Data Security, Privacy, and Responsible AI Whitepaper

askEdgi is an AI-enabled analytics capability integrated within the OvalEdge platform. It operates within a governed data ecosystem that includes metadata management, lineage tracking, access controls, and policy enforcement.

The capability enables AI-assisted analytics using governed metadata and approved contextual information, while ensuring that raw enterprise data remains protected and processed only within authorized environments. askEdgi supports multiple deployment models and applies consistent security, privacy, and responsible AI controls across environments.

Security and privacy safeguards are enforced across all layers of the platform, including data ingestion, catalog operations, and AI-assisted analytics. These safeguards ensure confidentiality, integrity, availability, and regulatory compliance. askEdgi operates strictly within enterprise-defined governance boundaries and does not bypass, override, or weaken existing security or access controls.

This document provides visibility for CDO, CISO, Legal, Risk, and IT Architecture stakeholders into how askEdgi protects enterprise data, enforces governance, and enables controlled and responsible AI usage.

Deployment Models and Data Flow

askEdgi supports both SaaS and customer-managed deployments while maintaining consistent security, isolation, and governance controls.

SaaS Deployment Model

In the SaaS deployment model, askEdgi runs in a fully managed Amazon Web Services environment. The platform uses AWS native services to support secure, scalable, and isolated processing.

AWS services used include Amazon RDS, Amazon S3, Amazon ECS, and Amazon SQS.

Customer Managed or On-Prem Deployment Model

In customer-managed deployments, askEdgi components are deployed within customer-controlled infrastructure or private cloud environments. Equivalent enterprise-grade services are used to support secure storage, compute isolation, messaging and orchestration, and network and identity controls. All data remains within the customer-controlled environment. No data is transmitted externally unless explicitly configured.

Logical Architecture across All Deployments

The logical architecture applies consistently across all deployment models and includes the following components.

  • OvalEdge Platform for metadata management, governance enforcement, lineage, and access control.

  • askEdgi Insights Engine for AI-driven analytics and natural language interaction.

  • Secure Data Processing Layer for controlled analytics execution and temporary file handling.

All data flows are protected through tenant isolation, role-based access controls, and encrypted communication channels.

Applying Data Security Measures

askEdgi security controls apply uniformly across SaaS and customer-managed deployments unless explicitly stated otherwise. Governance enforcement remains consistent across all deployment models.

Securing Infrastructure Components

All platform components operate within isolated Virtual Private Clouds on AWS. Network access is controlled using security groups, IAM policies, and subnet-level isolation.

  • Data at rest uses AES-256 encryption.

  • Data in transit uses TLS 1.2 or higher.

  • Compute workloads run in isolated ECS containers without persistent storage beyond approved services.

Infrastructure access follows least privilege and is continuously monitored.

Enforcing Application-Level Security

Authentication and authorization use enterprise identity mechanisms such as SSO and OAuth 2.0. The OvalEdge platform enforces role-based and attribute-based access controls, data masking and policy enforcement, audit logging, and end-to-end lineage tracking. askEdgi Recipes are version-controlled, encrypted, and reviewed before broader availability.

Identity and Session Management Controls

askEdgi enforces enterprise-grade identity and session management controls to ensure secure access to the platform.

Authentication is supported through standards-based Single Sign-On (SSO) mechanisms, including SAML 2.0 and OpenID Connect (OIDC). Multi-factor authentication (MFA) is mandatory for administrative users to reduce the risk of privileged access compromise.

Access to the platform is governed by role-based access control (RBAC), ensuring users can perform only actions explicitly permitted by their assigned roles. User sessions are subject to defined expiration policies, and session credentials are rotated periodically to limit exposure in the event of credential compromise.

Connector Security and Lifecycle Management

askEdgi treats data connectors as governed security boundaries. Connectors authenticate using OAuth-based or credential-based mechanisms, with credentials encrypted and scoped to the minimum permissions required for operation.

All connector access is logged to support auditability and incident investigation. Connector credentials can be revoked when access is no longer required or if compromise is suspected, ensuring controlled termination of access without impacting unrelated platform operations.

Secure Data Processing and Analytics

During analytics execution, files are processed in controlled environments.

  • Files are stored temporarily in Amazon S3 using encrypted and access-restricted buckets.

  • All files use AES-256 encryption at rest.

  • Files are converted to Parquet format to improve performance and reduce exposure.

Each user operates in a dedicated workspace that is non-shareable. Access to workspace storage is strictly isolated:

  • Users cannot access other workspaces.

  • Workspace data remains isolated from other users, even within the same organization.

All data transfers between components use HTTPS with certificate-based authentication.

Temporary files are retained only for the duration required to complete analytics execution and are not shared across users or workspaces.

Sandboxed Execution Environment Hardening

All analytical execution within askEdgi occurs in sandboxed environments designed to minimize attack surface and prevent cross-session or cross-tenant access.

Each execution environment enforces filesystem isolation to prevent access to host-level or other workspace files. Network egress from execution sandboxes is restricted to approved destinations to reduce the risk of unauthorized data exfiltration.

Compute resources are constrained through enforced quotas, including limits on CPU, memory, and execution runtime. Execution environments run on immutable runtime images, ensuring consistency, preventing persistence of unauthorized changes, and supporting secure disposal after completion.

Monitoring Events and Maintaining Logs

All user actions and system events are logged and retained based on enterprise audit requirements. OvalEdge provides activity and usage logs for governance and compliance review. AWS CloudWatch supports infrastructure monitoring and security event detection. These controls support traceability, incident investigation, and compliance reporting.

In addition to standard authentication and data access logs, askEdgi records metadata related to AI model interactions, including request context and execution metadata. Export and sharing events are logged to ensure traceability of data movement and result dissemination.

All logs are aggregated into centralized monitoring systems that support alerting, correlation, and investigation of anomalous or suspicious activity across the platform.

Controlling AI Interaction Security

Only metadata and approved contextual information are exposed to AI models. Customer data values are never shared with external AI providers.

askEdgi prevents customer data exposure to external AI service providers.

  • For SaaS deployments, API tokens for AI providers such as OpenAI and Gemini are securely managed by the platform.

  • For customer-managed deployments, API credentials are supplied and managed by the customer.

Only approved metadata and contextual information are shared with Large Language Models. Shared context includes table names, column descriptions, semantic summaries, and data profiles.

The following items are excluded from AI processing.

  • Raw customer data records.

  • Personally identifiable information.

  • Sensitive or regulated data values.

All AI interactions use vectorized metadata and pre-approved context from the governed data catalog.
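
The metadata-only boundary described above can be enforced with a deny-by-default context builder and a pre-send check. The following is an added example, not OvalEdge or askEdgi code. The catalog entry layout, field names, and tag names are assumptions, and it assumes that profile statistics able to hold literal values are treated as data values.

```python
import json

# Constructed sample; the entry layout and field names are assumptions for
# illustration, not the OvalEdge or askEdgi catalog schema.
SAMPLE_ENTRY = {
    "table_name": "customers",
    "semantic_summary": "One row per retail customer.",
    "sample_rows": [{"email": "jane@example.com", "region": "EMEA"}],
    "columns": [
        {"name": "email", "description": "Contact e-mail", "tags": ["PII"],
         "profile": {"data_type": "string", "distinct_count": 9812,
                     "top_values": ["jane@example.com"]}},
        {"name": "region", "description": "Sales region", "tags": [],
         "profile": {"data_type": "string", "null_pct": 0.0,
                     "top_values": ["EMEA"]}},
    ],
}

ALLOWED_TABLE_FIELDS = {"table_name", "semantic_summary"}
ALLOWED_COLUMN_FIELDS = {"name", "description"}
# Shape-only statistics. Anything that can hold literal values (top_values,
# min, max) is treated as data and never forwarded.
ALLOWED_PROFILE_STATS = {"data_type", "null_pct", "distinct_count"}
SENSITIVE_TAGS = {"PII", "REGULATED"}

def build_llm_context(entry):
    """Copy only allow-listed metadata; every other field is dropped by default."""
    context = {k: v for k, v in entry.items() if k in ALLOWED_TABLE_FIELDS}
    context["columns"] = []
    for col in entry.get("columns", []):
        out = {k: v for k, v in col.items() if k in ALLOWED_COLUMN_FIELDS}
        # Columns tagged sensitive expose name and description only, no profile.
        if not SENSITIVE_TAGS & set(col.get("tags", [])):
            out["profile"] = {k: v for k, v in col.get("profile", {}).items()
                              if k in ALLOWED_PROFILE_STATS}
        context["columns"].append(out)
    return context

def leaked_values(context, entry):
    """Pre-send check: raw sample values that appear in the serialized context."""
    blob = json.dumps(context)
    raw = [str(v) for row in entry.get("sample_rows", []) for v in row.values()]
    return [v for v in raw if v in blob]

if __name__ == "__main__":
    ctx = build_llm_context(SAMPLE_ENTRY)
    print(json.dumps(ctx, indent=2), leaked_values(ctx, SAMPLE_ENTRY))
```

Running leaked_values on an unfiltered entry returns the sample values it contains, which makes it usable as a blocking gate before any provider call.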

AI-Specific Security Controls

askEdgi implements additional controls to mitigate AI-specific security risks. These include defenses against prompt injection, controlled gating of AI tools, and validation of AI-generated outputs.

askEdgi relies on contractual safeguards with external AI model providers to enforce appropriate data handling and usage constraints.

AI Ethics and Responsible Use

askEdgi applies responsible AI principles based on transparency, accountability, and control. AI-generated insights are explainable and traceable to governed metadata. Recipes are reviewed before publication in shared or marketplace environments. Personal or sensitive data is not retained for AI inference persistence or training. Human oversight is included in governance workflows where validation is required.

Applying Data Privacy Principles

Customers retain ownership and control of data at all times. OvalEdge and askEdgi operate as data processors and act only on customer instructions within configured governance policies.

Data usage is limited to metadata management, governed analytics, and AI-assisted insights within the platform. Customer data is not used for model training, cross-tenant learning, or secondary purposes.

Data Retention and Deletion Policies

askEdgi applies defined data retention and deletion policies aligned with privacy and compliance requirements.

Uploaded files are retained for configurable periods, controlled by the customer (for example, 30–90 days). Chat and analysis history follows the same retention period as the underlying source data. Derived artifacts inherit the retention policy of their source datasets.

Audit logs are retained for compliance purposes, typically between 180 and 365 days. Backups are immutable and retained for time-bound periods.

User-initiated deletion requests trigger backend data purging within defined service-level timeframes. Backup data is removed through expiration-based deletion processes.

Secure Software Development Lifecycle

askEdgi follows secure software development lifecycle (SDLC) practices to reduce risk throughout the development and deployment process.

Code changes undergo peer review prior to integration. Static application security testing (SAST) and dependency scanning are performed to identify vulnerabilities in application code and third-party libraries. Infrastructure is managed using Infrastructure as Code (IaC) to ensure consistency, traceability, and controlled change management.

Continuous integration and continuous deployment (CI/CD) pipelines enforce approval gates before promotion to production environments. Build artifacts are signed to ensure integrity and provenance.

Vulnerability Management and Disclosure

askEdgi maintains a formal Vulnerability Disclosure Policy (VDP) to support responsible security research and coordinated disclosure of security vulnerabilities.

askEdgi encourages security researchers to report potential vulnerabilities in good faith. Vulnerabilities can be reported by email to [email protected]. Reports should include sufficient detail to support investigation, such as reproduction steps, observed impact, and proof of the issue.

Good-faith security research conducted within a defined scope will not result in legal action against the reporter. askEdgi commits to acknowledging vulnerability reports within three (3) business days and providing an initial assessment within ten (10) business days.

askEdgi coordinates remediation and public disclosure timelines with reporters to ensure vulnerabilities are addressed responsibly before disclosure.

Incident Response and Customer Notification

askEdgi maintains a structured incident response process supported by continuous, 24×7 monitoring. Security incidents are classified by severity to guide response prioritization and escalation.

When required, customers are notified of security incidents in accordance with contractual and regulatory obligations. Post-incident reviews are conducted to identify root causes and implement corrective actions.

Compliance and Certifications

The platform aligns with AWS compliance programs and inherited controls. Supported standards include ISO 27001, SOC 2 Type II, GDPR, and CCPA. OvalEdge follows secure development practices and conducts regular vulnerability assessments and penetration testing.

Control Framework Alignment

askEdgi aligns its security and governance controls with industry-recognized assurance frameworks, including SOC 2 and ISO/IEC 27001. The following control areas demonstrate mapped alignment between platform controls and common control criteria.

Access Control

askEdgi enforces role-based access control (RBAC), standards-based Single Sign-On (SSO), and multi-factor authentication (MFA) to ensure that access to systems and data is restricted to authorized users only.

Change Management

askEdgi applies controlled change management practices, including versioned deployments and approval workflows, to ensure that system changes are authorized, tested, and traceable.

Logging and Monitoring

askEdgi maintains centralized audit logging and monitoring to capture authentication events, access activity, and system operations. Logs support security monitoring, alerting, and investigation activities.

Data Protection

askEdgi protects data using encryption at rest and encryption in transit to preserve confidentiality and integrity across storage and communication layers.

Incident Response

askEdgi maintains defined incident response procedures to support detection, response, containment, and remediation of security incidents.

Summarizing Key Security Controls

The following table summarizes the primary security controls enforced across the askEdgi platform and the corresponding implementation approach.

Area             Control                  Implementation
---------------  -----------------------  -----------------------------
Data at Rest     AES-256 Encryption       Amazon S3, RDS, Vector Stores
Data in Transit  TLS 1.2+                 All APIs and services
Identity         SSO, IAM                 Role-based access
AI Security      Metadata-only context    Tokenized AI integration
Compute          Ephemeral Containers     ECS auto-termination
Monitoring       Audit Logs, CloudWatch   Continuous monitoring
Compliance       ISO, SOC 2               AWS inherited controls

Conclusion

askEdgi, as part of the OvalEdge platform, delivers a secure and governed environment for AI-assisted analytics. Encryption, access controls, privacy-by-design practices, and responsible AI controls protect customer data throughout its lifecycle while enabling trusted enterprise insights.


Copyright © 2026, OvalEdge LLC, Peachtree Corners, GA USA