Security
Your data is secure, private, and stays yours.
Amass handles research data for pharma companies, VC investors, and clinical teams operating in regulated environments. Security isn't a feature — it's the foundation.
Infrastructure
Built on enterprise cloud infrastructure, hosted in the EU
Every component of the Amass stack runs on enterprise cloud infrastructure deployed in EU regions. Your data never leaves the EU unless you explicitly request it.
Managed Kubernetes
Container orchestration with enterprise-grade SLAs, private networking, and automatic failover.
Enterprise model providers
Third-party model providers we use are contractually prevented from retaining or training on your data. Enterprise data processing terms apply by default.
Hardware-backed secrets + managed PostgreSQL
Hardware-backed secrets management and a managed relational database with encryption at rest and in transit throughout.
Single-tenant and bring-your-own-cloud deployments available for stricter isolation requirements.
Data Privacy
Your queries never touch a training pipeline.
Customer data — including queries, documents, results and outputs — is never used to train, fine-tune, or improve AI models. This applies to Amass models and to any third-party model providers we use. It is a contractual commitment, not a setting.
Amass keeps retrieval and generation separate. Private data is retrieved from the customer's authorised index, then used only within the isolated context of the specific request. It is not used for public web search, cross-customer learning, or model training.
This allows Amass to use the best available enterprise model infrastructure while keeping customer data protected under the same security and data-use commitments.
- Tenant isolation — your data index is never co-mingled with other customers
- No public indexing — your documents are never surfaced to other users or search engines
- Right to deletion — request log deletion at any time
- Usage logs only for operational monitoring — not analytics, not training
Access Control
Enterprise-grade identity and permissions
Amass integrates with your existing identity provider and enforces role-based access at the dataset and tenant level.
SSO
SAML, OIDC, SCIM via Microsoft Entra ID or your IdP
RBAC
Role-based access control per dataset and workspace
MFA
Multi-factor authentication required on every account
Just-in-time provisioning
Users are provisioned and deprovisioned automatically
Audit logging
Full audit trail of queries, exports, and admin actions
Per-tenant isolation
No cross-tenant data access, ever
Certifications & Compliance
Operating to certification standards. Certifications in progress.
Several pharma companies and VC firms have approved Amass based on our actual controls, architecture, and policies — not waiting for the certificate. Here's where we stand.
ISO 27001
~6 months
Controls fully mapped. Formal certification in progress (est. ~6 months). Right-to-audit provisions available now.
SOC 2 Type II
~12 months
Controls fully mapped. Formal certification in progress (est. ~12 months). Security questionnaires answered under NDA.
NIS2-aligned
Active
Governance and incident response aligned to NIS2 requirements. EU-hosted infrastructure supports national regulatory requirements.
Have an infosec team that needs more detail? We share architecture documentation, security questionnaires, and right-to-audit provisions under NDA.
Request security documentation
Infrastructure Partners
Enterprise partnerships, not consumer agreements
All third-party infrastructure operates under enterprise terms with contractual data processing agreements.
Have questions about security?
Our team has answered infosec questionnaires for pharma procurement teams and institutional investors. We're happy to go deeper.