Security and trust

Aethis is infrastructure for systems that need verifiable decisions, including in regulated environments. The engine has been validated against the published benchmarks (Simpson 2026 §3) and is intended for production use; the developer surfaces around it are in early access while pricing, rate limits, and the published API contract settle. Security and data protection are designed in from the start. Controls are proportionate to current scale and are formalised as the platform matures.

Several properties of the engine are themselves security-relevant.

• —Decisions are evaluated by a constraint solver against a compiled ruleset. No language model runs in the decision path. The set of inputs that affect an outcome is bounded by the ruleset.
• —Rule authoring (LLM-assisted) and rule evaluation (deterministic) are separated. The authoring pipeline runs at build time and produces a compiled artefact; the runtime executes that artefact only.
• —Every decision returns the ruleset and engine version. Reproducing a past decision against a known input is deterministic.
• —Customer rule content is isolated per project and per organisation. API keys are scoped to a project.

• —In transit: TLS 1.2 or higher for all traffic to api.aethis.ai, the dashboard, and sub-processor endpoints.
• —At rest: provider-managed encryption (AES-256 or equivalent) on databases, object storage, and secret stores.
• —Secrets: managed in Google Secret Manager with least-privilege service-account access.

• —Customer authentication is handled by Clerk (passwordless email, OAuth, or password with strength requirements).
• —API access uses scoped, revocable API keys. Keys are issued and rotated through the dashboard.
• —Internal access to production systems is restricted to named staff, gated by SSO and short-lived credentials, and audited.
• —Production access requires approval and is logged.

Customer data is logically isolated by organisation and project at the application layer. Rulesets, fields, tests, and decisions are scoped to the owning project and not accessible across organisations.

Core application data is hosted in the United Kingdom or European Union. Some sub-processors operate in the United States. Where data crosses borders we rely on UK International Data Transfer Agreements, the EU Standard Contractual Clauses, or adequacy regulations. The current list of sub-processors and their regions is at /subprocessors.

• —API requests are logged with timestamp, route, status, latency, API key identifier, and ruleset version.
• —Decision logs include the inputs supplied to the engine and the outcome. Retention is 90 days by default; longer retention is available under contract.
• —Authentication events and admin actions in the dashboard are recorded.

Application databases are backed up daily by the managed provider, with point-in-time recovery available. Compiled rulesets are content-addressed and reproducible from source, so engine state can be reconstructed independently of any single backup.

Report suspected vulnerabilities to security@aethis.ai. Please do not exfiltrate data, run automated scanners against production, or test rate limits. We aim to acknowledge reports within two business days. Researchers acting in good faith and within these guidelines will not be pursued.

Aethis processes personal data in accordance with UK GDPR and the Data Protection Act 2018. SOC 2 Type I and ISO 27001 alignment work is underway; we do not currently claim either certification. A summary of current controls is available to prospective customers under NDA.

• —Treat API keys as secrets; never commit them to source control.
• —Apply your own access controls and audit on top of decision outputs.
• —Keep a human in the loop for high-stakes decisions, as set out in the Acceptable Use Policy.
• —Notify us promptly of any suspected unauthorised access to your account.

Security questions: security@aethis.ai.