Trust & Security

Product Security

Enterprise-grade security architecture, built for the most demanding industries.

Complexio operates within your infrastructure, processes data under your control, and enforces multi-layered protections across the data lifecycle. We don't just meet enterprise security expectations — we were built around them.

Your infrastructure — your control

Complexio offers two product tiers, each designed to keep data under customer control:

Enterprise Automator

  • Deployed entirely within customer-controlled infrastructure
  • All data processing, including AI inference, runs on-premise using customer-hosted models
  • No customer data leaves the customer environment during processing
  • Supports both hybrid cloud and on-premise deployments

Stevie (Interactive AI)

  • All Stevie components are deployed within customer-controlled infrastructure
  • Customer data sources remain within the customer environment at all times
  • Real-time AI inference is provided via secure API integration within the customer's cloud environment
  • Query activity is logged within the customer environment

Defence in depth for every byte

Dual-Security Processing Model

All ingested data is processed in two security contexts:

  • High-security context — raw data with full PII, stored encrypted, access restricted to authorised automated processes only.
  • Standard-security context — sanitised, PII-masked data used by the AI inference layer and end-user queries.

Encryption

  • All data in transit is protected with TLS 1.2+ encryption.
  • All data at rest is encrypted using AES encryption with customer-managed or platform-managed keys.
  • Key management is handled via the customer’s cloud provider KMS (e.g. Azure Key Vault).

Ingestion Controls

  • Source whitelisting — only approved data sources are connected.
  • Domain exclusions — customers can exclude specific mailboxes, folders, or communication channels.
  • Keyphrase filtering — automatic exclusion of content matching sensitive keyphrases.
  • Sensitivity labels — integration with classification labelling systems to exclude classified content.

PII Masking

  • Content classification and relevance filtering during ingestion.
  • Automatic PII masking before data enters the standard-security processing context.
  • Deterministic and AI-based detection methods to maximise coverage.

Built to operate inside your security perimeter

  • Integration with customer IAM systems (e.g. Microsoft Entra ID) for centralised identity management.
  • Complexio operates as a guest workload within the customer’s tenant — we do not create or manage user identities.
  • Platform access is managed through the customer's identity provider, with data-level access controls under active development.
  • Administrative access to production environments requires multi-factor authentication and is limited to authorised Complexio personnel under NDA.
  • Access and administrative actions are logged and available to the customer.

AI that protects your people

Stevie, our interactive AI, is designed to answer business questions — not to expose personal information. Privacy is enforced at two levels:

Query-Time Controls

  • Stevie accesses only the sanitised, PII-masked data in the standard-security context.
  • The ability to query specific data sets is governed by role-based permissions.

Output Controls

  • Responses are subject to output controls designed to detect and redact any residual personal data.
  • A three-layer output sanitisation pipeline (deterministic rules, LLM-based rewriting, regex validation) minimises the risk of personal data surfacing in AI responses.
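The PII masking and output sanitisation described above, as an added illustration that is not Complexio's code: deterministic regex rules, a pluggable detector standing in for the AI-based detection step, an optional rewriter hook standing in for the LLM-based layer, and a final regex validation that withholds the response if anything still matches. The pattern set, the name list and the sample answer are constructed for the example.

```python
import re
from typing import Callable, Iterable, Optional, Tuple

# Layer 1: deterministic rules. Constructed patterns for illustration only.
RULES = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "PHONE": re.compile(r"\+?\d[\d\s().-]{7,}\d"),
}
# An AI-based detector is modelled as a callable returning (start, end, label) spans.
Detector = Callable[[str], Iterable[Tuple[int, int, str]]]

def mask_deterministic(text: str) -> str:
    """Replace every rule match with a typed placeholder such as [EMAIL]."""
    for label, pattern in RULES.items():
        text = pattern.sub(f"[{label}]", text)
    return text

def mask_spans(text: str, detector: Detector) -> str:
    """Apply detector spans right to left so earlier offsets stay valid."""
    for start, end, label in sorted(detector(text), reverse=True):
        text = text[:start] + f"[{label}]" + text[end:]
    return text

def residual_pii(text: str) -> list:
    """Layer 3: regex validation. Returns the rule labels that still match."""
    return [label for label, pattern in RULES.items() if pattern.search(text)]

def sanitise_output(answer: str, rewriter: Optional[Callable[[str], str]] = None,
                    detector: Optional[Detector] = None) -> str:
    """Run all layers and fail closed if any rule still matches at the end."""
    text = mask_deterministic(answer)
    if detector is not None:
        text = mask_spans(text, detector)
    if rewriter is not None:  # layer 2: LLM-based rewriting (hypothetical hook)
        text = rewriter(text)
    leaks = residual_pii(text)
    if leaks:
        return "[response withheld: residual " + ", ".join(leaks) + " detected]"
    return text

def demo_name_detector(text: str):
    """Stand-in for the AI-based detector: flags names from a constructed list."""
    for name in ("Jane Doe",):
        start = text.find(name)
        while start != -1:
            yield (start, start + len(name), "PERSON")
            start = text.find(name, start + 1)

# Constructed sample answer drawn from the standard-security context.
SAMPLE = "Contact Jane Doe at jane.doe@example.com or +44 20 7946 0958 about the Q3 forecast."
```

Calling `sanitise_output(SAMPLE, detector=demo_name_detector)` yields the masked answer; if the rewriter hook reintroduces an address, the final validation withholds the response instead of returning it.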

Security is built in, not bolted on

  • Vulnerability scanning — automated SAST and dependency scanning integrated into our CI/CD pipeline.
  • Environment separation — strict separation between development, staging, and production environments with no shared credentials.
  • Incident response — a documented incident response plan with defined roles, communication protocols, and post-incident review processes.
  • Backups & recovery — automated backups with tested recovery procedures and defined RPO/RTO targets.
  • Security training — all Complexio employees complete security awareness training upon onboarding and annually thereafter.