Security
How Eidolon products are built and operated.
Security is architectural, not bolted on. The product family is designed so that data sovereignty, isolation, and audit are properties of the system — not promises that need policing.
1. Architectural commitments
Local-first by default
Eidolon Personal runs the model and the database on your device. No data has to leave the machine for the product to function. The download artifact is signed; SHA-256 checksums are published with every release.
Schema-isolated tenants
Institutional products (Nursery, Clinic, Care, Research SaaS, ABS) use a dedicated database schema per customer, not a shared schema with a tenant_id column. A tenant's database role has rights on its own schema only, so a cross-tenant query fails at Postgres's permission check instead of depending on every query remembering a WHERE tenant_id clause; joining two customers' data needs a role with access to both schemas, which is explicit operational access. Postgres Row-Level Security policies further restrict which rows a given session can see within the tenant's own schema.
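What schema-per-tenant isolation with Row-Level Security looks like in Postgres, as an added illustration rather than Eidolon's own provisioning scripts. The tenant name acme, the role acme_app, a second tenant schema otherco (assumed to exist), the session setting app.site_id and the site_id column are all hypothetical; the page does not publish the real naming or the axis the RLS policies use.

```sql
-- Added example, not the Eidolon deployment. Names (acme, acme_app, otherco,
-- app.site_id, site_id) are hypothetical. Run as the operator role that owns
-- the database, not as a tenant role.

-- 1. Nothing shared is reachable by default: drop the implicit grants on public.
REVOKE ALL ON SCHEMA public FROM PUBLIC;

-- 2. One login role and one schema per tenant. The operator creates the schema,
--    so the tenant role does not own it and cannot ALTER or DROP it, nor grant
--    itself anything beyond what is granted here.
CREATE ROLE acme_app LOGIN;                 -- credentials are provisioned separately
CREATE SCHEMA acme;
GRANT USAGE ON SCHEMA acme TO acme_app;
ALTER DEFAULT PRIVILEGES IN SCHEMA acme
    GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO acme_app;
ALTER DEFAULT PRIVILEGES IN SCHEMA acme
    GRANT USAGE ON SEQUENCES TO acme_app;   -- bigserial ids need nextval() on INSERT
ALTER ROLE acme_app SET search_path = acme; -- unqualified names resolve here only

-- 3. Tables live inside the tenant schema. There is no tenant_id column, so
--    there is no WHERE clause to forget.
CREATE TABLE acme.record (
    id      bigserial PRIMARY KEY,
    site_id integer   NOT NULL,
    body    text      NOT NULL
);

-- 4. Row-Level Security narrows the tenant's own data further, per session.
--    The application sets app.site_id after authenticating the user. If it is
--    never set, current_setting(..., true) yields NULL, the comparison is NULL
--    and no row matches: a connection without context sees nothing, not everything.
ALTER TABLE acme.record ENABLE ROW LEVEL SECURITY;
ALTER TABLE acme.record FORCE ROW LEVEL SECURITY;   -- applies to the table owner too
CREATE POLICY site_scope ON acme.record
    FOR ALL TO acme_app
    USING      (site_id = current_setting('app.site_id', true)::integer)
    WITH CHECK (site_id = current_setting('app.site_id', true)::integer);

-- 5. Try it as the tenant. A real acme_app login gets its search_path from the
--    ALTER ROLE above; after SET ROLE it has to be set by hand.
SET ROLE acme_app;
SET search_path = acme;
SET app.site_id = '7';
INSERT INTO record (site_id, body) VALUES (7, 'visible to site 7');   -- ok
INSERT INTO record (site_id, body) VALUES (8, 'another site');
    -- ERROR: new row violates row-level security policy for table "record"
SELECT id, body FROM record;              -- site 7 rows only
SELECT * FROM otherco.record;             -- ERROR: permission denied for schema otherco
SET search_path = otherco, acme;          -- changing the path does not help:
SELECT id, body FROM record;              -- otherco has no USAGE, so lookup skips it and
RESET ROLE;                               -- this still resolves to acme.record
```

The point of step 5 is that the cross-tenant failure is a privilege error raised by Postgres, independent of application code; the only way to read two schemas in one session is a role that has been granted USAGE on both, which is the operational-access case the section describes.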
UK / EU jurisdiction
Institutional product hosting is inside UK and EU data centres. The choice is per-customer; we don't silently move data across jurisdictions. ABS hosting is in Australia (Queensland) for AU customers.
SHA-256-chained audit trail
Eidolon Clinic and Eidolon Nursery emit append-only audit events to a SHA-256-chained log at the storage boundary: each event's hash covers the previous event's hash, so altering, deleting or reordering an event breaks every link after it, and tampering is detectable. Verification does not have to start at the first event; the chain can be re-walked from any checkpoint whose hash the verifier already trusts.
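One way to build a SHA-256-chained, append-only audit table at the storage boundary in Postgres, added here as an illustration and not the Eidolon implementation (whose record layout is not published). The schema name audit, the table audit.event, the field order hashed in audit.canon and the advisory lock key 7001 are hypothetical; it needs the pgcrypto extension for digest() and PostgreSQL 11 or later for EXECUTE FUNCTION.

```sql
-- Added example, not the Eidolon code. audit.event, audit.canon, the hashed
-- field order and lock key 7001 are hypothetical choices.
CREATE EXTENSION IF NOT EXISTS pgcrypto;   -- provides digest()
CREATE SCHEMA audit;

CREATE TABLE audit.event (
    seq       bigint      PRIMARY KEY,     -- assigned by the trigger, in chain order
    occurred  timestamptz NOT NULL DEFAULT now(),
    actor     text        NOT NULL,
    action    text        NOT NULL,
    payload   jsonb       NOT NULL,
    prev_hash bytea       NOT NULL,        -- hash of the previous event; 32 zero bytes for the first
    hash      bytea       NOT NULL         -- sha256(prev_hash || canonical bytes of this event)
);

-- Canonical bytes for one event. Writer and verifier must hash exactly the same
-- thing, so the timestamp is rendered in a fixed UTC format and the payload as
-- jsonb text, whose key order and spacing Postgres normalises.
CREATE FUNCTION audit.canon(seq bigint, occurred timestamptz, actor text,
                            action text, payload jsonb) RETURNS bytea
LANGUAGE sql AS $$
    SELECT convert_to(seq::text || '|'
                   || to_char(occurred AT TIME ZONE 'UTC', 'YYYY-MM-DD"T"HH24:MI:SS.US"Z"') || '|'
                   || actor || '|' || action || '|' || payload::text, 'UTF8')
$$;

-- Append: link the new event to the current head. The transaction-scoped
-- advisory lock serialises appenders; without it two concurrent inserts could
-- both read the same head and fork the chain.
CREATE FUNCTION audit.chain() RETURNS trigger LANGUAGE plpgsql AS $$
DECLARE
    head_seq  bigint;
    head_hash bytea;
BEGIN
    PERFORM pg_advisory_xact_lock(7001);
    SELECT e.seq, e.hash INTO head_seq, head_hash
      FROM audit.event e ORDER BY e.seq DESC LIMIT 1;
    NEW.seq       := coalesce(head_seq, 0) + 1;
    NEW.prev_hash := coalesce(head_hash, decode(repeat('00', 32), 'hex'));
    NEW.hash      := digest(NEW.prev_hash
                            || audit.canon(NEW.seq, NEW.occurred, NEW.actor, NEW.action, NEW.payload),
                            'sha256');
    RETURN NEW;
END;
$$;

CREATE TRIGGER chain BEFORE INSERT ON audit.event
    FOR EACH ROW EXECUTE FUNCTION audit.chain();

-- Append-only: refuse UPDATE, DELETE and TRUNCATE for everyone, including the
-- table owner. Dropping this trigger is the "explicit operational access" case
-- (and is logged when log_statement is ddl or higher).
CREATE FUNCTION audit.deny() RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'audit.event is append-only';
END;
$$;

CREATE TRIGGER append_only BEFORE UPDATE OR DELETE OR TRUNCATE ON audit.event
    FOR EACH STATEMENT EXECUTE FUNCTION audit.deny();

-- Writing an event: the application supplies only the content.
INSERT INTO audit.event (actor, action, payload)
VALUES ('clinician:dr.a', 'record.read', '{"record": 17}');

-- Verification from any checkpoint: take a (seq, hash) pair you already trust,
-- re-hash every event from there on and check each points at its predecessor.
-- Returns the first broken link, or no rows if the chain is intact.
WITH walk AS (
    SELECT seq, prev_hash, hash,
           lag(hash) OVER (ORDER BY seq) AS expected_prev,
           digest(prev_hash || audit.canon(seq, occurred, actor, action, payload),
                  'sha256') AS recomputed
      FROM audit.event
     WHERE seq >= 1                -- the checkpoint; 1 re-walks from the genesis event
)
SELECT seq
  FROM walk
 WHERE recomputed <> hash
    OR (expected_prev IS NOT NULL AND prev_hash <> expected_prev)
 ORDER BY seq
 LIMIT 1;
```

The verifier compares the checkpoint row's own hash against the trusted value separately; the query then catches any altered, deleted or reordered event that has a successor in the table. What a chain alone cannot show is removal of the newest events, which leaves a shorter but internally valid chain, so the latest (seq, hash) should also be recorded outside the database (shipped off-box or handed to the customer) and compared on each verification. The trigger assumes the default READ COMMITTED level; under REPEATABLE READ a waiting appender would reuse the old head's seq and fail with a duplicate-key error, which is safe but loud.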
2. Data in transit and at rest
- In transit: TLS 1.3. HSTS + preload on eidolonai.co.uk.
- At rest: Disk-level encryption on hosted databases; per-tenant encryption keys for the institutional products are on the v1.x roadmap.
- Backups: Encrypted at rest, retained 30 days, access-controlled to ops staff only.
3. Identity & access
SaaS products authenticate with OAuth2; Clinic uses SMART on FHIR (an OAuth2 profile for health records) and Research carries the tenant context in the JWT. Operations access to customer data is restricted to named SREs under a four-eyes break-glass procedure, and every break-glass invocation is itself written to the audit chain.
4. Vulnerability disclosure
Found something? Email security@eidolonai.co.uk with reproduction steps. We acknowledge within 48 hours and provide a remediation timeline within 7 days. We will not pursue legal action against researchers acting in good faith.
5. Sub-processors
- Stripe — billing, payment processing (Personal & SaaS). PCI DSS Level 1.
- UK / EU VPS providers — institutional product hosting. Provider, and with it jurisdiction, is chosen per customer when they commit and is not changed afterwards without their agreement.
- Ollama — open-source local LLM runtime, installed by users on their own machines (Personal).
6. Roadmap
Per-tenant encryption keys (HSM-backed) for Clinic and Care; SOC 2 Type II for the SaaS products; ISO 27001 for the company; HIPAA attestation for US Care expansion (if/when that lands). Targets are pinned in the company roadmap and shared with institutional customers on request.