RoboExpress runs against the following 18 controls. Each control is operating today on every customer deployment. Not aspirational, not roadmapped, not configurable down.
01. Per-user authentication
Every user has a unique account. No shared logins, no service accounts used as user accounts. SSO via SAML 2.0 or OIDC for enterprise customers.
02. Mandatory two-factor authentication
2FA via TOTP authenticator apps. Required at first login and on every login from a new device. Cannot be disabled by user or by tenant administrator.
03. Role-based access control
Configurable role definitions per tenant. Standard roles: viewer, processor, approver, administrator. Each role maps to specific document types, workflows, and posting permissions.
04. Session management
Configurable session timeout per tenant (default 30 minutes idle). Sessions invalidated on password change or admin revocation. No persistent tokens that survive a password reset.
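One way to implement the three session rules above (idle timeout, invalidation on password change, admin revocation) is a server-side store that stamps each session with the user's credential generation at issue time. This is an added example, not RoboExpress code; the store layout, the timeout constant and the generation counter are assumptions for illustration.

```python
import secrets
from dataclasses import dataclass, field

# Hypothetical session store for control 04. The default idle timeout is the
# page's 30 minutes; a real deployment would load this per tenant.
IDLE_TIMEOUT_SECONDS = 30 * 60


@dataclass
class Session:
    user: str
    cred_gen: int      # credential generation the session was issued under
    last_seen: float   # timestamp (seconds) of the last validated request


@dataclass
class SessionStore:
    sessions: dict = field(default_factory=dict)   # token -> Session
    cred_gen: dict = field(default_factory=dict)   # user -> current generation

    def issue(self, user: str, now: float) -> str:
        token = secrets.token_urlsafe(32)          # opaque, unguessable id
        self.sessions[token] = Session(user, self.cred_gen.get(user, 0), now)
        return token

    def validate(self, token: str, now: float) -> bool:
        s = self.sessions.get(token)
        if s is None:
            return False
        # Idle timeout: drop the session when the gap since the last request is too long.
        if now - s.last_seen > IDLE_TIMEOUT_SECONDS:
            del self.sessions[token]
            return False
        # A password change bumps the user's generation; older sessions no longer match,
        # so no token issued before the reset survives it.
        if s.cred_gen != self.cred_gen.get(s.user, 0):
            del self.sessions[token]
            return False
        s.last_seen = now
        return True

    def change_password(self, user: str) -> None:
        # Rotating the generation invalidates every session issued before the change.
        self.cred_gen[user] = self.cred_gen.get(user, 0) + 1

    def admin_revoke(self, user: str) -> int:
        # Explicit revocation removes all of the user's live sessions immediately.
        doomed = [t for t, s in self.sessions.items() if s.user == user]
        for t in doomed:
            del self.sessions[t]
        return len(doomed)
```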
05. Encryption in transit
TLS 1.3 for all client connections. No HTTP fallback. HSTS enforced. Inter-service communication within RoboExpress also TLS-encrypted.
06. Encryption at rest
All customer documents encrypted at rest using AES-256. Per-tenant encryption keys with rotation policies. Database-level encryption layered on top.
07. Tenant data isolation
Each customer's documents and extracted data live in a logically isolated tenant scope. No customer ever sees another customer's data, models, or query history.
08. Customer data deletion
Customer data deleted within 30 days of subscription end. Deletion is a hard delete, not a soft delete. Compliance with applicable data residency requirements.
09. Production access control
Only authorised engineers have production access. Access requires MFA-backed VPN plus jump-host plus audited terminal session. All production actions logged.
10. Network security group enforcement
Production environment isolated behind network security groups. Only required ports open. No direct internet exposure of databases or internal services.
11. Production database password discipline
Production database credentials are minimum 25 characters, generated by password manager, rotated quarterly. Never stored in code, never logged.
12. Build & deployment integrity
Every production build has a unique numbered identifier. QA must clear every release before production. Rollback procedures tested monthly.
13. Customer document isolation in models
Customer documents are never used to train shared models. Tenant-specific learning happens in tenant-scoped fine-tuning artifacts that are not shared with other customers.
14. Prompt injection defence
Documents are processed in sandboxed extraction pipelines that strip executable instructions. Customer documents cannot influence platform behaviour for other customers.
15. Query response grounding
Query Response answers are grounded in cited documents. The system says "I don't know" when documents do not contain the answer rather than confabulating — verified against test sets quarterly.
16. Comprehensive audit trail
Every user action, every document upload, every match decision, every GL posting is logged with timestamp, user, IP, and result. Audit logs are immutable and exportable in standard formats for ingestion into customer SIEM.
17. Quarterly penetration testing
Internal penetration testing every quarter. External penetration testing annually. Findings remediated with tracked follow-up. Reports available under NDA for customer security reviews.
18. Backup & disaster recovery
Customer data backed up minimum three times daily to separate, secured location. Disaster recovery procedures tested quarterly with documented RTO and RPO commitments per customer tier.