2.0 and OIDC-compatible providers
  • OIDC Authentication: Support for OpenID Connect with multiple providers (Keycloak, Google, Microsoft Entra ID, etc.)
  • JWT Token Authentication: API access using JWT tokens from your identity provider
  • API Keys: Secure API key-based authentication for programmatic access

Authorization and Access Control

Comprehensive role-based access control (RBAC) ensures users have appropriate permissions:
  • Tenant-Level Permissions: Control access at the organization level with Tenant Admin and Tenant Member roles
  • Resource-Level Permissions: Granular permissions for workspaces, clusters, ML repositories, secret groups, and provider accounts
  • Team-Based Access: Organize users into teams with shared permissions and access controls
  • Fine-Grained Permissions: Viewer, Editor, and Admin roles for different resources
For detailed information on access control, see Access Control.

Infrastructure Security

Architecture Security

Truefoundry’s split-plane architecture provides security through separation:
  • Control Plane: Orchestration layer that manages configuration and interacts with compute and data planes
  • Compute Plane: Runs on your Kubernetes cluster, ensuring workloads execute in your controlled environment
  • Gateway Plane: Secure proxy layer with enterprise-grade security and observability
  • Data Plane: Your own blob storage or Truefoundry-managed storage with encryption

Network Security

  • Private Network Deployment: Deploy control plane within your VPC for complete network isolation
  • TLS/SSL Encryption: All API communications encrypted with TLS 1.2+
  • Firewall Integration: Compatible with your existing firewall and network security policies
  • VPC Isolation: Support for deployment within private VPCs and on-premises networks

Container Security

  • Image Scanning: Integration with container registries and security scanning tools
  • Least Privilege: Containers run with minimal required permissions
  • Security Contexts: Kubernetes security contexts for pod-level security controls
  • Secret Injection: Secure environment variable and secret management without exposing credentials

Audit and Monitoring

Audit Logging

Comprehensive audit logging tracks all platform activities:
  • Complete Activity History: All user actions, resource changes, and API calls are logged
  • Detailed Audit Trails: Track who performed what action, when, and on which resource
  • Export Capabilities: Export audit logs to your logging platform (Splunk, Datadog, etc.)
  • API Access: Programmatic access to audit logs via Truefoundry API
Audit logs are only visible to Tenant Admins. For more information, see Audit Logging.

Security Monitoring

  • Real-Time Monitoring: Continuous monitoring of platform activities and security events
  • Anomaly Detection: Automated detection of unusual access patterns or activities
  • Alerting: Integration with monitoring and alerting systems
  • Observability: Comprehensive metrics, logs, and traces for security analysis

AI Gateway Security

Gateway Security Features

Truefoundry’s AI Gateway provides enterprise-grade security for LLM access:
  • Authentication: Multiple authentication methods including OIDC, JWT, and API keys
  • Authorization: Role-based access control for models and endpoints
  • Guardrails Integration: Support for content safety, PII detection, and prompt injection prevention
  • Request/Response Logging: Secure logging of API requests and responses for compliance and debugging

Content Safety

Integration with enterprise guardrail providers:
  • Content Filtering: Azure AI Content Safety, OpenAI Moderation, and custom guardrails
  • PII Detection and Redaction: Automatic detection and redaction of personally identifiable information
  • Prompt Injection Prevention: Protection against prompt injection attacks
  • Toxicity Detection: Real-time detection of harmful or inappropriate content
For more information on guardrails, see AI Gateway Guardrails.

Incident Response and Business Continuity

High Availability

  • Globally Distributed: Gateway deployed across 12+ regions and multiple cloud providers
  • Automated Failover: Automatic routing to healthy regions in case of regional downtime
  • Multi-Cloud Deployment: Resilience against cloud provider-specific disruptions
  • Redundancy: High availability configurations for critical components

Backup and Recovery

  • Configuration Backups: Regular backups of platform configuration and metadata
  • Disaster Recovery: Comprehensive disaster recovery procedures
  • Data Backup: Integration with your backup solutions for data plane storage
  • Recovery Procedures: Documented procedures for rapid recovery from incidents

Security Best Practices

Recommendations for Customers

  1. Enable SSO: Use single sign-on with your identity provider for centralized authentication
  2. Implement Least Privilege: Grant users only the minimum permissions required for their role
  3. Regular Access Reviews: Periodically review and audit user access and permissions
  4. Enable Audit Logging: Monitor audit logs regularly for suspicious activities
  5. Use Secret Management: Store sensitive credentials in secret managers, not in code
  6. Network Segmentation: Deploy Truefoundry in isolated network segments when possible
  7. Regular Updates: Keep Truefoundry components updated to the latest versions
  8. Enable Guardrails: Use content safety guardrails for AI Gateway deployments

Security Reporting

Vulnerability Reporting

If you discover a security vulnerability, please report it responsibly:
  • Security Contact: Report vulnerabilities to security@truefoundry.com
  • Responsible Disclosure: We follow responsible disclosure practices
  • Response Time: We aim to respond to security reports within 48 hours

Security Updates

  • Security Advisories: Published on trust.truefoundry.com
  • Release Notes: Security updates included in platform release notes
  • Notifications: Security-critical updates communicated to customers

Data Privacy

Privacy Controls

  • Data Minimization: Only collect and process data necessary for platform operation
  • User Data Control: Users can manage their own data and access permissions
  • Data Retention: Configurable data retention policies
  • Right to Deletion: Support for data deletion requests in compliance with privacy regulations

GDPR Compliance

Truefoundry is GDPR compliant and provides:
  • Data Subject Rights: Support for data access, rectification, and deletion requests
  • Privacy by Design: Privacy considerations built into platform architecture
  • Data Processing Agreements: Standard data processing agreements available
  • Privacy Policy: Comprehensive privacy policy available on our website

Third-Party Security

Vendor Security

  • Security Assessments: Regular security assessments of third-party vendors and integrations
  • Secure Integrations: All integrations use secure authentication and encryption
  • Vendor Monitoring: Continuous monitoring of vendor security practices

Integration Security

  • OAuth 2.0: Secure OAuth-based integrations with cloud providers
  • API Security: All API integrations use secure authentication methods
  • Credential Management: Secure storage and rotation of third-party credentials

Additional Resources

Security is a shared responsibility. While Truefoundry provides secure infrastructure and platform features, customers are responsible for securing their applications, data, and access controls within their environment.