Security

Security overview

Howzer is designed for organizations that handle sensitive customer data. This page outlines the security architecture, data protection controls, and compliance posture of the platform.

Data protection

How customer data is handled from the moment it enters the system.

PII redaction at ingest

Personal information (names, addresses, phone numbers, email addresses) is automatically detected and redacted before any analysis takes place. The original text is never stored in plaintext.

Encryption in transit and at rest

All data is encrypted using TLS 1.2+ in transit. At rest, data is encrypted using AES-256 with customer-managed keys where supported (e.g. Azure Key Vault).

Data residency

For self-hosted deployments, all data stays within your own infrastructure. For the upcoming SaaS offering, data processing is region-pinned. Data never leaves the selected region.

Retention and deletion

You define your own data retention windows. Automated deletion workflows ensure data is removed on schedule. Manual deletion is available at any time.

No internet egress

Self-hosted deployments operate with zero internet egress by default. All processing, storage, and model inference happens inside your private network.

Access controls

Who can access what, and how that's enforced.

Single Sign-On

Microsoft Entra ID (Azure AD) via OIDC and SAML. SCIM-based user and group provisioning with just-in-time access.

Role-based access

Granular roles at project, dataset, and action level. Approval chains and 4-eyes principle for sensitive operations.

Audit logging

Every action, approval, policy change, and AI-generated response is logged immutably. Logs can be exported to your SIEM.

Secrets management

Customer-managed encryption keys. Per-environment secrets rotation. Integration with Azure Key Vault and similar services.

Deployment security

Infrastructure-level protections for self-hosted and upcoming SaaS deployments.

Containerized deployment

Runs on Kubernetes with standard container images. No privileged containers. Read-only root filesystems where possible.

Network isolation

Private VNet/VPC deployment with allow-list networking. Connectors run inside your network boundary. No public endpoints required.

AI models run locally

All language models and analysis models run within your infrastructure. No data is sent to external AI providers.

Supply chain

Container images are signed and scanned. Dependencies are pinned and audited. Base images are updated on a regular cadence.

Compliance

Current certifications and what's on the roadmap.

GDPR compliant, SOC 2 (in progress), ISO 27001 (roadmap), DPIA support available

Legal & procurement documents

We provide DPA templates (including SCCs), MSA templates, sub-processor lists, data flow diagrams, and DPIA notes to support your security review process.