Security Statement

At The MASS Lab, security and accountability are the product. We build managed, sovereign AI on infrastructure you control — and every AI data access is logged to a verifiable audit trail, so you can always answer the question “what did the AI actually touch?”

Data Protection

  • Encryption in Transit: All data transmissions use TLS 1.3 or higher
  • Encryption at Rest: Sensitive data encrypted using AES-256
  • Access Control: Role-based permissions with principle of least privilege
  • Data Segregation: Client data isolated in separate environments

Infrastructure Security

We run on Amazon Web Services, whose data centers are independently audited to SOC 2 Type II, ISO 27001, and PCI DSS. On top of that foundation we operate:

  • • Per-tenant isolation — each customer's data in its own dedicated environment
  • • TLS-locked service origins and managed key storage (AWS KMS)
  • • Automated patching, DDoS protection, and WAF
  • • Automated backups with point-in-time recovery
  • • Multi-AZ redundancy for high availability

The MASS Lab is not itself SOC 2 certified yet; our long-term audit logging is built to support that attestation as we grow.

Application Security

Development Practices

  • • Secure coding standards (OWASP)
  • • Code reviews and static analysis
  • • Dependency vulnerability scanning
  • • Secrets management systems

Authentication

  • • Multi-factor authentication (MFA)
  • • OAuth 2.0 / SAML integration
  • • Session management best practices
  • • Password policy enforcement

Monitoring & Compliance

Continuous monitoring and compliance measures ensure ongoing security:

  • • 24/7 security monitoring and alerting
  • • Comprehensive audit logging
  • • Regular penetration testing
  • • Annual security assessments
  • • Compliance with GDPR, CCPA where applicable

Verifiable AI Audit Trail

Every product we run sits on Token Holder, our trust and audit layer for AI agents. It means an AI never gets blanket access to your data — only scoped, revocable permissions, with a record you can check.

  • Per-agent least privilege: each AI agent gets only the access it needs, across your data sources
  • Cryptographically signed: every data access is recorded in a tamper-evident, signed audit chain
  • Independently verifiable: you (or your auditor, insurer, or regulator) can verify exactly what the AI touched
  • Instant revocation: revoke all AI access in seconds — your keys, your data, your rules

Healthcare & HIPAA

For healthcare and other regulated practices, we offer a HIPAA-aligned deployment and will sign a Business Associate Agreement (BAA) for qualifying engagements.

  • HIPAA-eligible infrastructure: built on AWS HIPAA-eligible services, including Amazon Bedrock for AI, under AWS's own BAA
  • Technical safeguards: encryption in transit and at rest, access controls, and full audit logging — core HIPAA requirements, by default
  • PHI minimization: we design deployments to keep protected health information out of prompts and logs wherever possible

We are not a covered entity, and a signed BAA is required before any protected health information is processed. To start a HIPAA-eligible deployment, reach us at hello@themasslab.com.

Incident Response

In the unlikely event of a security incident:

  1. 1. Immediate containment to prevent further impact
  2. 2. Assessment of scope and affected systems
  3. 3. Client notification within 24 hours
  4. 4. Remediation and system hardening
  5. 5. Post-incident review and improvements

Our Commitment

Security is not just a feature—it's fundamental to everything we build. We commit to:

  • • Transparency about our security practices
  • • Continuous improvement of security measures
  • • Rapid response to security concerns
  • • Regular training for our development team
  • • Partnership with clients on security requirements

For security inquiries or to report a vulnerability, contact: security@themasslab.com

We appreciate responsible disclosure and will acknowledge reports within 48 hours.