Security & Trust

Built for the way enterprises handle sensitive research

Your research briefs, persona configurations, and simulation results are yours — never shared, never used to train any model, never visible to another client. Here's exactly how that works.

Core guarantee

Your data never trains any AI model. Ever.

Every simulation Simulatte runs is a stateless API call to Anthropic's inference API. Your brief content, your research questions, your results — none of it is retained by any AI provider for model training. What goes in, stays in your tenant environment. Nothing is reused, repurposed, or shared.

Technical controls

Every layer secured

These aren't aspirational claims — they're in-production controls verified by Simulatte's internal security testing suite.

Server-side RBAC enforcement
Access control is enforced at the API level, not the UI level. Every endpoint validates your session role before touching any data — a UI bypass cannot grant API access.
Per-tenant data isolation
Your workspace is structurally isolated from every other client. There is no API path, no query, and no administrative function that can return another tenant's data to your session.
Full audit trail
Every administrative action is logged with actor identity, timestamp, and before/after state. Credit allocations, user changes, and access events are immutably recorded.
TLS 1.3 + HSTS enforced
All data in transit is encrypted. HTTP Strict Transport Security prevents protocol downgrade attacks. No unencrypted connection to any Simulatte endpoint is possible.
Content Security Policy
Strict CSP headers prevent cross-site scripting and content injection. No third-party scripts, pixels, or analytics run inside your dashboard session.
API key hashing
API keys are stored as SHA-256 hashes. Simulatte never holds your raw key after issuance — a database breach cannot expose usable credentials.
Zero third-party tracking
No analytics scripts, session recording tools, ad pixels, or social trackers run inside the platform. Your usage patterns are not sold or shared with anyone.
OWASP-aligned development
The platform is built and tested against the OWASP Top 10. Injection, authentication, access control, and misconfiguration risks are part of every deployment review cycle.
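The three controls above that are easiest to get wrong in practice are API-level role checks, tenant scoping and hashed key storage. The following is an added illustration written for this page, not Simulatte's own code: the data stores, role names, and key format are assumptions, and the point is that the tenant is derived from the authenticated key rather than from anything the client sends.

```python
import hashlib
import secrets

# Constructed in-memory stores standing in for a database (assumption: the real schema is not public).
KEYS = {}  # sha256(raw_key) -> {"tenant": ..., "role": ...}; the raw key is never stored
BRIEFS = {  # tenant -> briefs, constructed sample data
    "acme": ["Q3 pricing study"],
    "globex": ["Churn drivers"],
}
# Hypothetical role-to-permission map; roles are checked on the server, never trusted from the UI.
ROLE_PERMS = {
    "viewer": {"briefs:read"},
    "admin": {"briefs:read", "briefs:write", "users:write"},
    "billing": {"credits:write"},
}


def issue_key(tenant, role):
    """Return the raw key once; only its SHA-256 digest is persisted.
    Plain SHA-256 (no salt, no slow KDF) is adequate here because the key is a
    256-bit random secret, not a low-entropy password a breacher could guess."""
    raw = "sk_" + secrets.token_urlsafe(32)
    KEYS[hashlib.sha256(raw.encode()).hexdigest()] = {"tenant": tenant, "role": role}
    return raw


def authenticate(raw_key):
    """Resolve the caller by hashing the presented key and looking up the digest.
    A stolen digest from the store fails here because hashing it again yields
    a different value, which is why a database breach does not expose usable credentials."""
    digest = hashlib.sha256(raw_key.encode()).hexdigest()
    return KEYS.get(digest)


def list_briefs(raw_key):
    """API handler: authenticate, enforce the role server-side, then scope by tenant.
    Returns (http_status, payload)."""
    principal = authenticate(raw_key)
    if principal is None:
        return 401, None
    if "briefs:read" not in ROLE_PERMS.get(principal["role"], set()):
        return 403, None
    # The tenant comes from the authenticated principal, never from a request
    # parameter, so no query path exists that returns another tenant's briefs.
    return 200, list(BRIEFS.get(principal["tenant"], []))
```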

Compliance posture

Controls in place. Certifications in progress.

We're transparent about where we are. The technical controls exist — the third-party audit process takes time. We won't claim certifications we don't hold.

Framework | What it means for you | Status
SOC 2 Type II | Independent audit of security, availability, and confidentiality controls. The gold standard for enterprise procurement. | Audit-ready · In progress
OWASP Top 10 | Industry standard for web application security. Covers injection, auth, access control, misconfiguration, and 6 other attack classes. | Controls aligned
GDPR | EU data protection regulation. Simulatte collects minimal PII, maintains audit logs, and provides per-tenant data isolation. | Controls aligned
External pen test | Third-party penetration test by a CREST-certified firm. Required by most enterprise security questionnaires. | Scheduled Q3 2026
ISO 27001 | International standard for information security management systems. | Roadmap 2027

How your data flows

From brief to result — end to end

01
You upload a brief or paste text
Your brief is transmitted over TLS to Simulatte's API and stored in your isolated tenant environment — no other client or Simulatte team member can query it without your credentials.
02
Morpheus processes it via Anthropic's inference API
The brief content is sent as a stateless API request to extract research objectives. Anthropic processes this under their zero-data-retention enterprise API terms — the content is not stored or used for training by Anthropic or Simulatte.
Anthropic API · Zero retention · No training
03
Personas simulate in your tenant environment
Simulation runs are scoped to your tenant. Persona responses, decision traces, and results are written only to your data partition. Role-based access control determines who on your team can view results.
04
Results stay in your environment
Outputs — reports, CSVs, decision traces — are accessible only through your authenticated session. There is no "Simulatte staff view" of your results. Admin access to the platform is restricted by email domain and server-side role enforcement.

Procurement questionnaire?
We'll fill it.

Most enterprise security reviews are the same 80 questions. We've answered them. Send us your vendor questionnaire and we'll turn it around in 48 hours.