Security & Compliance

Cloakr.ai provides enterprise-grade security and compliance features to protect your data and meet regulatory requirements.

Encryption

End-to-End Encryption

Cloakr.ai uses AES-256-GCM encryption for all data in transit and at rest:

// Client-side encryption
const encryptedData = client.encrypt("sensitive data");
const response = await client.chat({
  model: 'gpt-4o',
  prompt: encryptedData
});

Key Management

AWS KMS Integration

import { CloakrClient, KMSConfig } from '@cloakrai/sdk';

const kmsConfig = new KMSConfig({
  region: 'us-east-1',
  keyId: 'arn:aws:kms:us-east-1:123456789012:key/abcd1234-ef56-7890-abcd-ef1234567890',
  alias: 'cloakr-encryption-key'
});

const client = new CloakrClient({
  apiKey: process.env.CLOAKR_API_KEY,
  encryption: kmsConfig
});

Customer-Managed Keys (BYOK)

const client = new CloakrClient({
  apiKey: process.env.CLOAKR_API_KEY,
  encryption: {
    keyId: process.env.CLOAKR_KEY_ID,
    keyMaterial: process.env.CLOAKR_ENCRYPTION_KEY,
    rotation: true
  }
});

Key Lifecycle

Key Generation: Cryptographically secure random generation
Key Storage: Hardware Security Modules (HSMs) for key storage
Key Rotation: Automatic rotation every 90 days
Key Destruction: Secure deletion when no longer needed

PII Protection

Automatic Detection

Cloakr.ai automatically detects and redacts sensitive information:

Personal Identifiers: Names, SSNs, driver's licenses
Contact Information: Email addresses, phone numbers
Financial Data: Credit card numbers, bank accounts
Medical Information: Health records, insurance numbers
Custom Patterns: Company-specific identifiers

Hybrid Detection Engine

// NER-based detection
const nerDetector = new NERDetector({
  models: ['en_core_web_sm', 'en_core_web_lg'],
  confidence: 0.8
});

// Regex-based detection
const regexDetector = new RegexDetector({
  patterns: [
    /SSN:\s*\d{3}-\d{2}-\d{4}/g,
    /Credit Card:\s*\d{4}-\d{4}-\d{4}-\d{4}/g
  ]
});

// Combined detection
const piiEngine = new PIIEngine({
  detectors: [nerDetector, regexDetector],
  redactionMode: 'replace'
});

Custom Redaction Rules

const customRules = [
  {
    type: 'custom_pattern',
    pattern: /CUSTOMER-\d{6}/g,
    replacement: '[REDACTED_CUSTOMER_ID]'
  },
  {
    type: 'email',
    domains: ['internal.com', 'test.com'],
    replacement: '[REDACTED_EMAIL]'
  },
  {
    type: 'phone',
    countryCode: 'US',
    replacement: '[REDACTED_PHONE]'
  }
];

client.setPIIRedactor(new PIIRedactor({ rules: customRules }));

Data Residency

Regional Deployment

Cloakr.ai supports multiple regions for data residency compliance:

Region	Location	Compliance	Use Case
US East	N. Virginia	SOC 2, HIPAA	Default region
US West	Oregon	SOC 2, HIPAA	West Coast optimization
EU	Frankfurt	GDPR, SOC 2	European data residency
Asia Pacific	Singapore	SOC 2	APAC optimization
India	Mumbai	Local regulations	Indian data residency

Region Selection

const client = new CloakrClient({
  apiKey: process.env.CLOAKR_API_KEY,
  region: 'eu-central-1' // Frankfurt
});

Data Sovereignty

Data Storage: All data stored within selected region
Processing: All processing occurs within selected region
Backup: Backups stored in same region
Deletion: Complete data deletion on request

Audit Logging

Comprehensive Logging

Cloakr.ai maintains detailed audit logs for compliance:

{
  "audit_id": "audit_abc123def456",
  "timestamp": "2024-01-15T10:30:00Z",
  "user_id": "user_123",
  "session_id": "session_456",
  "action": "chat_request",
  "model": "gpt-4o",
  "token_count": 150,
  "processing_time_ms": 1250,
  "encryption_status": "encrypted",
  "pii_redaction": {
    "detected": ["email", "phone_number"],
    "redacted_count": 2
  },
  "compliance_flags": ["gdpr", "hipaa"],
  "hash": "sha256:abc123def456..."
}

Log Categories

Authentication Logs

API key usage
User login/logout
Permission changes
Failed authentication attempts

Data Access Logs

Request details (without sensitive data)
Response metadata
Processing times
Error conditions

Compliance Logs

PII detection events
Data retention events
Export/import activities
Policy violations

Export Capabilities

// Export audit logs
const logs = await client.exportAuditLogs({
  startDate: '2024-01-01',
  endDate: '2024-01-31',
  format: 'csv',
  includeDetails: true
});

// Download logs
const downloadUrl = await client.downloadAuditLogs(logs.id);

Compliance Standards

SOC 2 Type II

Cloakr.ai maintains SOC 2 Type II compliance with annual audits:

Security: Protection against unauthorized access
Availability: System availability and performance
Processing Integrity: Accurate and complete processing
Confidentiality: Protection of confidential information
Privacy: Protection of personal information

Data Subject Rights

// Right to be forgotten
await client.deleteUserData({
  userId: 'user_123',
  dataTypes: ['chat_history', 'personal_info']
});

// Data portability
const userData = await client.exportUserData({
  userId: 'user_123',
  format: 'json'
});

// Consent management
await client.updateConsent({
  userId: 'user_123',
  consentType: 'data_processing',
  granted: true,
  timestamp: new Date()
});

Data Processing Principles

Lawful Basis: Clear legal basis for processing
Purpose Limitation: Processing for specified purposes only
Data Minimization: Minimal data collection
Accuracy: Accurate and up-to-date data
Storage Limitation: Limited retention periods
Integrity and Confidentiality: Secure processing

HIPAA Compliance

For healthcare applications, Cloakr.ai provides HIPAA-compliant features:

const hipaaClient = new CloakrClient({
  apiKey: process.env.CLOAKR_API_KEY,
  compliance: {
    hipaa: true,
    phiDetection: true,
    auditTrail: true
  }
});

PHI Protection

Automatic Detection: Identifies Protected Health Information
Enhanced Encryption: Additional encryption for PHI
Access Controls: Role-based access to PHI
Audit Requirements: Comprehensive PHI audit trail

PCI DSS Compliance

For payment processing applications:

const pciClient = new CloakrClient({
  apiKey: process.env.CLOAKR_API_KEY,
  compliance: {
    pci: true,
    cardDataDetection: true,
    tokenization: true
  }
});

Security Features

Network Security

TLS 1.3: Latest encryption protocols
Perfect Forward Secrecy: Unique session keys
DDoS Protection: Multi-layer protection
WAF: Web Application Firewall
Rate Limiting: Prevents abuse

Infrastructure Security

VPC: Isolated network environments
Security Groups: Network access controls
IAM: Role-based access control
Secrets Management: Secure credential storage
Monitoring: Real-time security monitoring

Application Security

Input Validation: Comprehensive input sanitization
SQL Injection Protection: Parameterized queries
XSS Protection: Content Security Policy
CSRF Protection: Cross-site request forgery prevention
Secure Headers: Security-focused HTTP headers

Incident Response

Security Incident Process

Detection: Automated and manual monitoring
Assessment: Impact and scope evaluation
Containment: Immediate threat mitigation
Eradication: Root cause removal
Recovery: Service restoration
Lessons Learned: Process improvement

Breach Notification

// Automatic breach detection
client.on('security_incident', async (incident) => {
  console.log('Security incident detected:', incident);
  
  // Notify compliance team
  await notifyComplianceTeam(incident);
  
  // Update audit logs
  await logSecurityIncident(incident);
  
  // Customer notification if required
  if (incident.requiresNotification) {
    await notifyCustomers(incident);
  }
});

Compliance Reporting

Automated Reports

// Generate compliance reports
const report = await client.generateComplianceReport({
  period: 'monthly',
  standards: ['soc2', 'gdpr', 'hipaa'],
  format: 'pdf'
});

// Schedule regular reports
await client.scheduleComplianceReport({
  frequency: 'monthly',
  recipients: ['compliance@company.com'],
  standards: ['soc2', 'gdpr']
});

Report Types

SOC 2 Reports: Annual Type II reports
GDPR Reports: Data processing activities
HIPAA Reports: PHI access and usage
Custom Reports: Company-specific requirements

Security Best Practices

API Key Management

// Rotate API keys regularly
const newKey = await client.rotateApiKey({
  currentKey: process.env.CLOAKR_API_KEY,
  expirationDays: 90
});

// Use least privilege principle
const restrictedKey = await client.createApiKey({
  permissions: ['chat:read', 'models:read'],
  expiresAt: '2024-12-31'
});

Data Classification

// Classify data sensitivity
const classification = await client.classifyData({
  content: "Patient medical record for John Doe",
  classification: "PHI"
});

// Apply appropriate controls
const secureClient = new CloakrClient({
  apiKey: process.env.CLOAKR_API_KEY,
  dataClassification: classification.level,
  controls: classification.requiredControls
});

Monitoring and Alerting

// Set up security monitoring
client.on('suspicious_activity', async (activity) => {
  console.log('Suspicious activity detected:', activity);
  
  // Send alert
  await sendSecurityAlert(activity);
  
  // Block if necessary
  if (activity.severity === 'high') {
    await client.blockUser(activity.userId);
  }
});

Next Steps

Guides & Best Practices - Implementation guidance
API Reference - Complete API documentation
SDK Tutorials - Integration examples

Encryption​

End-to-End Encryption​

Key Management​

AWS KMS Integration​

Customer-Managed Keys (BYOK)​

Key Lifecycle​

PII Protection​

Automatic Detection​

Hybrid Detection Engine​

Custom Redaction Rules​

Data Residency​

Regional Deployment​

Region Selection​

Data Sovereignty​

Audit Logging​

Comprehensive Logging​

Log Categories​

Authentication Logs​

Data Access Logs​

Compliance Logs​

Export Capabilities​

Compliance Standards​

SOC 2 Type II​

GDPR Compliance​

Data Subject Rights​

Data Processing Principles​

HIPAA Compliance​

PHI Protection​

PCI DSS Compliance​

Security Features​

Network Security​

Infrastructure Security​

Application Security​

Incident Response​

Security Incident Process​

Breach Notification​

Compliance Reporting​

Automated Reports​

Report Types​

Security Best Practices​

API Key Management​

Data Classification​

Monitoring and Alerting​

Next Steps​