Security & Compliance
Scrutari’s Trust Center details the architectural decisions, compliance frameworks, and operational controls that protect our customers’ most sensitive data. Our security posture is not bolted on — it is compiled in.
The “Rust = Trust” Architecture
The foundation of Scrutari’s security posture is our decision to build the entire system — edge inference engine, cloud services, API layer, and even this website — in Rust.
Memory safety and freedom from data races in safe Rust are not aspirational targets: the compiler enforces them. Microsoft and the Chromium project have each reported that roughly 70% of the serious security bugs in their large C/C++ codebases are memory safety issues (buffer overflows, use-after-free, and similar). Building in Rust removes those classes of defect from our safe code before a single line reaches production. The guarantee has boundaries a reviewer should know: it does not cover code inside unsafe blocks, foreign-function calls into C libraries, or third-party crates that use either, and it says nothing about logic, authorization, or injection flaws, which require separate controls.
This is the same memory-safe standard being adopted by the aerospace industry, the Linux kernel, and the United States Department of Defense for safety-critical systems.
API Security — Principle of Minimal Exposure
Every API endpoint in the Scrutari ecosystem, whether REST, FHIR, or internal service mesh, is designed according to the Principle of Minimal Exposure. Each endpoint has its own strictly typed response that carries only the fields the consuming operation needs, so a handler cannot return a field it was never meant to expose. This addresses the excessive data exposure weakness from the OWASP API Security Top 10 at the type level, rather than relying on runtime filtering of a full record.
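As an added illustration of the type-level approach (example code written for this page, not Scrutari's own), the following Rust defines an internal claim record that carries PHI and a separate response type for a hypothetical claims-review endpoint. The handler's return type is the response struct, so the PHI fields have no path into the body; the Ssn newtype additionally implements neither Display nor Debug, so formatting it into a log line or error message is a compile error rather than a runtime leak. The names, the endpoint, and the sample record are assumptions, and the hand-written JSON writer stands in for serde so the example needs no dependencies.

```rust
use std::fmt;

/// Newtype for a Social Security Number. It deliberately implements neither Display nor
/// Debug, so `format!("{}", ssn)` or `{:?}` fails to compile: PHI cannot reach a log line
/// or a response body by accident. (Example code, not Scrutari's; names are assumptions.)
#[allow(dead_code)]
struct Ssn(String);

/// Internal claim record (constructed example): everything the service knows, PHI included.
#[allow(dead_code)]
struct ClaimRecord {
    claim_id: String,
    patient_name: String,
    patient_ssn: Ssn,
    diagnosis_codes: Vec<String>,
    amount_cents: u64,
    anomaly_score_bp: u32, // basis points, 0..=10000
}

/// Response type for a hypothetical GET /claims/{id}/review endpoint. The struct is the
/// contract: fields the reviewer does not need do not exist here, so nothing can emit them.
struct ClaimReviewSummary {
    claim_id: String,
    amount_cents: u64,
    anomaly_score_bp: u32,
}

impl From<&ClaimRecord> for ClaimReviewSummary {
    fn from(r: &ClaimRecord) -> Self {
        ClaimReviewSummary { claim_id: r.claim_id.clone(), amount_cents: r.amount_cents, anomaly_score_bp: r.anomaly_score_bp }
    }
}

/// Minimal JSON string escaping so the example needs no serde; a real service would derive
/// Serialize on the response type, and only on the response type.
fn json_str(s: &str) -> String {
    let mut out = String::from("\"");
    for c in s.chars() {
        match c {
            '"' => out.push_str("\\\""),
            '\\' => out.push_str("\\\\"),
            c if (c as u32) < 0x20 => out.push_str(&format!("\\u{:04x}", c as u32)),
            c => out.push(c),
        }
    }
    out.push('"');
    out
}

impl fmt::Display for ClaimReviewSummary {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "{{\"claim_id\":{},\"amount_cents\":{},\"anomaly_score_bp\":{}}}",
               json_str(&self.claim_id), self.amount_cents, self.anomaly_score_bp)
    }
}

/// The handler: its return type, not a runtime filter, bounds what can leave the service.
fn review_handler(record: &ClaimRecord) -> ClaimReviewSummary {
    ClaimReviewSummary::from(record)
}

/// Constructed sample input.
fn sample_record() -> ClaimRecord {
    ClaimRecord {
        claim_id: "CLM-2024-000731".to_string(),
        patient_name: "Jane Example".to_string(),
        patient_ssn: Ssn("123-45-6789".to_string()),
        diagnosis_codes: vec!["E11.9".to_string(), "I10".to_string()],
        amount_cents: 184_250,
        anomaly_score_bp: 9_120,
    }
}

fn main() {
    let body = review_handler(&sample_record()).to_string();
    println!("{}", body); // {"claim_id":"CLM-2024-000731","amount_cents":184250,"anomaly_score_bp":9120}
    assert!(!body.contains("123-45-6789") && !body.contains("Jane"));
}
```

Compare this with the common anti-pattern of serializing the internal record and filtering fields afterwards: there, a column newly added to the record is exposed by default, whereas here it stays hidden until someone deliberately adds it to the response type.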
AI Governance & Agent Provenance
Every decision made by a Scrutari AI system is recorded in an immutable, cryptographically signed audit trail. We call this Agent Provenance — the ability to trace any AI output back through the complete chain of inference, data, and model that produced it.
Immutable Logs
Every anomaly detection, every claims analysis, and every alert generated by our systems is recorded with a cryptographic hash, timestamp, model version, confidence score, and input metadata. Logs are append-only: an entry, once written, is never updated or deleted, and any attempt to alter or remove one is detectable.
Explainability
For regulated industries, every AI decision is accompanied by human-readable explanations. Auditors and regulators can inspect the reasoning chain, input data, and decision boundary that produced any given output.
Model Versioning
All deployed models are versioned, signed, and tracked. Over-the-air model updates include automatic rollback capability. We maintain a full history of every model version that has ever been deployed to any site.
Tamper Evidence
Edge devices maintain local append-only logs with cryptographic chaining: each entry's hash covers the hash of the entry before it, so altering, reordering, or removing a record breaks every link after it. Any such tampering is detected during synchronization with central systems.
Compliance Frameworks
Scrutari AI aligns with the following industry-standard frameworks and is actively pursuing formal certification or attestation where the framework provides for one:
HIPAA
Status: Compliant. Full compliance with the HIPAA Administrative Simplification provisions (the Privacy, Security, and Breach Notification Rules) for all healthcare data processing. Business Associate Agreements executed with all covered entities.
SOC 2 Type II
Status: In progress. Actively pursuing a SOC 2 Type II attestation report covering the Security, Availability, and Confidentiality Trust Services Criteria. Architecture designed to SOC 2 requirements from inception.
ISO/IEC 27001:2022
Status: Aligned. Information security management system aligned with ISO/IEC 27001:2022, including the Annex A controls introduced in the 2022 revision, such as information security for the use of cloud services.
FCPA
Status: Compliant. Strict compliance with the U.S. Foreign Corrupt Practices Act across all international operations, with zero-tolerance anti-corruption policies governing all supplier and partner relationships.
For questions about our compliance posture or to request documentation for procurement review, contact our security team at security@scrutari.ai.
Zero Trust & Encryption
Scrutari adopts a Zero Trust security model: no device, user, or service is inherently trusted, regardless of network location. Every request is authenticated, authorized, and encrypted.
Security Inquiry or Vulnerability Report
For security inquiries, procurement questionnaires, or to report a potential vulnerability, contact our security team directly.
SCRUTARI AI LLC • Nashville, Tennessee • United States