Trust & Security
Transparency about what we do, what we don't do, and what requires further authorization.
Important Disclaimers
- This platform is NOT affiliated with, endorsed by, or connected to the Department of Defense, any military branch, or the Department of Veterans Affairs.
- Do NOT enter classified information, Controlled Unclassified Information (CUI), Protected Health Information (PHI), or Sensitive Personally Identifiable Information (SPII) into this platform.
- This is a commercial demo environment. Enterprise deployments for authorized environments are available separately after security review.
- Agent outputs are AI-generated and may contain errors. Always verify outputs against current doctrine, regulations, and official sources before use.
- This platform does NOT provide legal, medical, financial, or benefits advice. Agent outputs are informational templates only.
Compliance Posture
| Capability | Status | Details |
|---|---|---|
| PII/SPII Redaction | IMPLEMENTED | SSN, DoD ID, MRN, VA file numbers, credit cards, phone, email, addresses, IP addresses |
| Zero-Retention PHI Pipeline | DESIGNED | Architecture enforces zero prompt/response persistence for veteran and healthcare agents |
| Authentication | IMPLEMENTED | Email/password with bcrypt, Google OAuth, GitHub OAuth, role-based admin access |
| FedRAMP High | ARCHITECTURE-READY | Designed for FedRAMP High. Not yet authorized. Enterprise deployments available after security review. |
| HIPAA | ARCHITECTURE-READY | Zero-retention design. No BAA in place for the commercial demo. Enterprise BAAs available. |
| DoD IL2-IL6 | ARCHITECTURE-READY | Supports deployment patterns for IL2-IL6 environments. Requires ATO for classified use. |
| CAC/SSO/SAML | PLANNED | Planned for enterprise tier. Not currently implemented. |
| Iron Bank Containers | PLANNED | Containers designed for Iron Bank submission. Not yet listed in Iron Bank registry. |
Data Handling
- Prompts & responses: Not stored in full. Only SHA-256 hashes of inputs/outputs are logged for audit purposes.
- PII redaction: Active middleware scrubs sensitive data before it reaches inference backends.
- Invocation logs: Agent ID, branch, compliance flag, timestamp, input/output hashes, and user ID.
- Veteran agents: All Category VII agents enforce ZERO_RETENTION_PHI compliance flag.
- Encryption: All data in transit is encrypted via TLS. Database connections use SSL.
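The redaction-then-hash-only-logging flow described in the list above, as an added illustration (this is not the platform's own middleware). The detection patterns cover only a few of the categories the page lists and are constructed for the example; the log field names, the branch and agent identifiers, and the choice to hash the redacted text that was actually sent to the backend (rather than the raw submission) are all assumptions.

```python
import hashlib
import re
from datetime import datetime, timezone

# Constructed detection patterns for some of the categories named on the page
# (credit card, SSN, phone, email, IPv4). A real redactor also needs DoD ID,
# MRN, VA file number and postal-address rules, and tuning against false hits.
PATTERNS = {
    "CARD": re.compile(r"\b(?:\d[ -]?){12,15}\d\b"),     # 13-16 digits, optional separators
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHONE": re.compile(r"\b(?:\+1[ -]?)?\(?\d{3}\)?[ -]?\d{3}-\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "IPV4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so arbitrary 13-16 digit runs are not redacted as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def redact(text: str):
    """Replace detected values with [LABEL] tokens. Returns (clean_text, counts)."""
    counts = {}
    for label, pattern in PATTERNS.items():
        def repl(m, label=label):
            if label == "CARD" and not luhn_ok(re.sub(r"\D", "", m.group(0))):
                return m.group(0)  # fails Luhn: not a card number, leave it alone
            counts[label] = counts.get(label, 0) + 1
            return f"[{label}]"
        text = pattern.sub(repl, text)
    return text, counts


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_invocation_record(agent_id, branch, compliance_flag, user_id,
                            sent_prompt, response, timestamp=None):
    """Audit entry carrying the fields the page lists plus input/output hashes.
    The prompt and response text are deliberately absent (assumed field names)."""
    return {
        "agent_id": agent_id,
        "branch": branch,
        "compliance_flag": compliance_flag,
        "timestamp": (timestamp or datetime.now(timezone.utc)).isoformat(),
        "input_hash": sha256_hex(sent_prompt),
        "output_hash": sha256_hex(response),
        "user_id": user_id,
    }


def handle_request(agent_id, branch, compliance_flag, user_id, raw_prompt, backend):
    """Middleware order: redact, infer on the clean text, log hashes only.
    `backend` is any callable taking the clean prompt and returning a response.
    Redaction counts are returned separately; they are not a page-listed log field."""
    clean_prompt, counts = redact(raw_prompt)
    response = backend(clean_prompt)
    record = build_invocation_record(agent_id, branch, compliance_flag, user_id,
                                     clean_prompt, response)
    return response, record, counts


def record_is_hash_only(record, *plaintexts) -> bool:
    """Audit check: none of the given plaintexts appear in any record value."""
    return not any(t in str(v) for v in record.values() for t in plaintexts)


def demo_backend(prompt: str) -> str:
    """Stand-in for the inference backend; echoes so callers can see what it received."""
    return "ACK: " + prompt


# Constructed sample input containing one value from each pattern category.
SAMPLE_PROMPT = (
    "Draft a benefits letter for John Doe, SSN 123-45-6789, "
    "phone 555-123-4567, email jdoe@example.com, "
    "card 4111 1111 1111 1111, last login from 192.168.1.20."
)

if __name__ == "__main__":
    resp, rec, counts = handle_request("agent-1", "Army", "ZERO_RETENTION_PHI",
                                       "user-9", SAMPLE_PROMPT, demo_backend)
    print(resp)
    print(rec, counts)
```

Two properties of this design are worth keeping in mind when reviewing such a pipeline: the backend only ever sees the token-substituted text, so a redaction gap (a format the patterns miss) is a leak to the model provider, not just a logging problem; and an unsalted SHA-256 of a short prompt is a commitment to its content rather than a secret, which is the right property for audit (a later dispute can be settled by re-hashing the claimed text) but means the log should still be access-controlled.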
Security Contact
To report a security vulnerability or request an enterprise security review, contact us at security@militaryaiagents.com.