Trust is not a tone. Trust is an architecture.
Your strategic queries, competitive analysis, and regulatory intelligence are sovereign assets. Cortex treats them that way — isolated, encrypted, and under your complete control.
No shared databases. No co-mingled processing. No cross-client exposure. Your intelligence environment is yours alone — because the moment your strategic data touches shared infrastructure, it stops being strategic.
Board-level intelligence shouldn't reach the entire organization. Role-based access is designed so each person sees only what they need to act on — nothing more, nothing less. Access is controlled, auditable, and revocable.
When intelligence enters your decision chain without provenance, your organization inherits the risk of whatever that intelligence got wrong. Every Cortex output includes full source attribution, reasoning path, and confidence scoring.
Every access event, every document ingestion, every output delivery is logged and auditable. When regulators or compliance teams ask who saw what and when, you have the answer — instantly.
Nothing enters the system without organizational approval. Every document, every data source, every integration goes through structured governance — because ungoverned intelligence is just noise with liability attached.
Encrypted at rest. Encrypted in transit. Industry-standard protocols at every layer. Because if your intelligence infrastructure can be intercepted, it isn't intelligence — it's a liability.
Biopharma organizations operate under FDA oversight, institutional data governance, and security audit regimes that punish failure severely. Cortex was designed from the ground up for this reality — not retrofitted from a consumer product that was never meant to hold strategic intelligence.
A data breach in biopharma doesn't just cost money. It costs regulatory standing, investor confidence, and competitive positioning that took years to build. Cortex treats security as the foundation everything else is built on — not a checkbox added after the fact.
No. AimwellBio's backend infrastructure runs on Vercel serverless functions — compiled, deployed, and inaccessible to the public. No source maps are exposed. No API routes return internal logic. All proprietary intelligence algorithms run server-side. What clients and visitors receive is rendered output only.
Yes. All data is stored in Supabase (ISO 27001-aligned infrastructure). Client workspaces are isolated at the database layer, with row-level security (RLS) policies enforced. Member API requests require authenticated tokens. Public-facing intake routes (lead capture, FHIN application) are token-gated via Cloudflare Turnstile and rate-limited; no unauthenticated route has write access to member or client data.
Nothing critical breaks. AimwellBio's architecture writes to its own infrastructure — Supabase, Resend, and Stripe — first. Third-party automation tools are optional mirrors, not primary systems. Platform reliability does not depend on any single external vendor.
All credentials are stored as encrypted environment variables in Vercel's secret management system — never in source code, HTML, or client-accessible files. Security audits are run on every deployment to verify no secrets appear in any public-facing asset. Webhook URLs are server-side only.
AimwellBio is not currently presenting itself as SOC 2 certified or HIPAA certified. The platform uses security-conscious engineering practices and is preparing for formal compliance review as the product matures. This documentation is intended for transparency and diligence review.
AimwellBio does not handle Protected Health Information (PHI) in its current platform. The system architecture is built with security-conscious engineering practices (encryption at rest, audit logging, access controls, and role-based data isolation) in preparation for enterprise deployments that require it. Formal compliance attestations are not currently claimed.
AimwellBio is pursuing SOC 2 Type II certification. Current controls include access management, encryption, audit logging, incident response procedures, and change management. Independent audit engagement is planned for Q3–Q4 2026.
Data residency configurations are available for enterprise and sovereign tier deployments. All data handling is governed by the AimwellBio Data Use Policy. Tenant data is logically isolated at the database level, with row-level security (RLS) enforced.
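The tenant isolation described above (workspaces separated at the database layer with RLS enforced) is the kind of control a diligence reviewer will want to see in the schema itself. The following is an added illustration in Supabase-flavoured PostgreSQL, not AimwellBio's own SQL; the table names, the `tenant_members` mapping and the `current_user_tenants()` helper are hypothetical, while `auth.uid()` and the `authenticated` role are standard Supabase objects.

```sql
-- Hypothetical schema for a per-tenant document table (constructed example).
create table if not exists workspace_documents (
  id        uuid primary key default gen_random_uuid(),
  tenant_id uuid not null,
  owner_id  uuid not null,
  title     text not null,
  body      text
);

-- Maps authenticated users to the tenants they may act in (hypothetical).
create table if not exists tenant_members (
  tenant_id uuid not null,
  user_id   uuid not null,
  primary key (tenant_id, user_id)
);

-- Weak setting (shown only for contrast): a table exposed through the API
-- with RLS left off is readable and writable across every tenant.
--   alter table workspace_documents disable row level security;

-- Corrected setting: enable RLS and force it so the table owner is bound
-- by the policies too. Roles with BYPASSRLS (Supabase's service role)
-- still skip them, so server-side code using that key must scope by tenant itself.
alter table workspace_documents enable row level security;
alter table workspace_documents force row level security;

-- Tenant membership is resolved from auth.uid() (the verified JWT subject),
-- never from a tenant id supplied by the client. SECURITY DEFINER lets the
-- helper read tenant_members even if that table is itself RLS-protected.
create or replace function current_user_tenants()
returns setof uuid language sql stable security definer as $$
  select tenant_id from tenant_members where user_id = auth.uid()
$$;

-- Read policy: rows are visible only within the caller's own tenants.
create policy tenant_read on workspace_documents
  for select to authenticated
  using (tenant_id in (select current_user_tenants()));

-- Write policy: USING filters the existing row; WITH CHECK is evaluated
-- against the new row on INSERT/UPDATE, so a member cannot create a row in,
-- or move a row into, a tenant they do not belong to. Stating WITH CHECK
-- explicitly keeps that rule visible rather than relying on the implicit
-- fallback to the USING expression.
create policy tenant_write on workspace_documents
  for all to authenticated
  using (tenant_id in (select current_user_tenants()))
  with check (tenant_id in (select current_user_tenants()));
```

A useful audit check against a schema like this is to list every API-exposed table and confirm both `relrowsecurity` and `relforcerowsecurity` are true in `pg_class`, since a single table with RLS disabled undoes the isolation for that data.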