Security & compliance
The AI your compliance officer can sign off on.
This page does double duty: it reassures the gatekeeper and gives the champion ammunition to sell internally. We map Microfiber's controls directly to what your firm's WISP requires.
Data custody, tier-honest
Your document corpus always lives inside a boundary we control, on our hardware — this never changes across tiers. Never used for training; never commingled across tenants. What differs by tier is what reaches the model at query time:
Standard (managed inference)
Most firms: Your documents stay in our controlled environment. At query time, only the relevant excerpts needed to answer are processed by our contracted inference provider under a binding no-retention, no-training agreement. The provider is contractually bound and overseeable — documentable for your WISP — but those excerpts do transit to it. (It is not a public model API; it is a vetted, contracted sub-processor.)
Dedicated (owned-hardware, closed-loop)
Strictest: Nothing leaves the controlled environment — retrieval and inference both happen inside it. This is the only tier on which “your data never leaves” is literally true; the right tier for the strictest custody requirements.
The controls
Isolation
Per-tenant, dedicated environments — your documents and the search index built from them are never commingled with another firm's.
Encryption
TLS in transit; strong (AES-256-class) encryption at rest — including the embeddings / search index, which we treat as sensitive client-derived data, not just metadata.
One hardened front door
The API gateway is the only internet-facing component. The vector store and inference backends sit on a private network behind it — there is no public path to your documents.
Logging & audit trail
Metadata only (which tenant, which model, token counts, latency, status) — never prompt or response content. Your firm gets a browsable, per-tenant audit log: proof a request happened, with nothing sensitive captured.
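What a metadata-only audit record looks like in practice, as an added illustration rather than Microfiber's own code: the record carries only the fields listed above, a key allowlist rejects anything else, and a leak scan refuses to write a line that carries prompt, chunk or answer text. Token counting uses a whitespace split as a stand-in for a real tokenizer (assumption), and the tenant, model and document strings are constructed sample values.

```python
import json
from dataclasses import dataclass, asdict
from typing import List

# Allowlist: the only keys an audit line may carry (tenant, model, counts, latency, status).
ALLOWED_KEYS = frozenset({"tenant_id", "model", "prompt_tokens",
                          "completion_tokens", "latency_ms", "status"})


@dataclass(frozen=True)
class AuditRecord:
    tenant_id: str
    model: str
    prompt_tokens: int
    completion_tokens: int
    latency_ms: int
    status: str


def count_tokens(text: str) -> int:
    # Stand-in tokenizer (assumption); a real gateway uses the model's tokenizer.
    return len(text.split())


def build_audit_record(tenant_id: str, model: str, prompt: str, chunks: List[str],
                       answer: str, latency_ms: int, status: str) -> AuditRecord:
    """Reduce a request/response pair to counts; the content itself is dropped here."""
    prompt_tokens = count_tokens(prompt + " " + " ".join(chunks))
    return AuditRecord(tenant_id, model, prompt_tokens, count_tokens(answer),
                       latency_ms, status)


def metadata_only(record: dict, content: List[str]) -> bool:
    """True if the record obeys the allowlist and none of `content` appears in it.

    `content` is every string that must never reach the log: the prompt,
    each retrieved chunk and the answer."""
    if set(record) - ALLOWED_KEYS:
        return False
    if not all(isinstance(v, (int, str)) for v in record.values()):
        return False
    serialized = json.dumps(record)
    return not any(c and c in serialized for c in content)


def log_line(record: AuditRecord, content: List[str]) -> str:
    """Serialize a record for the per-tenant audit log, refusing leaky records."""
    fields = asdict(record)
    if not metadata_only(fields, content):
        raise ValueError("refusing to log: record carries request/response content")
    return json.dumps(fields, sort_keys=True)
```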
Sub-processor transparency
We name our infrastructure providers in the DPA — the contracted inference/hosting providers for the managed tier, and a separate provider for control-plane metadata only. Naming the hardware layer reveals nothing about your data, or about how Microfiber retrieves and reasons over it.
Portability / no lock-in
Export your data and (on the owned tier) your model weights anytime; certificate of destruction on exit. Portability is a feature, never lock-in by pain.
Uptime
[SLA terms — finalize with contracts / legal review.] Custody is architectural and absolute; uptime is a service commitment.
Custody is architectural
A boundary in the architecture — not a promise in a contract.
Your document corpus stays inside a boundary we control; what reaches the model at query time depends on your tier. Custody is architectural and attestable. Uptime is a separate, service-level commitment.
[Architecture diagram: app + users → api.microfiber.[tld] with your key (auth · routing · metadata-only logging) → your documents · cited answers. Your document corpus stays inside a boundary we control. Stateless compute, calls only: prompt + retrieved chunks → ← answer. Stateless utility · stores nothing · swappable.]
The control-plane / data-plane split — the trust story, made architectural.
WISP mapping
What your WISP requires → how Microfiber maps to it.
Directional mapping, pending legal review against primary sources — not legal advice. Microfiber is the vetted third party for the AI that touches client data. Controls your firm still owns — a designated Qualified Individual, risk assessments, an incident-response plan, breach notification — remain your responsibility.
- Your obligation (FTC Safeguards Rule): Oversee third parties that touch client data
  How Microfiber helps: A vettable, contractually-bound provider with attestable custody — DPA + documented controls.
  What your firm still owns: Selecting Microfiber; keeping the DPA on file; periodic review.
- Your obligation (FTC Safeguards Rule): Encryption in transit & at rest
  How Microfiber helps: TLS in transit; strong at-rest encryption across the data plane.
  What your firm still owns: Encryption on your own endpoints.
- Your obligation (FTC Safeguards Rule): Access controls
  How Microfiber helps: Per-tenant isolation; scoped API keys; least-privilege.
  What your firm still owns: User / role management inside your firm.
- Your obligation (FTC Safeguards Rule): Multi-factor authentication
  How Microfiber helps: MFA on the Microfiber portal.
  What your firm still owns: MFA on your own systems.
- Your obligation (FTC Safeguards Rule): Monitoring & logging
  How Microfiber helps: Metadata-only request logging; per-tenant audit log.
  What your firm still owns: Your own monitoring program.
- Your obligation (FTC Safeguards Rule): Secure disposal
  How Microfiber helps: Export + certificate of destruction on offboarding.
  What your firm still owns: Your broader retention policy.
- Your obligation (FTC Safeguards Rule): Data not used for AI training
  How Microfiber helps: Contractual no-training / no-retention terms.
  What your firm still owns: Verifying the term is in the signed agreement.
For the gatekeeper
Bring your WISP. We'll map to it.
The fastest way to satisfy your compliance gatekeeper is to walk the mapping line by line against your information security plan — in a private demo, on sanitized data first.