Compliance & Security

Deployment models: VPC / Private Cloud On-prem / Air-gapped Sovereign Cloud Bring-your-own-model

We follow a shared responsibility model. Sphari secures the platform components we operate; customers secure their environment, identity, endpoints, and data classification policies.

• Network isolation, least-privilege access, key management, and audit logging.
• Encryption in transit (TLS). At-rest encryption when we host; customer-managed keys for VPC/on-prem.
• Secure development lifecycle, dependency vetting, vulnerability management.
• Incident response runbooks and customer notification procedures.
• Optional data residency constraints by contract (US/EU/UK/other).

We do not accept PHI or other regulated data unless we have a signed Business Associate Agreement (BAA) or Data Processing Addendum (DPA) authorizing such processing and defining responsibilities. Without those terms, you must not upload regulated datasets.

• Implement SSO/MFA, role-based access, and least privilege.
• Classify data; avoid uploading regulated or sensitive data without a signed addendum.
• Review AI outputs with human oversight; operate within legal/regulatory frameworks.
• Configure logging/monitoring and retain evidence per your policy.

Report security issues to MV@sphari.info with a detailed description and steps to reproduce. Do not publicly disclose until we confirm a fix or mitigation.

Sphari LLC
P.O. Box (Mail only)
Royal Palm Beach, FL 33411
Email: MV@sphari.info