Isolated Workspace

No shared databases. No co-mingled processing. No cross-client exposure. Your intelligence environment is yours alone — because the moment your strategic data touches shared infrastructure, it stops being strategic.

Permissioned Outputs

Board-level intelligence shouldn't reach the entire organization. Role-based access is designed so each person sees only what they need to act on — nothing more, nothing less. Access is controlled, auditable, and revocable.

Source Lineage

When intelligence enters your decision chain without provenance, your organization inherits the risk of whatever that intelligence got wrong. Every Cortex output includes full source attribution, reasoning path, and confidence scoring.

Admin Audit Trail

Every access event, every document ingestion, every output delivery is logged and auditable. When regulators or compliance teams ask who saw what and when, you have the answer — instantly.

Governed Onboarding

Nothing enters the system without organizational approval. Every document, every data source, every integration goes through structured governance — because ungoverned intelligence is just noise with liability attached.

Encryption & Transport

Encrypted at rest. Encrypted in transit. Industry-standard protocols at every layer. Because if your intelligence infrastructure can be intercepted, it isn't intelligence — it's a liability.

Architecture

Six layers of defense. Zero exceptions. Every access logged.

Access Control & Authentication
Encryption at Rest & In Transit
Isolated Workspace Infrastructure
Governed Data Ingestion
Audit Trail & Compliance Logging
Permissioned Output Delivery

Built for the environments where a breach ends careers.

Biopharma organizations operate under FDA oversight, institutional data governance, and security audit regimes that punish failure severely. Cortex was designed from the ground up for this reality — not retrofitted from a consumer product that was never meant to hold strategic intelligence.

Security is not a feature. It is the architecture.

A data breach in biopharma doesn't just cost money. It costs regulatory standing, investor confidence, and competitive positioning that took years to build. Cortex treats security as the foundation everything else is built on — not a checkbox added after the fact.

Security Q&A

Answers to the questions investors ask.

Is your source code publicly visible?

No. AimwellBio's backend infrastructure runs on Vercel serverless functions — compiled, deployed, and inaccessible to the public. No source maps are exposed. No API routes return internal logic. All proprietary intelligence algorithms run server-side. What clients and visitors receive is rendered output only.

Are client queries and outputs stored securely?

Yes. All data is stored in Supabase (ISO 27001-aligned infrastructure). Client workspaces are isolated at the database layer, with row-level security (RLS) policies enforced. Member API requests require authenticated tokens. Public-facing intake routes (lead capture, FHIN application) are token-gated via Cloudflare Turnstile and rate-limited; no unauthenticated route has write access to member or client data.

What happens if a third-party automation tool fails?

Nothing critical breaks. AimwellBio's architecture writes to its own infrastructure — Supabase, Resend, and Stripe — first. Third-party automation tools are optional mirrors, not primary systems. Platform reliability does not depend on any single external vendor.

How are API keys and credentials protected?

All credentials are stored as encrypted environment variables in Vercel's secret management system — never in source code, HTML, or client-accessible files. Security audits are run on every deployment to verify no secrets appear in any public-facing asset. Webhook URLs are server-side only.

Compliance Posture

Compliance Roadmap & Honest Posture

AimwellBio is not currently presenting itself as SOC 2 certified or HIPAA certified. The platform uses security-conscious engineering practices and is preparing for formal compliance review as the product matures. This documentation is intended for transparency and diligence review.

In Pursuit

HIPAA-Ready Architecture

AimwellBio does not handle Protected Health Information (PHI) in its current platform. The system architecture is built with security-conscious engineering practices (encryption at rest, audit logging, access controls, and role-based data isolation) in preparation for enterprise deployments that require it. Formal compliance attestations are not currently claimed.

Business Associate Agreement (BAA) available upon request for enterprise tiers.

In Pursuit — Target Q4 2026

SOC 2 Type II

AimwellBio is pursuing SOC 2 Type II certification. Current controls include access management, encryption, audit logging, incident response procedures, and change management. Independent audit engagement is planned for Q3–Q4 2026.

SOC 2 Type I controls documentation available under NDA for qualified enterprise reviews.

Available

Data Residency Options

Data residency configurations are available for enterprise and sovereign tier deployments. All data handling is governed by the AimwellBio Data Use Policy. Tenant data is logically isolated at the database level, with row-level security (RLS) enforced.

Enterprise deployments: contact for custom data residency agreements.

What AimwellBio Does Not Claim

  • AimwellBio is not currently SOC 2 certified (Type I or Type II).
  • AimwellBio is not currently HIPAA-certified or HITRUST-certified.
  • AimwellBio is not ISO 27001 certified.
  • AimwellBio does not store or process Protected Health Information (PHI) in the current platform version.
  • AimwellBio does not provide legal compliance guarantees — each organization is responsible for its own compliance assessment.

Data Handling

All subscriber data encrypted at rest (AES-256) and in transit (TLS 1.3). No subscriber data sold or shared with third parties.

Authentication

Supabase-managed authentication with Row Level Security enforced at the database layer. No credential storage in application code.

Audit Logging

Authentication events, API access, and administrative actions are logged. Logs retained for 90 days minimum. Exportable upon enterprise request.

Access Control

Role-based access control (RBAC) enforced across all tier levels. Administrative access requires multi-factor authentication. Principle of least privilege applied.

Vendor Posture

Infrastructure: Vercel (SOC 2 Type II certified). Database: Supabase (SOC 2 Type II certified). Payments: Stripe (PCI DSS Level 1). Email: Resend.

Security Contact

Report vulnerabilities or request a security packet: security@aimwellbio.com. Enterprise security reviews scheduled by request.
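The tenant isolation described in the Security Q&A answer above and in the Authentication item (client workspaces isolated at the database layer, with row-level security enforced) is, in Postgres terms, a set of RLS policies keyed on the identity of the calling user. The block below is an added illustrative example, not AimwellBio's own schema or policies. It assumes Supabase's auth.uid() helper and auth.users table; the tables, columns and role names (workspaces, workspace_members, documents; admin, analyst, viewer) are invented for the example.

```sql
-- Added example (not AimwellBio's schema): tenant isolation with Postgres
-- row-level security in the Supabase style. Table, column and role names
-- are assumed; auth.uid() and auth.users are Supabase's.

create table workspaces (
  id   uuid primary key default gen_random_uuid(),
  name text not null
);

-- Membership table: which authenticated user holds which role in which tenant.
create table workspace_members (
  workspace_id uuid not null references workspaces (id) on delete cascade,
  user_id      uuid not null references auth.users (id) on delete cascade,
  role         text not null check (role in ('admin', 'analyst', 'viewer')),
  primary key (workspace_id, user_id)
);

create table documents (
  id           uuid primary key default gen_random_uuid(),
  workspace_id uuid not null references workspaces (id) on delete cascade,
  title        text not null,
  body         text not null,
  created_at   timestamptz not null default now()
);

-- Table grants say what the API role may attempt; RLS then filters rows.
grant select on workspace_members to authenticated;
grant select, insert, update on documents to authenticated;

-- RLS is opt-in per table. Once enabled, every role except the table owner
-- (and roles with BYPASSRLS) sees only rows a policy grants; with no
-- policies yet, that is zero rows.
alter table workspace_members enable row level security;
alter table documents         enable row level security;

-- The caller's role in a workspace, or NULL if they are not a member.
-- SECURITY DEFINER runs it as the table owner, so it can read
-- workspace_members without that table's own policy recursing into this check.
create or replace function public.workspace_role(ws uuid)
returns text
language sql
stable
security definer
set search_path = public
as $$
  select role
  from workspace_members
  where workspace_id = ws
    and user_id = auth.uid();   -- subject claim of the caller's JWT
$$;

revoke execute on function public.workspace_role(uuid) from public;
grant  execute on function public.workspace_role(uuid) to authenticated;

-- A user sees only their own membership rows.
create policy members_read_self on workspace_members
  for select to authenticated
  using (user_id = auth.uid());

-- Any member of a workspace may read that workspace's documents.
create policy documents_read_own_workspace on documents
  for select to authenticated
  using (workspace_role(workspace_id) is not null);

-- Only admins and analysts may write. WITH CHECK is evaluated on the new
-- row, so a caller cannot insert into, or move a row into, a workspace
-- they do not belong to.
create policy documents_insert_own_workspace on documents
  for insert to authenticated
  with check (workspace_role(workspace_id) in ('admin', 'analyst'));

create policy documents_update_own_workspace on documents
  for update to authenticated
  using      (workspace_role(workspace_id) in ('admin', 'analyst'))
  with check (workspace_role(workspace_id) in ('admin', 'analyst'));

-- No policy names the anon role, so unauthenticated requests cannot read
-- or write these tables at all.

-- Check from a SQL session: act as one authenticated user and confirm that
-- other tenants' rows are invisible. The UUID is a constructed placeholder.
begin;
  set local role authenticated;
  select set_config('request.jwt.claims',
                    '{"sub":"00000000-0000-0000-0000-000000000001"}', true);
  select count(*) from documents;   -- only rows from this user's workspaces
rollback;
```

Two things are worth confirming in a review of policies like these: every write policy carries a WITH CHECK clause (USING alone filters reads, and without WITH CHECK a member could write a row tagged with another tenant's workspace_id), and no policy is granted to public or anon, since either would reopen the tables to the unauthenticated intake routes.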
Security Testing · In Progress

Security Testing & Responsible Disclosure

Now: Automated Scanning

Dependency vulnerability scanning on every deployment (Vercel + GitHub Advisory Database). No secrets in source code or public assets — enforced by deployment checks. OWASP Top 10 coverage via automated static analysis.

Q3 2026: Third-Party Penetration Test

External penetration test by an independent firm is planned for Q3 2026, concurrent with the SOC 2 Type II audit engagement. Scope: web application, API endpoints, authentication flows, tenant isolation, and secrets management. Results summary published to enterprise subscribers.

Responsible Disclosure

AimwellBio operates a responsible disclosure policy. If you discover a potential security vulnerability, report it to security@aimwellbio.com before any public disclosure. We commit to acknowledging reports within 48 hours and providing a resolution timeline within 7 business days. No legal action against good-faith reporters.

Security testing scope and pentest executive summary will be made available to qualified enterprise and institutional tier subscribers under NDA upon request. Contact: security@aimwellbio.com
Built with security-conscious engineering practices. Formal compliance attestations are not currently claimed.