Draft — verify before publishing. Answers below marked TODO must be confirmed and signed off by Bioptimus security/compliance. Do not represent certifications not in place.
Data residency & access
Your data stays entirely within your own environment — your AWS account/region for SageMaker, or your hardware for on-premise. Bioptimus does not see your inputs, outputs, or usage.| AWS & SageMaker | On-premise | |
|---|---|---|
| Where inference runs | Your AWS account / region | Your hardware |
| Where data is stored | Your S3 / your account | Your storage |
| Data visible to Bioptimus | None | None |
Telemetry
Indicative telemetry Bioptimus may collect (to be confirmed): disease area / task type, slide volumes, functions called, and crash/bug signals. No slide images, patient data, or model outputs are included. Confirm exact fields, transport, and opt-out.Authentication
The on-premise Model Server REST API currently requires no authentication — secure it via network isolation. SageMaker uses IAM (SigV4-signed requests); Hugging Face access is gated. Auth scheme is being finalized — see API reference.Security questions we address
A checklist of topics enterprise security teams typically raise. Fill each with a verified answer (and attach evidence/questionnaires where available).Data handling & residency
Data handling & residency
Where data is processed and stored; data-flow diagram; whether any data leaves the customer boundary. Answered above; add a formal data-flow diagram. TODO.
Telemetry & logging
Telemetry & logging
What is collected, where logs live, retention, and opt-out. TODO — confirm.
Encryption
Encryption
Encryption in transit (TLS) and at rest; key management. TODO.
Access control & authentication
Access control & authentication
API auth, RBAC, least-privilege IAM guidance. Currently no API auth; TODO finalize.
Certifications & frameworks
Certifications & frameworks
SOC 2 Type II, ISO 27001, HIPAA posture, GDPR. TODO — list only what is in place.
Data retention & deletion
Data retention & deletion
Whether inputs/outputs are retained anywhere, and deletion on request. TODO.
Vulnerability management
Vulnerability management
Patch cadence, dependency scanning, penetration testing, container image scanning. TODO.
Sub-processors & supply chain
Sub-processors & supply chain
Third parties involved (cloud, telemetry), and SBOM for the container. TODO.
Incident response & disclosure
Incident response & disclosure
Incident process, notification timelines, and a security contact / disclosure policy. TODO.
Business continuity
Business continuity
Availability, backups, and support for air-gapped operation. Air-gapped supported; expand. TODO.
Model provenance
Model provenance
Training-data governance, de-identification, and IP/licensing of model outputs. TODO.
Request our security documentation
Contact us for security questionnaires, DPAs, and compliance documentation.