Trust & security

Security at Intended.

Security is not a feature we added -- it is how Intended is built. Every layer of the platform is designed around fail-closed enforcement, cryptographic integrity, and zero-trust principles.

Infrastructure

Built on hardened infrastructure.

AWS with SOC 2 Type II

All infrastructure runs on AWS with SOC 2 Type II certified services. Multi-region deployment available for Enterprise customers.

Encryption everywhere

All data encrypted at rest with AES-256-GCM and in transit with TLS 1.3. No exceptions.

Tenant isolation

Per-tenant isolation ensures your data is never commingled with other customers. Separate encryption keys per security domain.

Authentication

Identity verification you can trust.

Multi-factor authentication

TOTP, email verification, and recovery codes. Brute-force protection with progressive delays.

Enterprise SSO

SAML 2.0 and OIDC integration for Enterprise customers. Session management with automatic expiry and device binding.

Role-based access control

Four permission levels with granular control over who can create policies, approve escalations, and export audit data.

Authorization

Fail-closed by design.

Fail-closed architecture

If anything goes wrong -- network issues, service errors, policy ambiguity -- access is denied. Never fail-open.

Cryptographic signing

Every authority decision is cryptographically signed. Authority Tokens are time-limited with 300-second TTL and single-use nonce protection.

Self-approval prevention

Escalation workflows enforce separation of duties. The person who triggers an action cannot approve it.

MCP tool call authorization

MCP tool calls are evaluated against the same authority engine as direct API calls. Every tool invocation requires a valid authority decision before it reaches the upstream server.

Audit trail

Tamper-evident records for every decision.

Append-only ledger

Every decision is recorded in a tamper-evident, append-only ledger with serialized writes to prevent chain forking.

Cryptographic receipts

Each decision produces a verifiable receipt that can be independently validated without access to the Intended platform.

Evidence export

Exportable evidence bundles for auditors and regulators. Complete chain of custody from intent to execution.

Data protection

Defense in depth for sensitive data.

Key management

Separate encryption keys per security domain. Key derivation using HKDF (NIST SP 800-56C). No hardcoded secrets -- all credentials required at startup.

Password security

Password hashing with scrypt (N=65536, r=8, p=1). Meets or exceeds OWASP recommendations.

Compliance

Mapped to the frameworks you need.

SOC 2 Type I

Pending — auditor engagement in flight, target report H2 2026. System description, control matrix, risk register, and SOP set are drafted and available under NDA. Type II observation begins immediately after Type I issuance.

GDPR & CCPA

Compliant by design — per-tenant data isolation, data-subject access + deletion, exportable evidence. DPA available. Independent counsel review pending; specific attestations are deployment-dependent.

HIPAA

AWS BAA executed; per-tenant data isolation supports HIPAA-compatible deployments. FedRAMP is on the roadmap.

Vulnerability management

Proactive security testing.

Internal security testing

Internal pen-test cycles run on every release with documented remediation. Recent cycle (PT2 series) closed all critical and high-severity findings; reports available under NDA.

Responsible disclosure

Security issues can be reported to security@intended.so. 90-day coordinated disclosure timeline.

Have security questions?

We are happy to discuss our security practices, provide documentation for your procurement process, or answer specific questions about how we protect your data.

security@intended.so