# Security and Compliance

> How Antimetal handles security, privacy, and access

Antimetal operates on your production infrastructure. This page covers how we handle security, privacy, and data access.

## Security

<AccordionGroup>
  <Accordion title="Encryption and transmission">
    All data is encrypted in transit using TLS 1.2 or higher and at rest using AES-256. Credentials are stored using AWS KMS. Infrastructure is hosted on AWS and provisioned via Infrastructure-as-Code with least-privilege IAM roles. Access to production systems is controlled, logged, and protected with MFA.
  </Accordion>

  <Accordion title="Internal practices">
    * Background checks are conducted for all employees
    * Employees receive regular security training
    * Endpoint protection and device management enforced via MDM
    * Regular penetration testing and third-party audits
    * Customer data is never entered into external AI tools by employees
  </Accordion>

  <Accordion title="SOC 2 Type II">
    Antimetal is SOC 2 Type II certified. Our controls and procedures have been independently audited and validated to meet industry standards for security, availability, and confidentiality.

    Contact [security@antimetal.com](mailto:security@antimetal.com) for a copy of the report.
  </Accordion>

  <Accordion title="HIPAA">
    Antimetal is HIPAA compliant. Protected health information is handled in accordance with HIPAA requirements. Contact [security@antimetal.com](mailto:security@antimetal.com) for details.
  </Accordion>

  <Accordion title="Vulnerability disclosure">
    Report security concerns to [security@antimetal.com](mailto:security@antimetal.com).
  </Accordion>
</AccordionGroup>

## Privacy and Data

<AccordionGroup>
  <Accordion title="Data isolation">
    All tenant data runs in isolated environments with strict separation boundaries. There is no cross-contamination between customers. Lightweight metadata such as alert identifiers and investigation status may be temporarily retained for tracking purposes.
  </Accordion>

  <Accordion title="AI providers and model usage">
    Antimetal uses third-party AI APIs from Anthropic, OpenAI, and Google. All providers are configured with no-data-retention policies. Customer data is never used to train shared or generalized models. Each customer's data is handled in a segregated environment with multi-tenant isolation controls.
  </Accordion>

  <Accordion title="AI in the product">
    AI accelerates root cause analysis and generates remediation recommendations tied to evidence. All AI outputs are linked to underlying data so customers can validate results independently. Audit logs capture all AI-assisted activity. AI augments investigation quality but never operates outside customer visibility.
  </Accordion>
</AccordionGroup>

## Integration Permissions

Each integration requests only the minimum permissions needed. See the individual integration pages for details on specific scopes and access levels.

<CardGroup cols={2}>
  <Card title="Slack" icon="https://t2.gstatic.com/faviconV2?client=SOCIAL&type=FAVICON&fallback_opts=TYPE,SIZE,URL&url=http://slack.com&size=256" href="/integrations/slack#permissions-and-access">
    Minimal OAuth scopes, no message persistence
  </Card>

  <Card title="GitHub" icon="https://t2.gstatic.com/faviconV2?client=SOCIAL&type=FAVICON&fallback_opts=TYPE,SIZE,URL&url=http://github.com&size=256" href="/integrations/github#permissions-and-access">
    Repository access, pull requests, CI/CD monitoring
  </Card>

  <Card title="CloudWatch" icon="https://t2.gstatic.com/faviconV2?client=SOCIAL&type=FAVICON&fallback_opts=TYPE,SIZE,URL&url=http://aws.amazon.com&size=256" href="/integrations/cloudwatch#permissions-and-access">
    Read-only IAM Role via CloudFormation
  </Card>

  <Card title="GCP" icon="https://t2.gstatic.com/faviconV2?client=SOCIAL&type=FAVICON&fallback_opts=TYPE,SIZE,URL&url=http://cloud.google.com&size=256" href="/integrations/gcp#permissions-and-access">
    Read-only service account across projects
  </Card>

  <Card title="Datadog" icon="https://t2.gstatic.com/faviconV2?client=SOCIAL&type=FAVICON&fallback_opts=TYPE,SIZE,URL&url=http://datadoghq.com&size=256" href="/integrations/datadog#permissions-and-access">
    Read-only API and Application keys
  </Card>

  <Card title="Grafana" icon="https://t2.gstatic.com/faviconV2?client=SOCIAL&type=FAVICON&fallback_opts=TYPE,SIZE,URL&url=http://grafana.com&size=256" href="/integrations/grafana#permissions-and-access">
    Read-only service account or access policy token
  </Card>

  <Card title="Sentry" icon="https://t2.gstatic.com/faviconV2?client=SOCIAL&type=FAVICON&fallback_opts=TYPE,SIZE,URL&url=http://sentry.io&size=256" href="/integrations/sentry#permissions-and-access">
    Read-only internal integration token
  </Card>

  <Card title="PagerDuty" icon="https://t2.gstatic.com/faviconV2?client=SOCIAL&type=FAVICON&fallback_opts=TYPE,SIZE,URL&url=http://pagerduty.com&size=256" href="/integrations/pagerduty#permissions-and-access">
    Read-only User API Token
  </Card>

  <Card title="Incident.io" icon="https://t2.gstatic.com/faviconV2?client=SOCIAL&type=FAVICON&fallback_opts=TYPE,SIZE,URL&url=http://incident.io&size=256" href="/integrations/incident-io#permissions-and-access">
    Read-only API key
  </Card>
</CardGroup>

## Best Practices

<AccordionGroup>
  <Accordion title="Review AI outputs">
    Antimetal surfaces recommendations tied to evidence. Review them before acting. All recommendations include links to the underlying data so you can verify independently.
  </Accordion>

  <Accordion title="Manage credentials securely">
    Use the [Antimetal dashboard](https://overlook.antimetal.com) to store integration credentials. Do not share API keys over Slack or email.
  </Accordion>

  <Accordion title="Use least-privilege access">
    When possible, scope integration permissions to specific projects, repositories, or environments. Each integration page documents the minimum required permissions.
  </Accordion>
</AccordionGroup>
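The cloud integration cards above describe read-only roles, and the last accordion asks you to scope permissions to least privilege. One practical way to check that before deploying a CloudFormation template is to lint every inline policy on every `AWS::IAM::Role` it defines and flag any `Allow` statement that can grant a write. The script below is an added example, not Antimetal's code or its actual template; the read-only verb prefixes are an assumption based on common AWS action naming, and the sample template, account ID and external ID in it are constructed placeholders.

```python
"""Verify that an integration's IAM role grants read-only actions.

Added example (not Antimetal's own code). It scans the inline policies of
every AWS::IAM::Role in a CloudFormation template and reports Allow
statements that are not limited to read verbs. The prefix list is an
assumption drawn from common AWS action naming, not an official AWS
classification, so confirm unfamiliar actions against the service docs.
"""
import json
import sys

# Verb prefixes treated as read-only (assumption; lower-cased for comparison).
READ_ONLY_PREFIXES = (
    "get", "list", "describe", "batchget", "filter", "lookup", "search", "view",
)


def is_read_only_action(action: str) -> bool:
    """True only if every action the pattern can match is a read verb."""
    if ":" not in action:            # bare "*" grants everything
        return False
    _service, verb = action.split(":", 1)
    stem = verb.split("*", 1)[0]     # "Describe*" -> "Describe", "*" -> ""
    if not stem:                     # "logs:*" also covers Put/Delete
        return False
    return stem.lower().startswith(READ_ONLY_PREFIXES)


def find_write_grants(policy: dict) -> list[str]:
    """Return one finding per Allow action that is not read-only."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # IAM allows a single statement object
        statements = [statements]
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue                  # Deny statements only narrow access
        sid = stmt.get("Sid", f"Statement[{idx}]")
        if "NotAction" in stmt:
            # Allow + NotAction grants every action except those listed
            findings.append(f"{sid}: Allow with NotAction is not read-only")
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            if not is_read_only_action(action):
                findings.append(f"{sid}: {action} is not read-only")
    return findings


def find_write_grants_in_template(template: dict) -> list[str]:
    """Scan the inline policies of every AWS::IAM::Role in a template."""
    findings = []
    for name, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::IAM::Role":
            continue
        for policy in resource.get("Properties", {}).get("Policies", []):
            doc = policy.get("PolicyDocument", {})
            label = f"{name}/{policy.get('PolicyName', '?')}"
            findings.extend(f"{label}: {f}" for f in find_write_grants(doc))
    return findings


# Constructed sample (hypothetical; not a real Antimetal template). The
# trusted account ID and external ID are placeholders.
SAMPLE_TEMPLATE = {
    "Resources": {
        "MonitoringReadOnlyRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
                        "Action": "sts:AssumeRole",
                        "Condition": {"StringEquals": {"sts:ExternalId": "EXTERNAL-ID-PLACEHOLDER"}},
                    }],
                },
                "Policies": [
                    {"PolicyName": "CloudWatchRead", "PolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [{"Sid": "Metrics", "Effect": "Allow", "Resource": "*",
                                       "Action": ["cloudwatch:GetMetricData", "cloudwatch:ListMetrics",
                                                  "logs:FilterLogEvents", "logs:Describe*"]}]}},
                    {"PolicyName": "TooBroad", "PolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [{"Sid": "Alarms", "Effect": "Allow", "Resource": "*",
                                       "Action": ["cloudwatch:PutMetricAlarm", "logs:*"]}]}},
                ],
            },
        }
    }
}

if __name__ == "__main__":
    # Usage: python check_readonly.py [template.json]; defaults to the sample.
    template = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_TEMPLATE
    for finding in find_write_grants_in_template(template):
        print(finding)
    sys.exit(1 if find_write_grants_in_template(template) else 0)
```

Run against the sample, the `CloudWatchRead` policy passes while `TooBroad` produces two findings (`cloudwatch:PutMetricAlarm` and the `logs:*` wildcard). The check is deliberately conservative: a pattern such as `logs:*` fails even though it also matches read actions, and an `Allow` with `NotAction` fails outright, because both can widen access beyond the read-only scope the integration page documents.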
