Trust & security
Security at Intended.
Security is not a feature we added -- it is how Intended is built. Every layer of the platform is designed around fail-closed enforcement, cryptographic integrity, and zero-trust principles.
Infrastructure
Built on hardened infrastructure.
AWS with SOC 2 Type II
All infrastructure runs on AWS with SOC 2 Type II certified services. Multi-region deployment available for Enterprise customers.
Encryption everywhere
All data is encrypted at rest with AES-256-GCM and in transit with TLS 1.3. No exceptions.
Tenant isolation
Per-tenant isolation ensures your data is never commingled with other customers. Separate encryption keys per security domain.
Authentication
Identity verification you can trust.
Multi-factor authentication
TOTP, email verification, and recovery codes. Brute-force protection with progressive delays.
Enterprise SSO
SAML 2.0 and OIDC integration for Enterprise customers. Session management with automatic expiry and device binding.
Role-based access control
Four permission levels with granular control over who can create policies, approve escalations, and export audit data.
Audit trail
Tamper-evident records for every decision.
Append-only ledger
Every decision is recorded in a tamper-evident, append-only ledger with serialized writes to prevent chain forking.
Cryptographic receipts
Each decision produces a verifiable receipt that can be independently validated without access to the Intended platform.
Evidence export
Exportable evidence bundles for auditors and regulators. Complete chain of custody from intent to execution.
Data protection
Defense in depth for sensitive data.
Key management
Separate encryption keys per security domain. Key derivation using HKDF (NIST SP 800-56C). No hardcoded secrets -- all credentials are required at startup.
Password security
Password hashing with scrypt (N=65536, r=8, p=1). Meets or exceeds OWASP recommendations.
Compliance
Mapped to the frameworks you need.
SOC 2 Type II
In progress. Report available under NDA for Enterprise customers. Penetration test summary available on request.
GDPR & CCPA
Fully compliant with GDPR and CCPA/CPRA. Data Processing Agreement available.
HIPAA & FedRAMP
HIPAA compatible with BAA available for Enterprise. FedRAMP path available for government customers.
Vulnerability management
Proactive security testing.
Penetration testing
Annual third-party penetration testing with results reviewed and remediated within 30 days.
Responsible disclosure
Security issues can be reported to security@intended.so. 90-day coordinated disclosure timeline. Bug bounty program coming soon.
Have security questions?
We are happy to discuss our security practices, provide documentation for your procurement process, or answer specific questions about how we protect your data.