Security & Compliance

Protect your data and meet regulatory requirements with enterprise-grade security features and compliance controls.

Overview

Security is foundational to our platform. We provide comprehensive security controls that protect your data, authenticate users, and ensure compliance with industry regulations.

This section covers:

• Authentication & Authorization - Secure access control and identity management
• SSO Integration - Single sign-on with your identity provider
• Data Privacy - How we protect and handle your sensitive information
• Compliance - Regulatory standards and certifications
• Security Best Practices - Guidance for secure deployment and operation

Core Security Principles

1. Defense in Depth

Multiple layers of security controls protect your data:

• Network security and encryption
• Application-level access controls
• Data encryption at rest and in transit
• Regular security audits and monitoring

2. Least Privilege Access

Users and services operate with minimal necessary permissions:

• Role-based access control (RBAC)
• Fine-grained permissions
• Regular access reviews
• Automatic permission expiration options

3. Data Sovereignty

Control where your data resides:

• Regional data hosting options
• Data residency guarantees
• No cross-border data transfers without consent
• Customer-controlled encryption keys (Enterprise)

4. Transparency

Clear visibility into security practices:

• Open security documentation
• Audit logs for all access
• Incident notification procedures
• Regular security reports

Security Topics

Authentication & Authorization

Control who can access your agents and data with robust authentication and authorization mechanisms.

Key Features:

• Multi-factor authentication (MFA)
• Role-based access control (RBAC)
• API key management
• Session management and timeout
• OAuth 2.0 support

Learn About:

• Setting up MFA for your organization
• Defining roles and permissions
• Managing service accounts
• Integrating with identity providers

---

SSO Integration

Enable Single Sign-On (SSO) to streamline authentication and improve security.

Supported Providers:

• Okta
• Azure AD / Microsoft Entra
• Google Workspace
• OneLogin
• Auth0
• SAML 2.0 (generic)
• OIDC (generic)

Benefits:

• Centralized user management
• Enforced authentication policies
• Reduced password fatigue
• Automatic user provisioning/de-provisioning
• Audit trail integration

---

Data Privacy

Understand how we collect, process, store, and protect your data.

Topics Covered:

• Data collection and usage
• Data retention policies
• Right to access and deletion (GDPR)
• PII detection and handling
• Data encryption standards
• Third-party data sharing (or lack thereof)

Key Commitments:

• Your data is never used to train models for other customers
• No selling or sharing of customer data
• Encryption at rest and in transit
• Secure data deletion procedures

---

Compliance

Meet regulatory requirements with our compliance certifications and controls.

Standards & Certifications:

• SOC 2 Type II
• GDPR (EU General Data Protection Regulation)
• CCPA (California Consumer Privacy Act)
• HIPAA (Healthcare - Enterprise tier)
• ISO 27001 (Enterprise tier)

Compliance Features:

• Data processing agreements (DPA)
• Business associate agreements (BAA) for HIPAA
• Audit logs and reporting
• Data residency controls
• Subprocessor management

---

Security Best Practices

Practical guidance for deploying and operating the platform securely.

Organization-Level:

• Enforce MFA for all users
• Regular access reviews
• Security training for administrators
• Incident response planning

Agent-Level:

• Minimize data exposure in prompts
• Use appropriate access controls
• Implement content filtering
• Monitor for anomalous behavior

Integration-Level:

• Secure API key storage
• Rotate credentials regularly
• Validate webhook signatures
• Use environment-specific keys

---

Security Architecture

Data Flow Security

User Request
    ↓ [TLS 1.3]
Load Balancer
    ↓ [Internal Network]
API Gateway [Auth Check]
    ↓ [Internal Network]
Application Layer [Authorization Check]
    ↓ [Encrypted Connection]
Database [Encrypted at Rest]

Encryption Standards

• In Transit: TLS 1.3 for all connections
• At Rest: AES-256 encryption for stored data
• Keys: HSM-backed key management (Enterprise)
• Backups: Encrypted with separate keys

Network Security

• Private network isolation
• DDoS protection
• Rate limiting and throttling
• IP allowlisting (Enterprise)
• VPN access options (Enterprise)

Access Control Model

User Roles

Pre-defined roles with appropriate permissions:

• Admin: Full organizational control
• Manager: Agent and user management
• Member: Agent usage and creation
• Viewer: Read-only access
• Custom Roles: Define your own (Enterprise)

See User Permissions & Roles for details.

Agent-Level Permissions

Control access at the agent level:

• Private agents (creator only)
• Team agents (specific groups)
• Organization-wide agents
• Public agents (Agent Hub)

See Agent Permissions & Access Control for details.

Data-Level Security

Control data access granularly:

• Source-level permissions
• Document-level access control
• Query-time permission filtering
• Metadata-based access rules

Incident Response

Our Commitment

In the event of a security incident:

• Detection: 24/7 monitoring and alerting
• Response: Immediate investigation and containment
• Communication: Timely notification to affected customers
• Resolution: Root cause analysis and remediation
• Prevention: Implementation of preventive measures

Your Responsibilities

Help maintain security:

• Report suspected security issues immediately
• Monitor audit logs for anomalies
• Keep credentials secure
• Train users on security best practices
• Follow your organization's security policies

Reporting Security Issues

If you discover a security vulnerability:

• Email: security@twig.ai
• Use our responsible disclosure process
• Do not publicly disclose until we've addressed it
• We'll acknowledge within 24 hours

Audit & Monitoring

Audit Logs

Comprehensive logging of security-relevant events:

• User authentication and access
• Permission changes
• Data access and modifications
• Configuration changes
• API usage

Access audit logs via:

• Analytics Dashboard
• Developer API
• SIEM integration (Enterprise)

Monitoring & Alerts

Set up alerts for:

• Failed authentication attempts
• Unusual access patterns
• Permission changes
• Data export activities
• API key usage

Configure in Administration Settings.

Compliance Resources

Documentation

• Security whitepaper
• Compliance certifications
• Data processing agreement (DPA)
• Business associate agreement (BAA)
• Subprocessor list

Assessments

Request for Enterprise customers:

• Security questionnaire responses
• SOC 2 reports
• Penetration test results
• Compliance audit reports

Professional Services

Enterprise support includes:

• Security architecture review
• Compliance implementation guidance
• Custom security controls
• Dedicated security contact

Industry-Specific Security

Healthcare (HIPAA)

• Business associate agreements
• PHI handling and encryption
• Access controls and audit logs
• Breach notification procedures

See Compliance for HIPAA-specific guidance.

Financial Services

• SOC 2 Type II compliance
• Data residency controls
• Enhanced audit logging
• Penetration testing

Government

• FedRAMP considerations (Enterprise)
• Data sovereignty requirements
• Enhanced security controls

Security FAQ

Q: Is my data used to train AI models? A: No. Your data is never used to train models for other customers or purposes.

Q: Where is my data stored? A: Data is stored in secure cloud facilities. Enterprise customers can choose specific regions.

Q: Can I export my data? A: Yes. You can export all your data at any time. See Data Privacy.

Q: Do you support private cloud or on-premises deployment? A: Yes, for Enterprise customers. Contact sales for details.

Q: How do you handle data breaches? A: We follow industry-standard incident response procedures and notify affected customers promptly.

Next Steps

For New Customers

1. Review Authentication & Authorization
2. Set up SSO Integration if needed
3. Read Data Privacy to understand data handling
4. Implement Security Best Practices

For Compliance Teams

1. Review Compliance certifications
2. Request security documentation
3. Schedule compliance review call
4. Execute data processing agreement

For Administrators

1. Configure User Permissions
2. Set up Agent Access Control
3. Enable audit logging
4. Set up security alerts

For Developers

1. Secure API key management (Authentication Guide)
2. Implement webhook signature verification
3. Follow secure coding practices
4. Review API security best practices

Support & Contact

• Security Questions: security@twig.ai
• Compliance Inquiries: compliance@twig.ai
• General Support: support@twig.ai
• Security Vulnerability Reports: security@twig.ai (responsible disclosure)

For urgent security matters, contact your customer success manager or enterprise support directly.

---

Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the ask query parameter:

GET /dev/product/security.md?ask=<question>

The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.