Security

Our approach

Life sciences data (genomics, transcriptomics, proteomics, clinical records) is heavily regulated, and rightly so. Here is how we think about security:

1. Minimize data exposure. We only access the data we need, for as long as we need it. When you bring your own storage, we hold your data only during active processing and retain only metadata and pointers afterward.
2. Give customers control. From bring-your-own-cloud deployments to privacy mode, we provide the controls that regulated organizations require.
3. Be transparent. This page describes how we handle data today, including areas where we are still improving.

Compliance and assessments

Platform-wide (all plans)

These are organizational certifications and regulations. Once achieved, every customer benefits regardless of plan.

• SOC 2 Type II We have engaged an independent auditor and are implementing the controls required for the Trust Services Criteria (security, availability, confidentiality).
• ISO 27001:2022 We are building an information security management system (ISMS) aligned with ISO 27001:2022 requirements.
• GDPR We are aligning our data processing practices with the EU General Data Protection Regulation, including data subject rights, lawful basis for processing, and cross-border data transfer mechanisms.

Enterprise (per-customer)

These require per-customer legal agreements or validation work and are available on Enterprise plans.

• HIPAA BAA We are implementing the administrative, physical, and technical safeguards required for handling protected health information (PHI). Enterprise customers can sign a Business Associate Agreement (BAA), a per-customer legal contract that governs how PHI is handled.
• 21 CFR Part 11 We support electronic records and electronic signatures controls for FDA-regulated environments. Qualification documentation (IQ/OQ/PQ) is performed per customer deployment.

In the interim, we can provide:

• Our security questionnaire responses
• Details on our current controls and policies
• Architecture documentation for your security review

Contact security@inflexa.ai to request any of these materials.

Data architecture

Inflexa is designed so that your data stays under your control whenever possible. How and where your data is stored depends on which deployment mode you use.

What we mean by “your data”

When we refer to data on this page, we distinguish between:

• Scientific data Your experimental data: count matrices, sequence files, sample metadata, clinical annotations, analysis results. This is the sensitive data you care most about.
• Platform metadata Information Inflexa needs to operate: project structure, analysis configurations, user accounts, audit logs, pointers to your files.
• AI contextThe prompts, queries, and data excerpts sent to language models during analysis. This may include fragments of your scientific data.

Deployment modes

Inflexa supports two deployment modes, each with different tradeoffs between convenience and data control.

Bring Your Own Storage (BYOS)

You connect your existing cloud storage (AWS S3, Google Cloud Storage, or Azure Blob Storage) to Inflexa. Your scientific data remains in your storage buckets at rest.

• During processing: Data is temporarily loaded into Inflexa’s compute environment for analysis. It resides in our cloud only for the duration of the active computation.
• After processing: Results are written back to your storage. Inflexa retains only metadata and pointers (file paths, dataset schemas, analysis provenance), not the underlying scientific data.
• If you disconnect: Metadata and pointers remain in Inflexa for your account records. Your scientific data was never stored by us persistently.

This is the default mode for most customers. You keep your data in your own storage infrastructure while using Inflexa’s compute and AI capabilities.

Bring Your Own Cloud (BYOC)

For organizations that require full control over data residency, Inflexa can be deployed entirely within your cloud environment.

• Data never leaves your cloud. Processing, storage, and analysis results all remain within your cloud account and region.
• You control the infrastructure. Compute resources run in your environment under your security policies, VPC rules, and access controls.
• Inflexa manages the application layer. We provide the platform software, updates, and support. You retain control of the underlying infrastructure and data.

BYOC is available on Enterprise plans. Contact us to discuss deployment.

AI and LLM requests

Inflexa uses large language models to power its conversational analysis agents. The models interpret results, suggest analytical approaches, generate code, and explain findings in scientific context.

What is sent to the LLM

When you interact with an Inflexa agent, we construct a prompt that may include:

• Your natural language query or instruction
• Relevant context from your current analysis session (e.g., column names, summary statistics, gene lists, pathway names)
• Analysis results and intermediate outputs
• Metadata about your dataset structure

We minimize the amount of raw data sent in prompts. For example, we send summary statistics and representative samples rather than full datasets wherever possible. However, some analyses require sending data excerpts (such as specific gene expression values or sample annotations) to the model for interpretation.

LLM providers

We currently use Anthropic as our sole LLM provider. All LLM requests go through Anthropic’s API.

• Anthropic’s data usage policy for API customers states that they do not use API inputs or outputs to train their models.
• We have a zero data retention agreement with Anthropic for customers with Privacy Mode enabled.
• All communication with Anthropic’s API is encrypted in transit via TLS.

If we add LLM providers in the future, we will update this page and notify affected customers before routing any data to new providers.

BYOC and LLM requests

In Bring Your Own Cloud deployments, LLM requests still leave your cloud environment to reach Anthropic’s API. This is currently the only data flow that exits your infrastructure.

Privacy mode

Privacy Mode controls whether your data can be retained by our LLM providers or used for any purpose beyond serving your request.

How it works

When Privacy Mode is enabled:

• We enforce zero data retention agreements with all LLM providers. Prompts and responses are not stored by the provider after the request is served.
• Your data is never used for model training by any provider.
• We do not log prompt contents or model responses on our servers for Privacy Mode users.

Who controls Privacy Mode

Privacy Mode is not available on the Personal plan. It is available on Biotech and Enterprise plans, where it is enabled by default.

Biotech and Enterprise plans give administrators the choice to disable Privacy Mode if their organization’s policies allow it and they wish to opt in to potential future features that may require data retention (such as improved model personalization). When an admin disables Privacy Mode, all team members are affected.

We take the Privacy Mode guarantee seriously. When in doubt about a request’s privacy status, our systems default to treating it as Privacy Mode enabled.

Infrastructure security

Cloud infrastructure

Inflexa’s platform infrastructure is hosted on AWS, with all servers in the United States. We use:

• AWS for primary compute, storage, and database services
• Cloudflare for DDoS protection and CDN

Access controls

• Infrastructure access is assigned on a least-privilege basis
• Multi-factor authentication is enforced for all cloud provider accounts
• Access to production systems is restricted to a small set of team members and is logged
• We use network-level controls (VPCs, security groups) to isolate services

Encryption

• In transit: All data is encrypted using TLS 1.2 or higher, both between your browser and our servers and between our servers and third-party services.
• At rest: All data stored in our infrastructure is encrypted at rest using AES-256 via AWS-managed keys. BYOS and BYOC customers manage their own encryption keys for their storage.

Subprocessors

We do not use any Chinese companies as subprocessors, and to our knowledge none of our subprocessors do either.

Application security

Authentication

Inflexa is accessed through a web interface. We support:

• Email and password authentication with enforced password complexity requirements
• Single Sign-On (SSO) via SAML 2.0 for Enterprise customers
• Multi-factor authentication (MFA)

Authorization

• Role-based access control (RBAC) governs what users can see and do within their organization
• Projects and datasets are scoped to organizations. There is no cross-tenant data access.
• Audit logs track user actions within the platform

Secure development

• All code changes go through peer review, dependency scanning, and automated testing before deployment
• Dependencies are monitored for known vulnerabilities

Account and data deletion

You can request deletion of your account and all associated data by contacting support@inflexa.ai. Upon deletion:

• All platform metadata, analysis configurations, and stored results are permanently removed from our systems
• For BYOS users: metadata and pointers are deleted. Your scientific data in your own storage is unaffected. We never stored it.
• For BYOC users: you retain full control of your infrastructure and data. We remove your account and platform configuration from our systems.

Your data is removed from our active systems within 30 days. Backups are rotated on a 30-day cycle, after which deleted data is no longer recoverable.

Vulnerability disclosures

If you believe you have found a security vulnerability in Inflexa, please report it to security@inflexa.ai.

Our response timeline:

• Acknowledgment within 3 business days
• Initial assessment within 10 business days
• Confirmed vulnerabilities are addressed as quickly as possible, prioritized by severity

We appreciate responsible disclosure and will work with you to resolve any issues.