HYBRID MULTI-CLOUD — AZURE + AWS + GCP

TRUST CENTER

Enterprise-grade security, compliance certifications, and transparent data practices across Azure, AWS, and GCP.
Your data never leaves your control.
  • SSL / TLS 1.3: certified
  • SOC 2 Type II: in progress
  • HIPAA: ready
  • Multi-cloud: Azure + AWS + GCP
  • Read-only: default
  • Pen tested: annual
  • GDPR: compliant
  • ISO 27001: planned
PLATFORM SECURITY POSTURE
TITAN AI is built with security-first architecture. We protect your data with the same rigor we use to secure your cloud.
TLS 1.3 (encryption in transit): Post-quantum key exchange (X25519MLKEM768). TLS 1.0/1.1 disabled. HSTS enforced with 1-year max-age and preload.
AES-256 (encryption at rest): All customer data encrypted via Azure Storage Service Encryption (SSE). Keys managed by Azure Key Vault with HSM backing.
Zero write access by default: All scanning agents use read-only RBAC roles. No agents, no code deployed in your environment. Agentless architecture.
100% audit logged: Every scan, API call, finding, and remediation is logged with timestamps, user context, and result data. Immutable audit trail.
AGENTLESS SCANNING ARCHITECTURE
How TITAN AI securely scans your Azure environment without installing anything
1. CONNECT: You grant TITAN AI a read-only Service Principal or Managed Identity with Azure's built-in Reader role. Takes 5 minutes. No agents installed, no code deployed, no network changes.
2. DISCOVER: TITAN SCOUT queries the Azure Resource Manager API and Microsoft Graph API to enumerate all resources, configurations, IAM roles, network topology, and security settings across your subscriptions.
3. ANALYZE: AI agents analyze resource metadata, configurations, and security posture. No customer data is read — only infrastructure metadata and settings. Analysis runs in our isolated Azure tenant.
4. REPORT: Findings are compiled into interactive HTML reports with risk scoring, remediation steps, compliance mapping, and executive summaries. Reports are encrypted at rest and access-controlled.
No Agents Installed
Zero software deployed in your environment. No performance impact on production workloads.
API-Based Only
Uses Azure Resource Manager and Microsoft Graph APIs with least-privilege, read-only permissions.
Data Stays in Region
Scan data is processed in your Azure region. Only findings and metadata are stored in our platform.
No Network Changes
No VPN, no peering, no firewall rules. Connects through standard Azure APIs over HTTPS.
Revoke Anytime
Remove our Service Principal at any time. Instant disconnection — no residual access or artifacts.
No Customer Data Read
We scan configurations and metadata only. We never access database contents, file contents, or application data.
CLOUD-NATIVE SECURITY COVERAGE
CSPM + CWPP + CIEM capabilities in one platform

🛡 CSPM

Cloud Security Posture Management
  • Resource configuration assessment
  • Security best practice validation
  • Continuous compliance monitoring
  • Drift detection and alerting
  • 243 automated security controls
  • 14 compliance framework mapping

🔎 CWPP

Cloud Workload Protection
  • VM security configuration audit
  • Network exposure analysis
  • Open port and protocol detection
  • Storage account hardening
  • Key Vault configuration checks
  • SQL and database security audit

👥 CIEM

Cloud Entitlement Management
  • RBAC role assignment analysis
  • Over-privileged identity detection
  • Dormant account identification
  • Service Principal audit
  • Managed Identity validation
  • Least-privilege enforcement
WHAT OUR AGENTS EXTRACT
Data category | Examples | Used for
Resource inventory | VMs, Storage, SQL, Key Vault, NSGs, App Services, Disks | Infrastructure health and cost analysis
Security configurations | NSG rules, firewall settings, encryption status, TLS versions | Vulnerability detection and hardening
IAM / RBAC | Role assignments, service principals, managed identities | Access control and privilege analysis
Network topology | Subnets, peering, public IPs, load balancers, DNS | Attack surface mapping
Compliance posture | Policy assignments, diagnostic settings, audit logs | Framework compliance mapping
Cost & usage | Spending data, resource utilization, idle resources | Cost optimization and waste detection
We NEVER read database contents, file contents, application data, secrets values, or customer PII.
ENCRYPTION & DATA PROTECTION
Enterprise-grade encryption at every layer

TLS 1.3 In Transit

All data transmitted between your browser and TITAN AI is encrypted with TLS 1.3 using AES-128-GCM with post-quantum key exchange (X25519MLKEM768). TLS 1.2 is supported as fallback — TLS 1.0 and 1.1 are disabled.

AES-256 At Rest

All scan reports, findings, and customer data stored on Azure are encrypted at rest using AES-256 bit encryption via Azure Storage Service Encryption (SSE). Encryption keys are managed by Azure Key Vault with HSM backing.

Zero Trust Architecture

TITAN AI operates on a zero-trust model. Every API call is authenticated, every session is verified, and every agent runs with least-privilege access to your Azure environment. Read-only by default — no implicit trust.

HTTPS Enforced

All HTTP traffic is automatically redirected to HTTPS. HSTS (HTTP Strict Transport Security) is enabled with a 1-year max-age, includeSubDomains, and preload directives. SSL certificate via Let's Encrypt with auto-renewal.

SECURITY HEADERS
Defense-in-depth protection against common web attacks
Header | Value | Protection
Strict-Transport-Security | max-age=31536000; includeSubDomains; preload | Forces HTTPS for 1 year — prevents downgrade attacks
X-Frame-Options | DENY | Prevents clickjacking — blocks iframe embedding
X-Content-Type-Options | nosniff | Prevents MIME type sniffing attacks
Content-Security-Policy | default-src 'self'; script-src 'self' ... | Prevents XSS and code injection attacks
Referrer-Policy | strict-origin-when-cross-origin | Controls referrer header leakage
Permissions-Policy | camera=(), microphone=(), geolocation=() | Disables unnecessary browser APIs
X-XSS-Protection | 1; mode=block | Legacy XSS filter — blocks reflected XSS
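A way to verify that a response actually carries the policy in the table above, as an added example that is not TITAN AI's code: it parses the HSTS and CSP values rather than string-matching them, and the two header sets are constructed samples, not captured responses.

```python
# Added example, not TITAN AI code: checks an HTTP response's security
# headers against the policy in the table above. Both header sets below
# are constructed samples, not captured responses.

def check_security_headers(headers):
    """Return a list of findings; an empty list means the policy is met."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    # HSTS: parse directives instead of comparing the raw string
    parts = h.get("strict-transport-security", "").lower().replace(" ", "").split(";")
    max_age = next((int(p[8:]) for p in parts if p.startswith("max-age=") and p[8:].isdigit()), 0)
    if max_age < 31536000:
        findings.append("HSTS max-age below 1 year (downgrade window)")
    if not ("includesubdomains" in parts and "preload" in parts):
        findings.append("HSTS missing includeSubDomains or preload")
    if h.get("x-frame-options", "").upper() != "DENY":
        findings.append("X-Frame-Options is not DENY (clickjacking)")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing nosniff")
    # CSP: map each directive to its source list
    csp = {}
    for d in h.get("content-security-policy", "").split(";"):
        tokens = d.split()
        if tokens:
            csp[tokens[0].lower()] = tokens[1:]
    if "'self'" not in csp.get("default-src", []):
        findings.append("CSP default-src does not restrict to 'self'")
    if "'unsafe-inline'" in csp.get("script-src", csp.get("default-src", [])):
        findings.append("CSP permits inline scripts (XSS)")
    if h.get("referrer-policy", "").lower() != "strict-origin-when-cross-origin":
        findings.append("Referrer-Policy is not strict-origin-when-cross-origin")
    policy = h.get("permissions-policy", "").replace(" ", "")
    for feature in ("camera", "microphone", "geolocation"):
        if f"{feature}=()" not in policy:
            findings.append(f"Permissions-Policy does not disable {feature}")
    return findings

# Constructed sample matching the table (passes every check)
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
# Constructed weak sample: short HSTS, framing allowed, permissive CSP
WEAK_HEADERS = {
    "strict-transport-security": "max-age=300",
    "x-frame-options": "SAMEORIGIN",
    "content-security-policy": "default-src *; script-src 'self' 'unsafe-inline'",
}
```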
ACCESS & AUTHENTICATION
How TITAN AI connects to your Azure environment

Read-Only by Default

TITAN SCOUT and SENTINEL operate with Azure's built-in Reader RBAC role. They scan and analyze without modifying any resources. Only TITAN FORGE writes changes — and only with explicit approval and preview.

Azure Managed Identity

No credentials stored in code. TITAN AI uses Azure Managed Identity or Service Principal authentication with certificate-based auth — your credentials never leave your Azure tenant.

Controlled Remediation

TITAN FORGE previews every fix before applying it. Each remediation is logged, reversible, and validated with a re-scan. No blind changes — ever. You approve before anything is modified.

Full Audit Trail

Every scan, finding, remediation, and API call is logged with timestamps, user context, and result data. Complete audit trail for compliance reviews, incident response, and regulatory exams.

CERTIFICATIONS & COMMITMENTS
Our security certifications and compliance roadmap
✔ ACTIVE
SSL / TLS 1.3 Encryption Let's Encrypt SSL certificate with auto-renewal. TLS 1.3 with post-quantum key exchange. A+ SSL Labs rating.
HIPAA-Ready Architecture Platform architecture meets HIPAA technical safeguard requirements. BAA available for healthcare customers upon request.
GDPR Compliant Data processing agreements (DPA) available. Right to erasure, data portability, and consent management supported.
Azure Infrastructure Hosted on Microsoft Azure with inherited certifications: SOC 1/2/3, ISO 27001/27017/27018, HIPAA, PCI DSS Level 1.
Annual Penetration Testing Third-party penetration testing performed annually by independent security firm. Summary available upon request under NDA.
CCPA / CPRA Compliant We do not sell personal information. California consumers can exercise data rights per our Privacy Policy.
⏱ ROADMAP
SOC 2 Type II Audit engagement initiated. Controls designed and operating. Expected completion: Q4 2026. Auditor: TBD (Big 4 / A-LIGN class).
ISO 27001 Information Security Management System (ISMS) in development. Certification planned for 2027.
CSA STAR Level 1 Cloud Security Alliance self-assessment (CAIQ) in preparation. Will be published on the CSA STAR Registry.
HITRUST CSF For healthcare enterprise customers requiring HITRUST certification. Planned based on customer demand.
PCI DSS Attestation For banking and retail customers handling cardholder data. Planned based on customer requirements.
INHERITED FROM MICROSOFT AZURE
TITAN AI is hosted on Azure and inherits these infrastructure certifications
SOC 1/2/3 ISO 27001 ISO 27017 ISO 27018 HIPAA PCI DSS L1 CSA STAR HITRUST CJIS NIST 800-53 DoD IL5 IRAP UK G-Cloud
COMPLIANCE FRAMEWORKS
TITAN AI checks your environment against 19 industry frameworks with 278 automated controls
  • HIPAA: 22 controls
  • SOC 2: 10 controls
  • PCI DSS v4.0: 32 controls
  • NIST 800-53: 37 controls
  • NIST CSF 2.0: 24 controls
  • CIS Azure v2.0: 15 controls
  • CMMC 2.0: 21 controls
  • HITRUST CSF: 8 controls
  • CCPA/CPRA: 10 controls
  • SOX: 12 controls
  • CJIS: 16 controls
  • FERPA: 10 controls
  • NIST 800-66: 9 controls
DATA PROCESSING & PRIVACY
Full transparency on how we handle your data

Data Processing Agreement (DPA)

We provide a GDPR-compliant Data Processing Agreement to all customers upon request. Our DPA defines data controller/processor responsibilities, data handling obligations, and breach notification procedures.

Sub-Processor Transparency

We maintain a public list of sub-processors who handle customer data. Current sub-processors: Microsoft Azure (infrastructure hosting), Stripe (payment processing), AI Analysis Engine (report generation). No other third parties receive your data.

Data Retention Policy

Scan data and reports: 12 months, then auto-deleted. Account info: 90 days post-cancellation. Billing records: 7 years (tax compliance). You can request early deletion at any time via email.

Data Residency

All customer data is processed and stored on Microsoft Azure infrastructure in the United States (East US region). For customers with data sovereignty requirements, regional deployment options are available upon request.

HIPAA BUSINESS ASSOCIATE AGREEMENT
Healthcare organizations requiring a BAA can request one at info@titanai.tech.
Our platform architecture meets HIPAA technical safeguard requirements including encryption, access controls, audit logging, and automatic logoff.
16 AI AGENT INVENTORY
Complete disclosure of every TITAN AI agent, function, and data-access scope — required for HIPAA Business Associate Agreement review and customer legal approval
☁ CLOUD SECURITY AGENTS (6)

1. SCOUT

Azure Resource Discovery & Attack Surface Mapping

Data accessed: Azure Resource Manager metadata only (resource types, tags, locations). Read-only ARM API.

PHI: None

2. SENTINEL

Vulnerability Scanning & Threat Detection

Data accessed: NSG rules, TLS configs, port exposures, CVE matching. No customer data.

PHI: None

3. SHADOW

Shadow IT & Data Exfiltration Detection

Data accessed: Azure activity logs, sign-in logs, resource access patterns. Metadata only (filenames, sizes).

PHI: Metadata only — filenames not contents

4. FORGE

Auto-Remediation (Preview Mode Default)

Data accessed: ARM write API for config changes only. No user-data access. Preview mode by default.

PHI: None

5. COMPLY

Compliance Framework Mapping (16+ frameworks)

Data accessed: Findings from other agents only — no direct cloud data access.

PHI: None

6. WATCH

Continuous Monitoring & Alerting

Data accessed: Azure Monitor metrics, alerts, Log Analytics queries (metadata).

PHI: None

📄 AUDIT & EVIDENCE (1)

7. AUDIT

Audit Evidence Collection & Report Generation

Data accessed: Control evidence from other agents. Generates DOCX/PDF reports for auditors.

PHI: None — evidence metadata only

❤ HEALTHCARE AGENTS (4) — HIPAA BAA SCOPE

8. ENGAGE

Member Risk Scoring & Engagement

Data accessed: Member demographics, claims summary, care gap indicators.

PHI: YES — BAA REQUIRED

9. VOICE

Clinical Call QA & HIPAA Compliance Checks

Data accessed: Call transcripts, agent scripts, QA scorecards. Encryption in transit and at rest.

PHI: YES — BAA REQUIRED

10. PULSE

Member Outreach Optimization

Data accessed: Outreach logs, contact preferences, response rates. Limited PHI (contact data only).

PHI: Limited — BAA required for contact data

11. PREDICT

ER Visit & Readmission Prediction

Data accessed: Clinical history, diagnoses (ICD-10), lab results, medication lists.

PHI: YES — BAA REQUIRED

🏦 BANKING AGENTS (3) — GLBA / PCI-DSS SCOPE

12. AML

Anti-Money Laundering Alert Triage

Data accessed: Transaction metadata, customer risk scores, SAR filings.

PHI: No (NPI under GLBA 16 CFR 314)

13. FRAUD

Real-Time Transaction Fraud Detection

Data accessed: Transaction patterns, device fingerprints, geo-velocity.

PHI: No (NPI under GLBA)

14. KYC

Customer Identification & Screening

Data accessed: Identity documents, PEP/sanctions/watchlist databases.

PHI: No (NPI under GLBA)

📡 TELECOM & ENTERPRISE (2)

15. TELCO

TCPA / CPNI Compliance Auditing

Data accessed: Call/SMS consent records, CPNI logs, FCC filings.

PHI: No (CPNI under 47 CFR Part 64)

16. CODE

Data Pipeline & ETL Quality Monitoring

Data accessed: Pipeline metadata, row counts, schema validations — no row-level data.

PHI: None

HIPAA BAA SCOPE SUMMARY
Of the 16 AI agents, 4 agents (ENGAGE, VOICE, PULSE, PREDICT) process Protected Health Information and are covered under the HIPAA Business Associate Agreement. The remaining 12 agents operate on infrastructure metadata, security configurations, financial NPI (GLBA scope), or non-healthcare data and do not require HIPAA BAA coverage. All customer data is processed within Microsoft Azure East US with encryption in transit (TLS 1.2+) and at rest (AES-256). Data is retained only for the duration of the active engagement plus 30 days.
SECURITY TESTING
Continuous security validation of our own platform

Annual Penetration Testing

Third-party white-box penetration testing performed annually by an independent security firm. Covers web application, API, infrastructure, and authentication testing. Summary report available under NDA.

Vulnerability Scanning

Automated vulnerability scanning runs continuously on our infrastructure. SAST (static analysis) on every code commit. Dependency scanning for third-party library vulnerabilities. Critical findings remediated within 24 hours.

Secure Development Lifecycle

All code goes through peer review, automated testing, and security scanning before deployment. Secrets scanning on every commit. No credentials in source code — all secrets managed via Azure Key Vault.

SLA & AVAILABILITY
Our commitments to you
99.9% platform uptime: SLA-backed uptime for Enterprise and Gov tier subscribers.
< 24h incident response: Critical security incidents acknowledged within 24 hours.
72h breach notification: Customer notification within 72 hours of confirmed data breach (GDPR compliant).
30 days data rights response: All data access, deletion, and export requests fulfilled within 30 days.
RESPONSIBLE DISCLOSURE
We take security vulnerabilities seriously
REPORT A VULNERABILITY
If you discover a security vulnerability in TITAN AI, report it to:

info@titanai.tech

Acknowledged within 24 hours
Assessment within 72 hours
No legal action for responsible disclosure
Credit given in security advisories
SECURITY.TXT
We publish an RFC 9116-compliant security.txt file at:

titanai.tech/.well-known/security.txt

This allows automated security tools and researchers to quickly find our security contact information and disclosure policy.
REQUEST SECURITY DOCUMENTS
Available upon request for customers and prospects
📄 Data Processing Agreement (DPA)
📄 HIPAA Business Associate Agreement
📄 Penetration Test Summary (NDA required)
📄 SOC 2 Readiness Assessment
📄 Security Architecture Overview
📄 Sub-Processor List
📄 Incident Response Plan
📄 Vendor Security Questionnaire (SIG Lite / CAIQ)

READY TO SECURE YOUR CLOUD?

Get a FREE read-only security audit of your Azure environment. Zero risk. Full report. Agentless.

LIVE AZURE SCAN EVIDENCE
Real healthcare Azure environment scanned April 15, 2026. Per-resource evidence showing WHY each resource was flagged, which HIPAA/compliance rule it broke, and the exact remediation.
Screenshot 1, HIPAA audit dashboard: 28 compliance violations, 12 critical, 9 resources scanned, 6 frameworks violated.
Screenshot 2, storage account "PHI Data Store" (live Azure config evidence): enableHttpsTrafficOnly: false, allowBlobPublicAccess: true, TLS1_0; 5 HIPAA violations.
Screenshot 3, HIPAA compliance evidence: 28 findings across 6 frameworks (Storage, Key Vault, NSG, SQL, App Service, VNet).
Screenshot 4, IDS/IPS scanner evidence: network intrusion, web app security, access control and data exposure.
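The storage-account evidence above reduces to three configuration properties. As an added example that is not TITAN AI's code, the check below scores an account with those settings from metadata alone (read-only, the way the agentless model describes) and produces a remediation preview without mutating the input; the account is a constructed sample with a placeholder name, using az CLI-style property names.

```python
# Added example, not TITAN AI code: scores an Azure Storage Account's configuration
# (az CLI-style property names) for the weaknesses shown in the evidence above and
# builds a non-mutating remediation preview, the way a read-only CSPM check would.
import copy

# Constructed sample modelled on the flagged PHI data store; the name is a placeholder.
SAMPLE_ACCOUNT = {
    "name": "stphidatastore-placeholder",
    "enableHttpsTrafficOnly": False,
    "allowBlobPublicAccess": True,
    "minimumTlsVersion": "TLS1_0",
    "networkRuleSet": {"defaultAction": "Allow"},
}

TLS_RANK = {"TLS1_0": 0, "TLS1_1": 1, "TLS1_2": 2}


def assess_storage_account(acct):
    """Return findings as (severity, title, evidence) tuples; empty when clean."""
    findings = []
    if not acct.get("enableHttpsTrafficOnly", False):
        findings.append(("CRITICAL", "Plaintext HTTP accepted (no encryption in transit)",
                         "enableHttpsTrafficOnly: false"))
    if acct.get("allowBlobPublicAccess", False):
        findings.append(("CRITICAL", "Anonymous public blob access permitted",
                         "allowBlobPublicAccess: true"))
    tls = acct.get("minimumTlsVersion", "TLS1_0")  # missing or unknown value ranks weakest
    if TLS_RANK.get(tls, 0) < TLS_RANK["TLS1_2"]:
        findings.append(("HIGH", "Deprecated TLS version accepted",
                         f"minimumTlsVersion: {tls}"))
    if acct.get("networkRuleSet", {}).get("defaultAction", "Allow") == "Allow":
        findings.append(("MEDIUM", "Network rules allow all sources by default",
                         "networkRuleSet.defaultAction: Allow"))
    return findings


def remediation_preview(acct):
    """Return the hardened configuration; the input is left untouched (preview only)."""
    fixed = copy.deepcopy(acct)
    fixed["enableHttpsTrafficOnly"] = True
    fixed["allowBlobPublicAccess"] = False
    fixed["minimumTlsVersion"] = "TLS1_2"
    fixed.setdefault("networkRuleSet", {})["defaultAction"] = "Deny"  # add explicit allow rules afterwards
    return fixed
```

Re-running the assessment on the preview is the validation re-scan step: the hardened copy must come back with no findings before any change is applied.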