Trust & Security

01

Data Residency

All Olbrain customer data is stored, processed, and accessed within India. No egress, no offshore replication.

• In ProgressGoogle Cloud Mumbai — primary region asia-south1; all customer data resident in India.
• In ProgressSub-processor inventory with India-residency commitments documented.
• In ProgressDPDP Act 2023 alignment in data handling, consent, and data principal rights.
• In ProgressFormal data residency attestation document available to customers on request.

02

Architecture & Tenant Isolation

Customer data is logically segregated; no cross-tenant exposure in storage, prompt context, or audit surfaces.

• In ProgressPer-tenant data isolation — logical separation enforced at storage, application, and AI inference layers.
• In ProgressCross-tenant data exposure controls validated through architectural review.
• In ProgressCustomer-managed encryption keys (CMEK / KMS) for regulated workloads.
• In ProgressCryptographic decision traceability via the CNE Protocol — every agent action linked to its identity, rationale, and decision chain.

03

Access Control

Least-privilege access by default. Privileged operations require strong authentication and are reviewed quarterly.

• In ProgressRole-Based Access Control (RBAC) for all admin and operator surfaces.
• In ProgressMulti-Factor Authentication (MFA) required for all privileged access.
• In ProgressJust-in-time access for production support; no standing access to customer data.
• In ProgressQuarterly access reviews; automated revocation on role change.

04

Data Protection

Encryption everywhere. PII detection by default. Customer data is never used to train models.

• In ProgressTLS 1.3 in transit; AES-256 at rest via Google Cloud's default encryption.
• In ProgressPII detection with 16+ India-specific patterns — flagged and redacted by default in agent input/output.
• In ProgressNo customer data used to train base models or fine-tunes — contractual and architectural commitment.
• In ProgressSecure data deletion on contract termination, with certificate of purging.

05

Audit & Logging

Every transaction, every decision, every administrative action is logged. The audit trail is the moat.

• In ProgressAll agent transactions, admin actions, and data access events logged.
• In ProgressImmutable audit trail anchored by the CNE Protocol — cryptographic chain of custody for agent decisions.
• In ProgressConfigurable retention — default 7 years for regulated industries (BFSI, healthcare).
• In ProgressCustomer-readable audit feed via API for in-house monitoring and compliance teams.

06

AI-Specific Controls

The risks unique to AI agents — prompt injection, hallucination, training drift, cross-tenant prompt leakage — treated as first-class engineering concerns.

• In ProgressPII detection enforced in all agent input/output paths.
• In ProgressProhibition on using customer data for model training, fine-tuning, or evaluation.
• In ProgressPrompt injection defenses — input sanitization, content filters, and instruction-set isolation.
• In ProgressHallucination guardrails — retrieval grounding for factual claims, refusal scaffolding for low-confidence answers.
• In ProgressHuman-in-the-loop escalation for sensitive operations (financial, legal, healthcare).
• In ProgressAI change management — model upgrades, guardrail changes, and prompt updates require customer notification with diff documentation.

07

Incident Response

Defined detection, classification, response, and customer-notification process. Reachable 24×7 for critical incidents.

• In ProgressInformation Security Officer appointed; incident response RACI documented.
• In Progress24×7 incident reporting via security@olbrain.com with severity-based intake.
• In ProgressSeverity-based response SLAs:
· Critical: 1-hour acknowledgment, 4-hour engagement
· High: 4-hour acknowledgment
· Medium / Low: 1 business day
• In ProgressCustomer notification timelines aligned to regulatory requirements (DPDP, RBI, sector-specific).

08

Compliance & Certifications

Targets are fixed and engagements are underway. We publish progress, not just intentions.

• In ProgressDPDP Act 2023 — alignment in data handling, consent, and principal rights.
• In ProgressISO/IEC 27001:2022 certification — engagement in selection phase; target Q4 2026.
• In ProgressSOC 2 Type II report — observation window starting Q4 2026; target report Q2 2027.
• In ProgressVA / Penetration Testing by independent third party — target Q3 2026.
• In ProgressSource code security review — target Q3 2026.
• In ProgressBCP / DR testing report with documented RTO and RPO — target Q4 2026.

09

Information Security Governance

Named ownership, defined organizational structure, and a documented policy stack.

• In ProgressInformation Security Officer appointed with documented charter.
• In ProgressISMS organizational structure with security committee and incident response team.
• In ProgressDocumented roles and responsibilities for engineering, operations, customer success, and leadership.
• In ProgressFull policy stack — 17 policies including Information Security, Incident Management, BCP, User Access (incl. privileged), HR Security, Network, Anti-Malware, Patch Management, Logging, Backup, Secure SDLC, Media Handling, Physical Security, DPDP-aligned Privacy, Retention, Acceptable Use, and AI Usage & Data Ethics.

10

Customer Commitments in MSA

Standard contracts include the data, AI, third-party, and exit obligations enterprise customers expect.

• In ProgressData protection & privacy — purpose limitation, confidentiality undertakings, data ownership in customer's favor, prohibition of secondary use, data localization, lawful data principal rights support, secure deletion, indemnification.
• In ProgressAI-specific controls — approved AI workflow governance, AI DFDs, prompt injection / hallucination guardrails, no model training on customer data, no cross-tenant exposure, AI change management.
• In ProgressThird-party / outsourcing — subcontracting restrictions, sub-processor approval, flow-down of security obligations, accountability, SLA monitoring.
• In ProgressExit strategy — secure data return, residual data deletion, certificate of purging, orderly transition support.

11

Legal Entity & Data Controller

Indian customer data is held by an Indian operating entity. The US parent does not access, store, or process Indian customer data.

• In ProgressData Controller (India): Olbrain Labs Pvt Ltd — an Indian private limited company headquartered in Gurgaon, India. Olbrain Labs Pvt Ltd is the contracting party for Indian enterprise customers and the controller of all Indian customer data.
• In ProgressParent Entity: Olbrain Inc. — a Delaware C-corporation, USA. Olbrain Labs Pvt Ltd is a wholly-owned subsidiary. Olbrain Inc. does not access, process, or store Indian customer data; this is enforced contractually and architecturally.
• In ProgressMSA Counter-party: all customer agreements with Indian enterprises are signed by Olbrain Labs Pvt Ltd.
• In ProgressEntity verification documents (CoI, GST, PAN, bank details) available to procurement teams on request.

Building the security posture enterprises require.