Compliance & Security by Design

Secronyx is architected from the ground up for regulatory compliance, data minimisation, and complete auditability. We don't ask for trust. We provide evidence.

Core Security Principles

The platform is built on these non-negotiable principles

Explicit, Auditable Data Access

  • The AI cannot access machines implicitly
  • Every data access requires a specific diagnostic query
  • Every query and response is fully logged

Read-Only Execution

  • The endpoint agent cannot modify system state
  • No write operations, command execution, or configuration changes
  • Diagnostic queries are finite, versioned, and deterministic

AI Outside the Trust Boundary

  • No general-purpose AI runtime executes on customer machines
  • AI reasoning occurs centrally
  • Endpoints expose only a constrained diagnostic interface

Data Minimisation by Design

  • Only the minimum data required to answer a question is returned
  • No bulk telemetry, background scraping, or speculative collection
  • Data remains on the endpoint unless explicitly requested

Full Accountability & Traceability

  • Every diagnostic session produces a complete audit trail
  • All AI actions are attributable, reviewable, and replayable
  • Audit logs are immutable and available for export

The Key Distinction

Traditional tools collect everything because they don't know what will matter. Secronyx asks the right questions and collects only what matters.

Standards & Regulatory Alignment

Designed to support compliance with major security and privacy frameworks

ISO

ISO/IEC 27001:2022

A.5.1 - Information security policies Defined read-only, query-based access model
A.5.15 - Access control Explicit, least-privilege diagnostic queries
A.8.15 - Logging Complete AI request/response audit trail
A.8.2 - Privileged access No privileged or write access permitted
A.8.5 - Secure authentication Authenticated, attributable sessions
A.8.16 - Monitoring activities Auditable, scoped diagnostics

The platform exceeds ISO expectations by auditing AI intent, not just user actions.

NIST

NIST SP 800-53 (Rev. 5)

AC-6 - Least Privilege Finite, read-only query surface
AU-2 - Event Logging Full diagnostic event logging
AU-3 - Content of Audit Records Query, response, actor, timestamps1
AU-12 - Audit Generation Automatic, non-optional logging
AU-9 - Protection of Audit Information Tamper-evident, protected audit records
AI

NIST AI Risk Management Framework

Govern Explicit AI boundaries and auditability
Measure Observable AI inputs and outputs
Manage Controlled AI-to-system interaction
Map Clear AI/system trust boundaries
UK

UK Public Sector Alignment

NCSC Principles

  • Least privilege: No write access, no blanket visibility
  • Defence in depth: AI kept outside endpoint trust boundary
  • Audit and monitoring: Full, reviewable diagnostic trail

UK GDPR

  • Article 5(1)(c) - Data minimisation: Only queried data is processed
  • Article 30 - Records of processing: Diagnostic audit logs support Article 30 documentation2

UK Government Service Standard – Aligned Themes3

  • Clear accountability
  • Evidence-based assurance
  • No opaque automation
  • Deterministic, reviewable behaviour

1 Secronyx additionally captures AI reasoning context beyond standard AU-3 requirements.
2 Audit logs provide supporting evidence; a complete Article 30 record requires additional organisational documentation per ICO guidance.
3 These themes align with the intent of the Service Standard; bullet points are not official standard wording.

Complete Auditability & Traceability

Every interaction between the AI and a customer machine is explicit, logged, and reviewable.

For every diagnostic session, the platform records:

  • What the AI asked for

    The exact query, timestamp, machine, and tenant context

  • What the AI received

    Structured output only, with verifiable link to originating machine

  • Why follow-up questions were asked

    The reasoning chain and query dependencies

  • Who or what initiated the session

    User, workflow, or policy trigger with full auth context

Audit Log Properties

Deterministic Same query always produces the same class of output
Immutable Events cannot be modified after creation
Attributable Linked to user, AI, tenant, and endpoint
Replayable Full diagnostic session can be reconstructed
Reviewable Human-readable and machine-verifiable

The AI does not "see everything." It asks explicit questions, receives explicit answers, and leaves an explicit trail.

Risk Mitigation

How Secronyx addresses common security and compliance concerns

Risk Area
Mitigation
Data exfiltration
Query-scoped responses only
AI unpredictability
Deterministic query execution
Insider misuse
Full attribution and audit trail
Supply-chain risk
No embedded AI runtimes on endpoints
Compliance audit
Replayable diagnostic transcripts
Over-collection
Query-based access only
Lack of transparency
Full audit trail
Data leakage
Minimal payloads

Safer Than Local AI Assistants

Many organisations use AI coding assistants running on developer laptops, home machines, or inside production servers. These tools often operate with broad filesystem access, implicit context, and limited auditability.

Risks of Local/In-Production AI Assistants

  • Unprovable data exposure

    Difficult to demonstrate what was accessed or shared

  • Write and execution privileges

    Blurs responsibility for changes

  • Loss and integrity risk

    Local machines may be lost, stolen, or unbackup

  • Expanded attack surface

    Each embedded runtime introduces new dependencies

How Secronyx Avoids These Risks

  • No general-purpose AI runs on customer machines
  • The agent is strictly read-only
  • Queries are finite, versioned, and auditable
  • AI reasoning happens outside the trust boundary
  • Every request and response is logged

DPIA-Ready by Design

The platform processes less data than traditional monitoring tools, with stronger controls and traceability

Purpose of Processing

To diagnose system configuration, health, and operational state on demand, in response to explicit user or policy-initiated requests.

Data Subjects

Employees or system users indirectly associated with managed devices. No personal profiling or behavioural analysis is performed.

Data Minimisation

  • Data collected is strictly limited to the diagnostic question
  • No background collection occurs
  • Retention periods are configurable by tenant

Excluded by Design

No continuous logs, keystrokes, screen capture, bulk process memory dumps, personal content, or user activity streams.

Security Questionnaire Reference

Common questions from security and compliance teams

Does your agent have write or execution access on customer systems?

No. The agent is strictly read-only. It cannot modify files, configurations, registry entries, or system state, and it cannot execute arbitrary commands.

Does the platform continuously collect telemetry?

No. The platform performs no background data collection. All diagnostics are executed on demand in response to explicit requests.

Is AI running on customer endpoints?

No. AI reasoning occurs centrally. Customer endpoints expose a controlled diagnostic interface only.

What audit logging is provided?

The platform records a complete audit trail for every diagnostic interaction, including query requested, data returned, timestamp, initiating user or process, endpoint identity, and AI reasoning context. Audit records are immutable and replayable.

Can customers review or export audit logs?

Yes. Audit logs are available for customer review, export, and integration with SIEM or governance tooling.

Is customer data used to train AI models?

No. Customer diagnostic data is not used for model training.

This platform does not ask for trust. It provides evidence.

Defensible, auditable, and enterprise-grade by design.

Get Started Contact Us