Compliance


Built for Regulated Industries


Organizations in highly regulated industries do not have the luxury of treating compliance as an afterthought. Regulatory requirements are not checkboxes to be ticked after the product is built — they are constraints that must shape the architecture from the first line of code. Otonomii was designed from the ground up to meet the compliance requirements of the most demanding industries: financial services, healthcare, energy, government, and insurance.

Every deployment undergoes a compliance mapping exercise that identifies the specific regulations, standards, and frameworks applicable to the customer's industry, jurisdiction, and use case. Controls are then configured to meet or exceed those requirements. This is not a one-time exercise — compliance posture is continuously monitored, and customers receive proactive notifications when regulatory changes affect their configuration.




Financial Services

SEC, FINRA, MiFID II, Dodd-Frank, Basel III, SOX

Financial institutions face some of the most stringent regulatory requirements globally. Otonomii meets these through immutable audit trails that satisfy SEC Rule 17a-4 records retention, real-time transaction monitoring compliant with anti-money laundering directives, and model governance frameworks that address SR 11-7 supervisory guidance on model risk management. All algorithmic decision paths are fully explainable and reproducible, a requirement for firms subject to MiFID II best execution obligations. Position-level data lineage ensures that every output can be traced back to its inputs, satisfying regulatory examination requirements.



Healthcare

HIPAA, HITECH, FDA 21 CFR Part 11, HITRUST

Healthcare organizations must protect patient health information (PHI) at every stage of processing. Otonomii provides HIPAA-compliant environments with Business Associate Agreements (BAAs) executed prior to any PHI exposure. Data is encrypted at rest using AES-256 and in transit using TLS 1.3. Access controls enforce minimum necessary access principles. Audit logs capture every access event with user identity, timestamp, and data touched. For clinical decision support applications, the platform supports FDA 21 CFR Part 11 electronic records requirements including validated systems, electronic signatures, and complete audit trails.



Energy and Utilities

NERC CIP, IEC 62443, FERC, TSA Pipeline Security

Critical infrastructure operators face unique requirements around operational technology security and grid reliability. Otonomii deployments for energy clients operate in air-gapped or segmented network configurations that satisfy NERC CIP requirements for electronic security perimeters. Industrial control system integrations follow IEC 62443 security levels. The platform supports FERC audit requirements for market participants and complies with TSA pipeline security directives for cybersecurity incident reporting and response planning.



Government and Defense

FedRAMP, ITAR, CMMC, NIST 800-171, IL4/IL5

Government deployments require adherence to frameworks that go beyond commercial compliance. Otonomii supports FedRAMP High environments with continuous monitoring, vulnerability scanning, and incident response aligned to NIST 800-53 controls. For defense industrial base customers, the platform meets CMMC Level 2 requirements and NIST 800-171 for Controlled Unclassified Information. Export-controlled workloads are isolated in ITAR-compliant environments with US-person-only access restrictions.



Insurance

NAIC Model Laws, Solvency II, IFRS 17, State DOI

Insurers using AI for underwriting, claims, or pricing face increasing regulatory scrutiny around algorithmic fairness and transparency. Otonomii provides model documentation that satisfies NAIC model bulletin requirements for AI governance, bias testing frameworks aligned with state Department of Insurance expectations, and actuarial audit trails that support IFRS 17 measurement model validation. European insurers benefit from Solvency II-aligned risk management integration.

Flexible Deployment




Cloud Deployment



AWS Bedrock Integration

Deploy Otonomii on Amazon Web Services using native Bedrock integration for model hosting, SageMaker for custom model training, and S3 with KMS for encrypted data storage. VPC isolation, PrivateLink connectivity, and AWS Organizations support for multi-account governance. Available in all commercial AWS regions listed below.


GCP Vertex AI Integration

Google Cloud Platform deployment leverages Vertex AI for model serving, BigQuery for analytical workloads, and Cloud KMS for key management. VPC Service Controls create a security perimeter around sensitive data. Supports Assured Workloads for regulated industries requiring data residency guarantees.


Azure Integration

Microsoft Azure deployment uses Azure OpenAI Service for model hosting, Azure Confidential Computing for sensitive workloads, and Azure Key Vault for secrets management. Azure Private Link ensures traffic never traverses the public internet. Supports Azure Government for US public sector customers.



On-Premise Deployment



Hardware Requirements

Minimum: 8-core CPU, 64GB RAM, 1TB NVMe SSD for development. Production: GPU-accelerated inference nodes (NVIDIA A100 or H100 recommended), redundant storage with RAID configuration, 10GbE networking. Air-gapped deployment option available with offline license activation and manual update channels.


Software Stack

Containerized deployment via Kubernetes (any distribution: OpenShift, Rancher, vanilla K8s). Helm charts provided for all components. Supports RHEL 8/9, Ubuntu 20.04/22.04, and SLES 15 as base operating systems. Database: PostgreSQL 15+ (included) or customer-managed instance.


Support Model

On-premise customers receive dedicated support engineering, quarterly on-site health checks, priority patch delivery, and direct escalation to platform engineering. SLA: 15-minute response for Severity 1, 4-hour response for Severity 2.



Hybrid Configuration



Architecture

Training and experimentation workloads run in the cloud for elastic compute access. Inference and decision-making run on-premise where sensitive data resides. A secure synchronization layer (mTLS, certificate-pinned) keeps models and metadata consistent between environments without exposing raw data.


Data Boundary Enforcement

Sensitive data (customer PII, PHI, financial records) never leaves the on-premise perimeter. Only model weights, anonymized telemetry, and aggregated metrics cross the boundary. Data classification policies are enforced at the API gateway level with automatic redaction of sensitive fields.


Scaling

Start with a single on-premise node and burst to cloud during peak demand. Auto-scaling policies respect data residency constraints — cloud nodes only process data that is cleared for cloud processing. Scale from startup (single node) to Fortune 500 (multi-region, thousands of concurrent inference requests) without architectural changes.


Cloud Region Availability

Region                   AWS               GCP                       Azure
US East (Virginia)       us-east-1         us-east4                  East US
US West (Oregon)         us-west-2         us-west1                  West US 2
EU West (Ireland)        eu-west-1         europe-west1              West Europe
EU Central (Frankfurt)   eu-central-1      europe-west3              Germany West Central
UK (London)              eu-west-2         europe-west2              UK South
Canada (Montreal)        ca-central-1      northamerica-northeast1   Canada Central
APAC (Tokyo)             ap-northeast-1    asia-northeast1           Japan East
APAC (Sydney)            ap-southeast-2    australia-southeast1      Australia East
APAC (Singapore)         ap-southeast-1    asia-southeast1           Southeast Asia
India (Mumbai)           ap-south-1        asia-south1               Central India
Brazil (Sao Paulo)       sa-east-1         southamerica-east1        Brazil South
Middle East (Bahrain)    me-south-1        me-central1               UAE North

Safety-First Approach


Data protection at Otonomii operates end-to-end across the entire data lifecycle: ingestion, processing, storage, retrieval, and deletion. At no point does data exist in an unprotected state. This is not achieved through a single mechanism but through layered defenses that operate independently — the failure of any single layer does not expose customer data.


01


Encryption at Rest

All customer data is encrypted using AES-256. Encryption keys are managed through hardware security modules (HSMs) with automatic key rotation on a configurable schedule (default: 90 days). Customer-managed keys (BYOK) are supported for customers requiring direct key custody.

02


Encryption in Transit

All data in transit is protected by TLS 1.3 with forward secrecy. Internal service-to-service communication uses mutual TLS (mTLS) with certificate rotation. No plaintext protocols are permitted within the platform perimeter.

03


Access Controls

Role-based access control (RBAC) with principle of least privilege. Multi-factor authentication (MFA) required for all human access. Service accounts use short-lived tokens with automatic rotation. All access decisions are logged and auditable.

04


Network Security

Production infrastructure operates in isolated VPCs with no direct internet ingress. API traffic enters through a hardened API gateway with rate limiting, DDoS protection, and web application firewall rules. Internal traffic is segmented by sensitivity classification.

05


Input Validation

All customer inputs are validated, sanitized, and classified before processing. Injection attacks, prompt manipulation, and data exfiltration attempts are detected and blocked at the API layer. Suspicious patterns trigger automatic security alerts.

06


Output Filtering

Model outputs pass through safety classifiers before delivery. Content that violates usage policies, contains PII leakage, or exhibits hallucination patterns is flagged, filtered, or blocked depending on the customer's configuration.

Data Residency Deep-Dive


Data residency at Otonomii is not a marketing claim — it is an architecturally enforced guarantee. When a customer selects a data residency region, all four categories of data are bound to that region: raw inputs, processed outputs, learned patterns, and trained model artifacts. No automated process, optimization routine, or operational procedure can cause data to leave its designated region.



Inputs

Customer-submitted data (prompts, documents, records) is received by the regional API endpoint, validated, and stored in the designated region. If a request arrives at a non-designated endpoint, it is rejected — not redirected.


Outputs

All generated responses, decisions, and predictions are computed and stored in the same region as the inputs that produced them. Output caches, logs, and analytics are region-bound.


Patterns

Intermediate representations, embeddings, attention patterns, and derived features remain in the designated region. These artifacts often contain more information than the raw data and are treated with equal or greater protection.


Model Artifacts

Fine-tuned models, adapter weights, and learned parameters created from customer data are stored exclusively in the customer's designated region. Model artifacts are encrypted with customer-specific keys.


Data-at-Rest Protections

All data at rest is encrypted using AES-256-GCM with keys managed through the cloud provider's HSM-backed key management service (AWS KMS, GCP Cloud KMS, Azure Key Vault). Customers may elect to use customer-managed encryption keys (CMEK), in which case Otonomii never has access to the plaintext key material. Key rotation occurs automatically on a configurable schedule. Deletion requests trigger cryptographic erasure — the encryption key is destroyed, rendering the data permanently unrecoverable even if physical media is not immediately wiped.
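The cryptographic-erasure step described above (and relied on again under Data Deletion in the DPA summary) is the part of the data-at-rest design worth seeing in working code. The Go program below is an added illustration, not Otonomii's code: an in-memory map stands in for the HSM-backed key management service, each record is sealed with AES-256-GCM under a per-tenant key with the tenant name bound as associated data, and erasing the key leaves every ciphertext byte in place but unrecoverable. The names (KeyStore, Seal, Open, Erase, ErrKeyErased) and the sample record are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrKeyErased is returned once a tenant's key has been destroyed: the
// ciphertext may still sit on disk or in a backup, but nothing can open it.
var ErrKeyErased = errors.New("tenant key destroyed: data is cryptographically erased")

// KeyStore stands in for an HSM-backed KMS (assumption for this example:
// keys live in a map; a real KMS would never release them to the caller).
type KeyStore struct {
	keys map[string][]byte
}

func NewKeyStore() *KeyStore { return &KeyStore{keys: map[string][]byte{}} }

// Provision generates a fresh 256-bit AES key for a tenant.
func (ks *KeyStore) Provision(tenant string) error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	ks.keys[tenant] = k
	return nil
}

// Erase performs cryptographic erasure: the key is zeroed and dropped, so every
// record sealed under it becomes unrecoverable without touching the media.
func (ks *KeyStore) Erase(tenant string) {
	if k, ok := ks.keys[tenant]; ok {
		for i := range k {
			k[i] = 0
		}
		delete(ks.keys, tenant)
	}
}

func (ks *KeyStore) aead(tenant string) (cipher.AEAD, error) {
	k, ok := ks.keys[tenant]
	if !ok {
		return nil, ErrKeyErased
	}
	block, err := aes.NewCipher(k) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a record with AES-256-GCM. Output layout: nonce || ciphertext || tag.
// The tenant name is bound as associated data, so a record cannot be opened under
// another tenant's key even while that key still exists.
func (ks *KeyStore) Seal(tenant string, plaintext []byte) ([]byte, error) {
	g, err := ks.aead(tenant)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, []byte(tenant)), nil
}

// Open decrypts a record produced by Seal and verifies its authentication tag.
func (ks *KeyStore) Open(tenant string, record []byte) ([]byte, error) {
	g, err := ks.aead(tenant)
	if err != nil {
		return nil, err
	}
	n := g.NonceSize()
	if len(record) < n+g.Overhead() {
		return nil, errors.New("record too short")
	}
	return g.Open(nil, record[:n], record[n:], []byte(tenant))
}

func main() {
	ks := NewKeyStore()
	_ = ks.Provision("tenant-a")
	// Constructed sample record, not real patient data.
	rec, _ := ks.Seal("tenant-a", []byte("patient 42, diagnosis J18.9"))
	pt, _ := ks.Open("tenant-a", rec)
	fmt.Printf("before erasure: %q\n", pt)
	ks.Erase("tenant-a")
	_, err := ks.Open("tenant-a", rec)
	fmt.Printf("after erasure (%d ciphertext bytes still present): %v\n", len(rec), err)
}
```

The design point is that deletion is a key-management operation, not a storage operation: backups and replicas that still hold the sealed bytes are covered by the same erasure, which is what makes the 90-day backup purge window in the DPA tolerable from a confidentiality standpoint.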

Data-in-Transit Protections

All data in transit between customer systems and Otonomii endpoints is encrypted using TLS 1.3. Certificate pinning is available for customers requiring additional transport security. Within the platform, all inter-service communication uses mutual TLS with certificates issued by an internal certificate authority. Traffic between availability zones within a region is encrypted. No data traverses the public internet between internal services, even when those services reside in different availability zones.

Inference Residency


Inference residency controls where Otonomii processes requests and generates decisions. This is distinct from data residency — even if data is stored in the correct region, processing that data in a different jurisdiction can violate sovereignty requirements. Otonomii guarantees that compute stays in the designated jurisdiction.

When a customer configures inference residency for a specific region, all model loading, token generation, and post-processing occurs on compute resources physically located in that region. The inference pipeline does not fan out to other regions for load balancing, failover, or optimization purposes unless the customer has explicitly configured multi-region inference with approved region pairs.


Latency Considerations

Regional inference introduces latency tradeoffs. Customers in the same geographic area as their inference region experience optimal latency (typically 20-50ms for API calls, excluding model inference time). Cross-continental requests may experience 100-300ms additional latency. For latency-sensitive applications, Otonomii recommends selecting the inference region closest to the majority of end users, or configuring multi-region inference with geographic routing. Dedicated inference endpoints with reserved capacity are available for customers requiring consistent sub-100ms response times.

Certification Details





SOC 2 Type II

Certified

Security, Availability, Confidentiality, Processing Integrity

SOC 2 Type II audits evaluate the design and operating effectiveness of controls over an extended period (minimum 6 months). Otonomii's SOC 2 covers all four trust service criteria relevant to enterprise AI: Security (protection against unauthorized access to systems and data), Availability (system uptime and performance commitments), Confidentiality (protection of information designated as confidential), and Processing Integrity (system processing is complete, valid, accurate, timely, and authorized). The audit is conducted annually by an independent CPA firm. Reports are available to customers and prospects under NDA.

Auditor: Independent CPA firm (Big Four affiliated)
Cycle: Annual audit, continuous monitoring




ISO 27001

Certified

Information Security Management System (ISMS)

ISO 27001 certification covers Otonomii's entire Information Security Management System, including risk assessment methodology, control implementation, internal audit program, and management review processes. The ISMS scope encompasses all production infrastructure, development environments, corporate IT, physical facilities, and personnel security. Annex A controls are implemented across 14 domains: information security policies, organization of information security, human resource security, asset management, access control, cryptography, physical and environmental security, operations security, communications security, system acquisition and development, supplier relationships, incident management, business continuity, and compliance.

Auditor: Accredited ISO certification body
Cycle: 3-year certification cycle with annual surveillance audits




GDPR

Compliant

Full data subject rights, DPA, Standard Contractual Clauses

Otonomii implements all data subject rights under the General Data Protection Regulation: right of access (Article 15), right to rectification (Article 16), right to erasure (Article 17), right to restriction of processing (Article 18), right to data portability (Article 20), and right to object (Article 21). Data Processing Agreements (DPAs) are executed with all customers processing EU personal data. For international transfers, Otonomii relies on European Commission-approved Standard Contractual Clauses (SCCs) supplemented by transfer impact assessments. A Data Protection Officer (DPO) is appointed and accessible at dpo@otonomii.com. Data Protection Impact Assessments (DPIAs) are conducted for high-risk processing activities.

Auditor: Internal DPO with external legal review
Cycle: Continuous compliance with annual DPIA reviews




CCPA / CPRA

Compliant

Consumer rights, opt-out, data broker registration

Otonomii complies with the California Consumer Privacy Act as amended by the California Privacy Rights Act. Consumers have the right to know what personal information is collected, the right to delete personal information, the right to opt out of the sale or sharing of personal information, the right to correct inaccurate personal information, and the right to limit the use and disclosure of sensitive personal information. Otonomii does not sell personal information. Service provider agreements include CCPA-required contractual provisions. Privacy notices are updated to reflect CPRA requirements including automated decision-making disclosures.

Auditor: External privacy counsel
Cycle: Annual review aligned with regulatory updates




HIPAA

Ready

PHI handling, BAA, technical and administrative safeguards

Otonomii provides HIPAA-ready environments for customers who process Protected Health Information (PHI). Business Associate Agreements (BAAs) are executed prior to any PHI processing. Technical safeguards include AES-256 encryption at rest, TLS 1.3 in transit, unique user identification, automatic logoff, and audit controls that log all access to PHI. Administrative safeguards include workforce training, access management procedures, contingency planning, and security incident procedures. Physical safeguards are addressed through cloud provider certifications (AWS, GCP, Azure all maintain independent HIPAA compliance). Breach notification procedures align with the HITECH Act 60-day notification window.

Auditor: Third-party HIPAA assessor
Cycle: Annual risk assessment and gap analysis




PCI DSS

Certified

Payment card data handling, network segmentation, access controls

For customers processing payment card data through Otonomii, the platform maintains PCI DSS Level 1 compliance. This covers all 12 requirements: firewall configuration, vendor-supplied defaults elimination, stored cardholder data protection, encrypted transmission across open networks, anti-virus maintenance, secure system development, need-to-know access restriction, unique ID assignment, physical access restriction, network monitoring and testing, security policy maintenance, and regular testing of security systems and processes. Payment data is tokenized at the point of entry and never stored in cleartext. Network segmentation isolates cardholder data environments from general processing.

Auditor: Qualified Security Assessor (QSA)
Cycle: Annual assessment with quarterly ASV scans




CSA STAR

Certified

Cloud security, shared responsibility, CCM controls

Cloud Security Alliance STAR certification validates Otonomii's cloud security posture against the Cloud Controls Matrix (CCM). The assessment covers 17 domains: application and interface security, audit assurance, business continuity, change control, data security, datacenter security, encryption, governance, human resources, identity and access management, infrastructure and virtualization, interoperability, mobile security, security incident management, supply chain, threat and vulnerability management, and compliance. The STAR registry entry is publicly available, providing transparency to customers evaluating Otonomii's cloud security maturity.

Auditor: CSA-authorized auditor
Cycle: Annual certification renewal




SEC Rule 17a-4

Compliant

Records retention for broker-dealers, immutable audit trails

SEC Rule 17a-4 requires broker-dealers to preserve certain records in a non-rewriteable, non-erasable format (WORM). Otonomii's audit trail infrastructure satisfies this requirement through append-only log storage with cryptographic integrity verification. All communications, trade decisions, model outputs, and system events are retained for the required periods: 6 years for general business records, 3 years for supplementary records, with the first 2 years in an easily accessible location. Records are indexed and searchable to facilitate regulatory examinations. The retention system has been independently validated for compliance with FINRA Rule 4511 and SEC Rule 17a-3/4.
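The "append-only log storage with cryptographic integrity verification" mentioned above is the piece an examiner or auditor would actually test, so here is an added Go example of the pattern, not Otonomii's code. Each audit entry carries the SHA-256 hash of its own canonical JSON form including the previous entry's hash, so editing, deleting or reordering any record breaks the chain from that point forward and Verify reports the first bad index. The type and function names (Entry, AuditLog, Append, VerifyChain) and the sample trading events are assumptions for the example; in a real WORM deployment the chain sits on top of object-locked or append-only storage rather than an in-memory slice.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// genesis is the PrevHash of the first entry: 64 hex zeros.
var genesis = strings.Repeat("0", 64)

// Entry is one audit record. Hash covers every other field, including PrevHash,
// so changing, removing or reordering any earlier record breaks the chain from
// that point on.
type Entry struct {
	Seq      uint64 `json:"seq"`
	Time     string `json:"time"` // RFC 3339 UTC timestamp supplied by the caller
	Actor    string `json:"actor"`
	Event    string `json:"event"`
	PrevHash string `json:"prev"`
	Hash     string `json:"hash"`
}

// AuditLog exposes a single write path (Append) and no update or delete.
type AuditLog struct {
	entries []Entry
}

// hashEntry hashes the canonical JSON form of the entry with its Hash field cleared.
func hashEntry(e Entry) string {
	e.Hash = ""
	b, err := json.Marshal(e)
	if err != nil {
		panic(err) // cannot happen for a struct of plain strings and integers
	}
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Append links the new record to the previous hash and never touches earlier entries.
func (l *AuditLog) Append(ts, actor, event string) Entry {
	prev := genesis
	if n := len(l.entries); n > 0 {
		prev = l.entries[n-1].Hash
	}
	e := Entry{Seq: uint64(len(l.entries)), Time: ts, Actor: actor, Event: event, PrevHash: prev}
	e.Hash = hashEntry(e)
	l.entries = append(l.entries, e)
	return e
}

// Entries returns a copy for export or examination; the log itself cannot be
// mutated through the returned slice.
func (l *AuditLog) Entries() []Entry {
	out := make([]Entry, len(l.entries))
	copy(out, l.entries)
	return out
}

// VerifyChain recomputes every hash and link. It returns -1 when the chain is
// intact, otherwise the index of the first entry that fails verification.
func VerifyChain(entries []Entry) int {
	prev := genesis
	for i, e := range entries {
		if e.Seq != uint64(i) || e.PrevHash != prev || hashEntry(e) != e.Hash {
			return i
		}
		prev = e.Hash
	}
	return -1
}

func (l *AuditLog) Verify() int { return VerifyChain(l.entries) }

func main() {
	var al AuditLog
	// Constructed sample events, not real trading data.
	al.Append("2024-03-01T14:00:00Z", "svc-execution", "order.submitted id=1001 qty=500")
	al.Append("2024-03-01T14:00:01Z", "svc-execution", "order.filled id=1001 px=101.25")
	al.Append("2024-03-01T14:05:00Z", "analyst-7", "report.viewed id=1001")
	fmt.Println("intact log, first broken index:", al.Verify())

	tampered := al.Entries()
	tampered[1].Event = "order.cancelled id=1001"
	fmt.Println("edited record, first broken index:", VerifyChain(tampered))
}
```

A hash chain proves that the records an examiner is shown are the records that were written, in order; it does not by itself prevent someone with write access from truncating the tail and re-appending. Anchoring the latest hash periodically into an independent system (a separate timestamping service or a second storage account the log writer cannot reach) closes that gap and is what an independent validation of the retention system would look for.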

Auditor: Independent technology assessor with SEC familiarity
Cycle: Annual validation with continuous monitoring

Audit Process


Customers have the right to verify Otonomii's compliance posture through multiple mechanisms. Transparency is foundational to trust, and we provide several pathways for customers to gain assurance.


01


Self-Service Audit Reports

SOC 2 Type II reports, ISO 27001 certificates, penetration test summaries, and CSA STAR questionnaires are available through the customer trust portal. Enterprise customers receive automatic notifications when new reports are published.

02


Customer-Initiated Audits

Enterprise customers may conduct their own audits of Otonomii's systems, processes, and controls. Audit requests are submitted through the account team and scheduled within 30 business days. Otonomii provides a dedicated audit liaison, access to relevant personnel, and a secure document room for evidence review.

03


Third-Party Audit Reports

In addition to SOC 2 and ISO 27001, Otonomii commissions annual penetration tests by independent security firms, red team exercises, and supply chain security assessments. Summaries of these reports are available to customers under NDA. Full reports are available to customers in regulated industries upon request.

04


Continuous Compliance Monitoring

Otonomii operates a continuous compliance monitoring program that tracks control effectiveness in real time. Deviations from expected control behavior trigger automated alerts and remediation workflows. Customers with compliance dashboard access can view control status, recent findings, and remediation timelines.

05


Regulatory Examination Support

When customers face regulatory examinations, Otonomii provides direct support including document production, technical explanations, and if needed, direct engagement with examiners. We have experience supporting examinations by SEC, OCC, FDIC, state banking regulators, and EU data protection authorities.

Data Processing Agreement Summary


Otonomii's Data Processing Agreement governs how customer personal data is processed when Otonomii acts as a data processor on behalf of the customer (data controller). The DPA is incorporated into the enterprise service agreement by reference and complies with GDPR Article 28 requirements.



Processing Purpose

Customer personal data is processed solely for the purpose of providing the contracted services. No secondary use, no model training on customer data, no profiling beyond what the customer explicitly configures.


Sub-Processors

Otonomii maintains a list of approved sub-processors (cloud infrastructure providers, CDN, monitoring tools). Customers are notified at least 30 days before any new sub-processor is engaged. Customers may object to a new sub-processor; if the objection cannot be resolved, the customer may terminate the affected services without penalty.


Data Deletion

Upon contract termination or customer request, all customer personal data is deleted within 30 days. Deletion is confirmed in writing. Backup copies are purged within 90 days of the deletion request. Cryptographic erasure is used where immediate physical deletion is not feasible.


International Transfers

If personal data is transferred outside the EEA, the transfer is protected by Standard Contractual Clauses (SCCs) adopted by the European Commission. Transfer Impact Assessments are conducted and documented for each transfer destination.


Security Measures

The DPA references Otonomii's Technical and Organizational Measures (TOMs) document, which details encryption standards, access controls, incident response procedures, business continuity plans, and personnel security requirements.


Breach Notification

Otonomii will notify the customer of any personal data breach without undue delay and in any event within 72 hours of becoming aware of the breach. Notification includes the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken to address the breach.


Audit Rights

The customer has the right to audit Otonomii's compliance with the DPA. Otonomii will contribute to audits by providing access to relevant information, systems, and personnel. Audits may be conducted by the customer or a mandated third-party auditor.


The full Data Processing Agreement is available for review during the enterprise sales process. Customers may request a copy at any time by contacting privacy@otonomii.com or their account representative.