Security & Compliance

Your Data is a First-Class Asset. We Treat It That Way.

BazzAI is built with enterprise-grade security controls at every layer — from data ingestion to LLM inference.

Security Controls

Data Encrypted at Rest & In Transit

All data is encrypted using AES-256 at rest and TLS 1.3 in transit. No unencrypted channels are permitted at any layer of the stack.

GDPR & Kenya DPA Compliant

We maintain full compliance with the EU GDPR and Kenya's Data Protection Act (2019). Data subject rights are honoured within 72 hours.

Zero-Retention LLM Policy

Prompts and completions sent to third-party LLMs (OpenAI, Anthropic) are processed under zero-retention agreements — your data never trains public models.

Private Deployment Available

For highly regulated sectors (healthcare, legal, finance), we offer self-hosted LLM deployment on your own VPC using open-source models (Llama 3, Mistral).

SOC 2 Ready Architecture

All platform controls are designed to meet the SOC 2 Type II trust criteria: Security, Availability, Confidentiality, and Processing Integrity. A full audit trail is maintained via structured logs.

Multi-Tenant Isolation

Each client environment is strictly isolated at the database and vector store level. No cross-tenant data access is architecturally possible.

Data Flow Architecture

1. Your Data Sources: APIs, DBs, Files
2. Encrypted Ingestion: TLS 1.3 in transit
3. Isolated Pipeline: Per-client environment
4. Zero-Retention LLM: No training on your data
5. Your Outputs: Alerts, Reports, Actions

All data is processed in your designated region and encrypted at rest with AES-256.

Security Questions, Answered

Does BazzAI access our internal documents or databases?

Only the data you explicitly connect to the pipeline — typically via read-only API credentials or secure SFTP. We never require write access unless the workflow demands it, and even then it is scoped to specific collections.

Where is our data stored geographically?

By default, compute runs in your preferred region (EU, US, or Africa/Nairobi). We can enforce data residency requirements and provide a written Data Processing Agreement (DPA) for regulated workloads.

What happens to our data if we terminate?

Upon termination, all client data is purged from our systems within 30 days. You receive a signed data deletion confirmation and full export of your workflow configurations.

Can we conduct a security audit before signing?

Yes. Enterprise clients may request a security questionnaire, architecture review, and penetration test evidence as part of the sales process at no additional cost.

Request a Security Questionnaire

Enterprise clients can request our full security package — architecture diagrams, DPA template, and penetration test evidence.
