Quantify ROI from co-managed network services including monitoring, incident response, and lifecycle management savings.
Learn More →
Aegis InsightOps Secure / Trust & Security
Your data never leaves your tenancy. Our architecture is built around that.
The Secure platform is designed from the data plane outward. Your telemetry stays in your AWS environment, private AI inference runs against your data only, and every action is logged, scoped, and auditable.
Data plane
Your AWS tenancy
AI inference
Private, no training
Identity
Your IdP, your RBAC
Attestation
SOC 2 in progress
Where your data lives
The data plane is in your tenancy. Not ours.
Aegis InsightOps Secure uses a hybrid architecture. The intelligence layer runs in IVI's AWS control plane. Your telemetry, prompts, and query results live in your AWS tenancy and never leave it. Cross-account communication uses AWS PrivateLink; there is no public internet exposure for your data.
Your AWS tenancy (data plane)
- Your security telemetry, at rest in your accounts
- Cribl normalization workers you control
- OpenSearch indices encrypted with your KMS keys
- Audit logs written to your write-only S3 bucket
- All prompts, queries, and model responses
AWS PrivateLink
No public internet
IVI AWS control plane
- Authentication and RBAC orchestration
- Platform configuration and tenant metadata
- Integration templates and connector library
- Aegis engineer access via break-glass workflow
- No customer telemetry, ever
How AI is used, and how it isn't
Private inference on Amazon Bedrock. No training on your data.
The language model behind Secure runs on Amazon Bedrock within the AWS service boundary. Every contractual and technical guarantee Bedrock provides about data handling is inherited by Secure.
01
No customer data trains any model.
Bedrock's data handling contract prohibits training on customer inputs or outputs. Your prompts, queries, and response content are not used to improve the underlying foundation models. This is contractual with AWS, not just a Secure setting.
02
Inference runs in your region.
Bedrock requests are routed to the AWS region you specify during onboarding. Your queries and your data never traverse regions you haven't approved. Cross-region inference is off by default.
03
Guardrails filter PII and sensitive content.
Bedrock Guardrails run between your application and the model, redacting or blocking PII, financial identifiers, and other sensitive patterns before they reach the model. Guardrails are configurable per customer during deployment.
04
Prompts and responses stay yours.
Every prompt submitted and every response generated is logged to audit storage in your tenancy. The logs are queryable by your team and never exposed to other tenants. IVI engineers cannot access them without a break-glass workflow you approve.
Identity and access
Your IdP, your RBAC, your audit trail.
Secure does not issue user accounts. Every person who touches the platform does so through your identity provider. Every query is attributable to a named user. Every access is logged.
-
Federation with your IdPSAML 2.0 and OIDC federation with Okta, Microsoft Entra ID, Ping, and any standards-compliant IdP. We do not issue local accounts. If an employee leaves your organization, their access to Secure terminates the moment you disable them in your IdP.
-
RBAC mirrors your organizationSecure inherits your group membership, role assignments, and access policies. Your security team can see security data. Your IT team can see IT data. Your SOC analysts see what their role permits. Nothing bleeds across.
-
Named-user attributionEvery query, every investigation, every action is attributed to a specific identity. Audit logs capture who asked what, when, and what they received in response. No service accounts run queries on behalf of users.
-
Break-glass access for Aegis engineersIVI engineers do not have standing access to your environment. When operational work requires access, a time-bound role is assumed through a break-glass workflow with your approval. Every session is recorded end to end, and the recording is yours.
-
Audit log immutabilityAudit logs are written to an S3 bucket in your tenancy configured as write-only and object-lock enabled. Logs cannot be modified or deleted by either IVI or your own operators for the retention period you define.
Compliance and attestations
Honest about where we are, and what we inherit.
Secure is a newer service. We are deliberate about what we can and cannot claim, and we document the infrastructure-layer attestations we inherit from AWS separately from the service-layer attestations we are pursuing ourselves.
Inherited from AWS
Infrastructure-layer attestations
Because Secure runs entirely on AWS (Bedrock, OpenSearch, Aurora, S3, EKS, and related services), it inherits AWS's infrastructure-layer attestations. These cover physical security, datacenter operations, and AWS service-level controls.
- SOC 1 Type II, SOC 2 Type II, SOC 3
- ISO 27001, ISO 27017, ISO 27018, ISO 27701
- PCI DSS Level 1
- HITRUST CSF
- FedRAMP Moderate and High (where AWS region supports)
- HIPAA-eligible services under AWS BAA
AWS attestation documentation is available through AWS Artifact under your own AWS account.
IVI service-layer
Our own attestations
IVI is pursuing a SOC 2 Type II attestation that covers the Aegis platform controls specific to IVI: personnel access, change management, customer onboarding and offboarding, incident response, and tenant isolation.
- SOC 2 Type II: in progress
- HITRUST CSF: architecture-aligned (not certified)
- NIST CSF: aligned control framework
- Evidence package available under NDA during procurement review
We will not claim attestations we don't hold. If a control is specifically required for your buying decision, ask during the assessment and we will tell you straight where we sit.
Healthcare customers
HITRUST-aligned architecture for healthcare environments
Secure's architecture is designed to be deployable within a HITRUST CSF-aligned environment using HIPAA-eligible AWS services under your existing AWS BAA. IVI does not currently execute its own BAA as a service provider; customers who require a direct BAA with IVI should raise this during the assessment so we can scope the engagement accordingly.
Data handling
What we store, where we store it, and how long.
Our goal is that nothing about data handling should be a surprise. If the answer to any of the questions below is not what you need, tell us during the assessment and we will scope accordingly.
Security telemetry
Stored in your AWS tenancy. Encrypted at rest using KMS keys you own. Never leaves your accounts.
Prompts and model responses
Stored in your tenancy audit log. Not used for training. Accessible to you, not to IVI without a break-glass request.
Platform metadata
Tenant configuration, integration settings, and RBAC mappings are stored in the IVI control plane. No customer telemetry. Replicated across availability zones.
Encryption in transit
TLS 1.3 for all external connections. AWS PrivateLink for cross-account traffic. Zero public internet exposure for customer telemetry.
Encryption at rest
AWS KMS customer-managed keys per tenant. You hold the key material, you control rotation, you can revoke access.
Data retention
Configurable per customer. Hot, warm, and cold tier retention are set during the assessment based on your compliance requirements. No published defaults; this is a conversation.
Deletion on offboarding
Terminating the service removes IVI control-plane metadata within 30 days. Your data in your tenancy is yours to retain or delete per your own policy; the service has no ability to reach in after offboarding.
Backups
Operational backups of platform metadata are retained for disaster recovery per AWS best practice. No customer telemetry in IVI backups.
Operational security
How Aegis engineers operate. How IVI operates.
A managed service is only as secure as the team operating it. We treat our own operational posture with the same rigor we expect of our customers.
-
Personnel vettingBackground checks for every engineer with potential access to customer environments. Annual security training. Non-disclosure obligations in employment contracts.
-
Change managementInfrastructure changes flow through IaC pull requests with peer review. Production deployments require approval from a second engineer. Emergency change procedures are documented and audited.
-
Vulnerability managementContinuous scanning of IVI platform images and dependencies. Critical vulnerabilities patched within contractual SLAs. Penetration testing by an independent third party on a regular cadence.
-
Incident response24/7 monitoring of the Aegis control plane. Customer notification for incidents affecting service availability or data handling within 72 hours, consistent with common breach-notification norms. Post-incident reports delivered to affected customers.
-
Access to customer environmentsNo standing access. Every engineer session into a customer environment is initiated through a break-glass workflow, authenticated through customer SSO, time-bound, and session-recorded. Recordings are retained per customer retention policy.
Subprocessors
Two named subprocessors. Full list in the DPA.
Secure uses a small number of named subprocessors to deliver the service. The two foundational ones are named publicly here. The full subprocessor inventory, including any that support operational tooling, is maintained in our Data Processing Addendum available during procurement review.
Amazon Web Services (AWS)
Infrastructure, AI inference, data storage
AWS is the cloud platform under Secure. Bedrock provides AI inference, OpenSearch and S3 provide data storage, and AWS Organizations provides tenant isolation. Data stays in the AWS region you select.
Cribl
Data normalization and routing
Cribl Stream is the data pipeline that normalizes security telemetry before it enters the intelligence layer. Cribl workers run within your AWS tenancy; Cribl the company does not receive your data.
Changes to the subprocessor list trigger advance notice per the Data Processing Addendum. Customers may object to material changes within the notice period.
Questions security teams ask
The things TPRM, GRC, and CISO teams raise during review.
Where does the AI model physically run? +
Amazon Bedrock, in the AWS region you specify during onboarding. The model is not deployed on IVI infrastructure; it's an AWS-managed service that runs in your selected region. Cross-region inference is off by default.
Who has access to our prompts and queries? +
Only your users, through your IdP. Prompts and responses are logged to audit storage in your AWS tenancy. IVI engineers cannot read them without a break-glass workflow that requires your approval and records the full session.
Do your engineers have standing access to our environment? +
No. Every engineer session into a customer environment is initiated through a break-glass workflow with your approval, authenticated through your SSO, time-bound, and session-recorded. No always-on access, ever.
Can we run Secure in GovCloud or another isolated region? +
Secure deploys into the AWS region family you specify. GovCloud-specific deployment is possible where AWS Bedrock and the other required services are available, subject to scoping. Raise the requirement during the assessment and we will confirm feasibility for your specific region and compliance scope.
What happens to our data if we terminate the service? +
Your data stays where it always was: in your AWS tenancy. Terminating Secure removes IVI's control-plane access within 30 days and deletes IVI-side metadata. The telemetry, logs, and audit records in your tenancy are yours to retain or delete per your own policies; IVI has no ability to touch them after offboarding.
Is customer data used to train AI models? +
No. AWS Bedrock's data handling contract prohibits training on customer inputs or outputs. Your prompts, queries, and model responses are not used to train foundation models. This is a contractual guarantee from AWS, not an IVI setting that could change.
Do you have a SOC 2 report? +
IVI's SOC 2 Type II attestation for the Aegis platform is in progress. AWS's SOC 2 Type II covers the infrastructure layer and is available through AWS Artifact under your own AWS account. During procurement review, we provide our current evidence package under NDA and discuss attestation timelines if they are material to your decision.
Can we get a DPA, BAA, or other data-specific agreement? +
DPA: yes, available during procurement review. BAA: we do not currently execute our own BAA as a service provider. The Secure architecture is designed to be deployable within HIPAA-eligible AWS services under your existing AWS BAA; the implementation pattern is scoped during the assessment. Customers who require a direct BAA with IVI should raise this during scoping so we can address it before SOW.
What is your breach notification SLA? +
Customer notification for security incidents affecting data handling or confidentiality within 72 hours of verified detection, consistent with common breach-notification norms. Faster notification for customers subject to regulatory regimes that require shorter windows (e.g., New York DFS, HIPAA in certain scenarios) can be contractually agreed during scoping.
Do you perform penetration testing? +
Independent third-party penetration testing of the Aegis platform on a regular cadence. Summary results available under NDA during procurement review. Customer-specific penetration testing of their tenant (e.g., to satisfy internal security requirements) is accommodated under a pre-notified testing window.
Request documentation
Evaluating Secure? Here is what we can share.
This form routes to our security and trust operations. If you are in the middle of procurement review, TPRM assessment, or vendor intake, tell us what you need and we will get back within one business day with what we can share under NDA.
- Data Processing Addendum (DPA)
- Current security and compliance evidence package under NDA
- Architecture diagrams and data flow documentation
- Subprocessor inventory and change policy
- Answers to your standard TPRM or CAIQ questionnaire
Resource Directory
78 resources
Featured Resources
Identify network security gaps across 8 critical domains using a structured 26-question assessment framework.
Network Security
Read Guide →
All Resources
Network Security
Learn More →
Connect your security tools to InsightOps Secure for unified visibility and faster threat investigation across your entire infrastructure.
Network Security
integrations
security tools
Learn More →
Understand data residency, AI governance, and AWS compliance inheritance for enterprise security assurance.
Network Security
data-security
compliance
Learn More →
Master enterprise IT documentation standards to ensure technical accuracy, consistency, and clarity across your organization.
Managed Services
documentation
quality assurance
Read Guide →
Deploy sub-second DDoS mitigation with always-on inline protection and real-time attack response without cloud latency.
Network Security
DDoS Protection
Network Security
Learn More →
Detect and neutralize DDoS attacks in milliseconds with integrated edge defense and real-time network posture visibility.
Network Security
DDoS mitigation
edge security
Learn More →
Discover which IT operations model—co-managed, fully managed, or in-house—aligns with your infrastructure needs and budget.
Managed Services
IT operations
managed services
Read Guide →
Secure remote application access with integrated data loss prevention and session recording for enterprise compliance.
Network Security
Prisma Access
Browser Security
Learn More →
Protect corporate data by isolating web content execution from endpoints and enforcing session-level security controls.
Network Security
browser isolation
endpoint protection
Learn More →
Secure BYOD and contractor access to corporate applications without device management or agent installation.
Network Security
browser isolation
zero trust
Learn More →
Learn how to evaluate and select enterprise secure browser platforms that align with your architecture and user needs.
Network Security
secure browser
enterprise security
Read Guide →
Deploy and migrate Palo Alto NGFWs efficiently with expert managed services and Panorama optimization.
Network Security
Palo Alto Networks
NGFW
Learn More →
Implement distributed micro-segmentation to eliminate lateral movement and enforce zero trust principles across your data center infrastructure.
Network Security
micro-segmentation
zero-trust
Learn More →
Achieve sub-second DDoS protection with inline mitigation that blocks attacks in milliseconds without cloud latency.
Network Security
DDoS mitigation
network security
Learn More →
Design and validate resilient networks with failover strategies and recovery procedures to minimize downtime and protect business continuity.
Managed Services
network resilience
business continuity
Learn More →
Centralize firewall management across your entire infrastructure with unified policy control and streamlined operations.
Network Security
Palo Alto Networks
Panorama
Learn More →
Minimize downtime and security risks with proactive incident response and automated IT remediation services.
Managed Services
incident response
IT remediation
Learn More →
Simplify network management and reduce operational complexity with fully managed, scalable network services.
Managed Services
NaaS
managed networking
Learn More →
Ensure patient safety through reliable, secure IT infrastructure purpose-built for healthcare compliance and operational continuity.
Managed Services
healthcare
network reliability
Learn More →
Achieve secure, compliant IT infrastructure with automated operations tailored for regulated financial environments.
Managed Services
financial services
compliance automation
Learn More →
Achieve manufacturing uptime and OT/IT convergence with engineering-grade network infrastructure and managed operations.
Managed Services
manufacturing
OT/IT convergence
Learn More →
Detect lateral movement and insider threats with real-time network traffic analysis and integrated SecOps response.
Network Security
threat detection
network visibility
Learn More →
Deploy integrated cybersecurity defenses including firewalls, NAC, NDR, and SASE to protect your enterprise from advanced threats.
Network Security
Firewalls
SASE
Learn More →
Deploy integrated cybersecurity defenses including firewalls, NAC, NDR, and SASE to strengthen enterprise threat protection.
Network Security
Firewalls
SASE
Learn More →
Minimize security risks and ensure compliance by automating infrastructure software lifecycle management and critical patch deployment.
Managed Services
lifecycle management
patch management
Learn More →
Minimize downtime with real-time incident response, automated triage, and rapid remediation powered by intelligent monitoring and escalation.
Managed Services
incident response
infrastructure monitoring
Learn More →
Discover full-stack IT solutions combining hardware, software, design, and lifecycle management with expert professional support.
Managed Services
managed IT services
full-stack solutions
Learn More →
Unify your security defenses with next-generation firewalls, cloud-native protection, and centralized threat detection.
Network Security
NGFW
XDR
Learn More →
Enhance your infrastructure with US-based co-managed IT services that complement your team and automate operations 24/7.
Managed Services
co-managed services
IT automation
Learn More →
Discover how co-managed enterprise IT solutions deliver infrastructure, cloud, and observability with control and scale.
Managed Services
enterprise IT
co-managed services
Learn More →
Learn how NDR detects hidden threats, closes visibility gaps, and strengthens your security posture alongside EDR and SIEM.
Network Security
network detection and response
threat detection
Read Guide →
Learn the essential qualities that distinguish top consulting firms and drive measurable business outcomes.
Managed Services
consulting
business strategy
Read Article →
Master Cloud Privileged Access Management to secure modern enterprise infrastructure with zero-trust principles and just-in-time access.
Network Security
privileged access management
cloud security
Read Guide →
Identify and stop threats in real-time with advanced network traffic analysis and integrated security operations.
Network Security
threat detection
network security
Learn More →
Discover how managed network services enhance security, reduce costs, and streamline IT operations for enterprise organizations.
Managed Services
managed services
network management
Learn More →
Leverage architecture and advisory services to design confident infrastructure solutions delivering measurable business value.
Managed Services
architecture services
advisory consulting
Learn More →
Discover how professional IT services drive productivity, security, and sustainable business growth for modern organizations.
Managed Services
IT support
business productivity
Read Guide →
Eliminate firewall policy risks and align your security posture with Zero Trust and compliance standards through expert assessment.
Network Security
firewall audit
security policy
Learn More →
Optimize your Palo Alto Networks deployment with expert management and maximize security infrastructure performance.
Network Security
Palo Alto Networks
NGFW
Learn More →
Accelerate network modernization and cloud transformation with expert engineering services tailored to your infrastructure needs.
Managed Services
professional services
network modernization
Learn More →
Discover how AEGIS NaaS delivers secure, fully managed branch networks built on Arista and Cato platforms.
Managed Services
Network as a Service
Branch Networking
Learn More →
Discover how expert IT consulting transforms your technology strategy and accelerates business growth through tailored solutions.
Managed Services
IT strategy
consulting services
Learn More →
Identify key qualities and evaluation criteria to select the right technology consulting partner for your organization's needs.
Managed Services
consulting
vendor selection
Read Guide →
Implement Zero Trust security through automated network segmentation and policy enforcement across hybrid cloud environments.
Network Security
Zero Trust
Network Segmentation
Learn More →
Proactively manage infrastructure software lifecycles and eliminate CVE vulnerabilities with expert patch guidance.
Managed Services
lifecycle management
patch management
Learn More →
Deploy Palo Alto Networks security solutions on AWS to protect cloud infrastructure with NGFWs, Prisma Cloud, and managed expertise.
Network Security
AWS Security
Cloud Protection
Learn More →
Seamlessly migrate to modern firewalls with Zero Trust alignment and expert-led policy transformation minimizing business risk.
Network Security
firewall migration
Zero Trust
Learn More →
Discover integrated solutions for customer experience, infrastructure automation, and cloud operations tailored to your business needs.
Managed Services
Amazon Connect
Cloud Operations
Learn More →
Discover how integrated IT services and solutions drive operational efficiency, cost savings, and strategic business alignment.
Managed Services
IT services
managed services
Learn More →
Discover what MSPs do, how they differ by type, and which managed services model fits your organization's needs.
Managed Services
MSP definition
managed IT services
Read Guide →
Simplify network operations with fully managed branch and campus networking, integrated security, and observability delivered as a service.
Managed Services
NaaS
managed networking
Learn More →
Optimize technology spending with flexible financial solutions that align IT investments to your budget constraints.
Managed Services
IT financing
technology budgeting
Learn More →
Discover how Arista DMF and AI-driven NDR deliver pervasive East-West visibility and intelligent defense for zero trust data center security.
Network Security
Zero Trust
Data Center Security
Learn More →
Master Cloud Privileged Access Management fundamentals to secure your cloud infrastructure against unauthorized access threats.
Network Security
CPAM
Cloud Security
Read Guide →
Align IT strategy with business goals through expert advisory services that clarify complex technology decisions.
Managed Services
IT Strategy
Technology Advisory
Learn More →
Master cloud privileged access management by understanding the 7 critical challenges and proven CPAM solutions that protect your infrastructure.
Network Security
Cloud Security
Privileged Access Management
Read Guide →
Optimize infrastructure visibility and incident response with co-managed IT services tailored to your enterprise complexity.
Managed Services
co-managed services
infrastructure observability
Learn More →
Detect and respond to network threats in real-time with identity-aware security enforcement across hybrid cloud environments.
Network Security
threat detection
zero trust
Learn More →
Discover how modern out-of-band management platforms eliminate legacy security vulnerabilities in remote infrastructure access.
Network Security
out-of-band management
network security
Read Article →
Discover how unified IAM with SSO and Zero Trust principles secures hybrid infrastructure across multiple platforms.
Network Security
Identity & Access Management
Zero Trust
Read Article →
Deploy Cloud Privileged Access Management smoothly with a proven framework that minimizes operational disruption and accelerates Zero Trust adoption.
Network Security
CPAM
Cloud Security
Read Article →
Achieve flexible co-managed IT operations with integrated visibility, incident response, and lifecycle management across your entire infrastructure.
Managed Services
co-managed services
operating model
Learn More →
Implement zero-trust network access control with Arista Agni to secure hybrid environments while managing complexity effectively.
Network Security
Zero Trust
Network Access Control
Learn More →
Augment your IT team with enterprise managed services that fill resource gaps and reduce operational complexity.
Managed Services
managed IT services
IT support
Learn More →
Master cloud PAM implementation to enforce least privilege access, automate credential management, and achieve compliance visibility across cloud infrastructure.
Network Security
privileged access management
cloud security
Read Guide →
Optimize IT asset lifecycles with scalable, identity-aware management across hybrid cloud environments.
Managed Services
asset management
lifecycle services
Learn More →
Discover outcome-focused IT services spanning architecture, automation, security, and customer experience for measurable business impact.
Managed Services
IT Services
Infrastructure Management
Learn More →
Discover how managed services and NaaS reduce network complexity while enabling secure, modern infrastructure.
Managed Services
managed services
NaaS
Read Article →
Learn how managed networking services eliminate hidden costs and team burnout while enabling strategic focus.
Managed Services
NaaS
cost reduction
Read Article →
Reduce VPN connection failures by implementing Host Scan workarounds that eliminate common user errors in Cisco AnyConnect deployments.
Network Security
Cisco AnyConnect
VPN
Read Article →
Automate compliance audits and eliminate access control chaos with continuous privileged access management.
Network Security
Cloud Security
Privileged Access Management
Read Article →
Discover why legacy PAM fails in cloud environments and how CPAM modernizes privileged access security.
Network Security
privileged access management
cloud security
Read Article →
Learn how Aegis NaaS delivers strategic network management with complete visibility and control beyond traditional outsourcing models.
Managed Services
Network-as-a-Service
Managed Networks
Read Article →
Eliminate persistent admin access vulnerabilities by implementing Zero Standing Privileges for cloud-native security.
Network Security
zero trust
cloud security
Read Article →
Accelerate DevOps delivery while maintaining security through privileged access management and zero standing privileges.
Network Security
CPAM
Just-in-Time Access
Read Article →
Discover how privileged access management secures machine identities and eliminates blind spots in cloud infrastructure.
Network Security
machine identity
privileged access management
Read Article →