Compliance

Encryption at rest and in transit, SOC 2, GDPR, HIPAA, SOX/PCI-DSS, metric retention, and incident response.

How is data encrypted
  • In transit: TLS 1.3 for all API communications
  • At rest: AES-256 for metrics in the optional hosted backend
  • Self-managed: customer-managed KMS keys supported

Since logs stay in your infrastructure, they're protected by your existing encryption controls.

How is the AI agent's access controlled

The agent (Claude or your own LLM) authenticates with a scoped, rotatable, per-environment key, never a shared master credential. It reads aggregated metrics and proposes config changes to a destination you control (a pull request in your repo, a ConfigMap, or stdout); the engine enforces only what you approve. A read-only mode blocks all writes, and every proposed and applied change is recorded with a stable pattern id, reason, and timestamp in history you own. See Agent operation.
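As an added illustration of the approval-gated flow described above (hypothetical code written for this page, not the Log10x engine or its API): proposals carry a stable pattern id, reason and timestamp, a read-only mode refuses every write, unapproved changes never reach the config, and every outcome lands in a history the operator owns.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass(frozen=True)
class Proposal:
    """A change the agent wants applied, carrying the audit fields listed above."""
    pattern_id: str     # stable id of the log pattern the change targets
    change: dict        # config delta (constructed sample data in the test)
    reason: str
    proposed_at: str    # ISO-8601 UTC timestamp


@dataclass
class ChangeEngine:
    """Applies proposals only on explicit approval; history stays with the operator."""
    config: dict
    read_only: bool = False
    history: list = field(default_factory=list)

    def _now(self):
        return datetime.now(timezone.utc).isoformat()

    def propose(self, pattern_id, change, reason):
        # Recording the proposal itself means even never-approved changes are auditable.
        p = Proposal(pattern_id, dict(change), reason, self._now())
        self.history.append({"event": "proposed", "pattern_id": p.pattern_id,
                             "reason": p.reason, "at": p.proposed_at})
        return p

    def apply(self, proposal, approved):
        """Return True only if the change was written to config.
        Refusals are recorded too, so the trail shows what was blocked and why."""
        if self.read_only:
            outcome = "blocked_read_only"
        elif not approved:
            outcome = "rejected"
        else:
            self.config.update(proposal.change)
            outcome = "applied"
        self.history.append({"event": outcome, "pattern_id": proposal.pattern_id,
                             "reason": proposal.reason, "at": self._now()})
        return outcome == "applied"


def events(engine):
    """Ordered list of audit event names, for review or checks."""
    return [h["event"] for h in engine.history]
```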

Is Log10x SOC 2 certified

Log10x SOC 2 certification is planned for 2026. SIG Lite questionnaire responses are available on request. Contact security@log10x.com.

Organizations that require SOC 2 from all vendors: Deploy self-managed. Log10x becomes a software licensor, not a data processor. No data reaches Log10x systems and your existing compliance controls (SOC 2, HIPAA, PCI DSS) apply directly.

Optional hosted metrics: If you opt into the hosted metrics backend (mostly for evaluation), it runs on AWS Managed Grafana and Prometheus, which maintain SOC 2 Type II, ISO 27001, and PCI DSS compliance. Only aggregated metrics (event counts, byte volumes) reach it, never log content, and they auto-expire after 90 days.

How does Log10x support GDPR compliance

DPA available on request. Since log data never leaves your infrastructure, it never crosses borders.

Deploy in your EU infrastructure and data stays in the EU; the agent, engine, and your metrics store all run in your region. The only US-bound piece is the optional hosted metrics backend (aggregated metrics only); point metrics at your own EU time-series database to keep everything in region.

DPA key terms: Data scope limited to aggregated metrics only (no log content, no PII). Sub-processors: AWS Managed Services (infrastructure), Auth0 (authentication). Deletion on request via security@log10x.com. Contact us for the full DPA.

Can Log10x support HIPAA requirements

BAA available for enterprise customers. Data scope limited to aggregated metrics, no PHI content. Sub-processors: AWS Managed Services (infrastructure), Auth0 (authentication). Contact security@log10x.com.

All log processing happens in your environment, so PHI never leaves your HIPAA-compliant infrastructure. Log10x only receives aggregate metrics, no PHI content.

What about SOX and PCI-DSS

Audit trails are maintained entirely in your infrastructure.

Log10x doesn't process or store log content, placing us outside your CDE (Cardholder Data Environment). Your existing controls apply. The architecture simplifies compliance scope.

What is your incident response and breach notification process

72-hour breach notification (GDPR-aligned). If the hosted metrics backend is compromised:

  1. Scope: Limited to aggregated metrics (event counts, byte volumes). No log content is ever stored there.
  2. Notification: Affected customers notified via email within 72 hours.
  3. Status: Real-time updates at status.log10x.com.
  4. Contact: security@log10x.com for incident response details.

Self-managed: Log10x has no access to your infrastructure. Incident response is handled entirely by your team.