Features

Your Security Team Will Actually Approve This

Most AI platforms fail compliance review. Zentrr is built to pass it — AWS Bedrock only, full audit trails, encryption everywhere, and tenant isolation at the database level.

AWS Bedrock

Why we only use AWS Bedrock

Your compliance team needs to know exactly where data goes. Using AWS Bedrock exclusively means all inference stays in your cloud environment with full audit trails. Zero third-party AI providers.

  • Data never leaves your selected AWS region
  • Leading AI models (Claude, Nova, Llama, DeepSeek)
  • Pass security reviews in weeks, not months

1. All AI through Bedrock

All AI inference through AWS Bedrock in your selected region. No data leaves AWS.

2. Automatic logging

Every request logged with full context via CloudTrail. KMS at rest, TLS 1.3 in transit.

3. Audit and verify

Run automated compliance tests — HIPAA, SOC 2, GDPR, NIST, ISO 27001 — and generate reports on demand.

Compliance Features

Pass the audit, not just prepare for it

Audit logging, encryption, access control, guardrails, and tenant isolation — built in, not bolted on.

AWS Bedrock Only

All AI inference runs through AWS Bedrock in your region. No third-party AI providers. One data flow to verify.

Complete Audit Logging

Every conversation, API call, and system action logged with timestamps, user IDs, and full context. CloudTrail plus application-level audit logs.

Multi-Tenant RBAC

Four roles with database-level tenant isolation. Every query scoped to the user's organization.

Data Access Controls

Access scoped to organizations and teams. Control who can view, edit, or delete agents and knowledge bases.

Encryption Everywhere

AES-256 at rest via KMS, TLS 1.3 in transit. Aurora, S3, OpenSearch — all encrypted by default.

Data Retention Controls

Per-type retention policies with automatic deletion on expiry. Legal hold for compliance investigations.

AI Guardrails

PII detection and anonymization, content filtering, and blocked words/topics. Applied per-agent with versioning and four configuration modes.

AI Guardrails

Control what your agents can say and see

Bedrock Guardrails built into every layer — from PII detection to content filtering to blocked topics. Configure once at the org level, override per-agent when you need to.

PII Detection & Anonymization

Automatically detect sensitive data — names, emails, SSNs, phone numbers — and block or anonymize it before it reaches the model or leaves in a response.

Content Filtering

Configurable filters for hate speech, insults, sexual content, violence, and misconduct. Set severity thresholds from NONE to HIGH per category.

Blocked Words & Topics

Define denied topics with definitions and examples. Add blocked word lists — including managed lists — to prevent agents from discussing off-limits subjects.

4 Configuration Modes

Platform default, org default, custom, or disabled. Org admins set the baseline; team managers override per-agent when needed.

Guardrail Versioning

Every guardrail change creates a new version. Roll back instantly. Agent deployments pin to a specific version for reproducibility.

Per-Agent Assignment

Each agent gets its own guardrail configuration. Sensitive agents get strict PII blocking; internal tools get lighter filters. One size does not fit all.

Layered guardrail inheritance

Set a platform default that applies everywhere. Override at the org level for industry-specific rules. Override again per-agent for fine-grained control — or disable guardrails entirely for internal tools.

1. Platform Default

Sensible baseline for all agents across all orgs

2. Org Default

Organization-specific rules (e.g., HIPAA-compliant filters)

3. Custom

Per-agent overrides for specialized use cases

4. Disabled

No guardrails — for internal or testing agents only

Compliance Dashboard

One dashboard for your security posture

Login history, tenant isolation, access controls, and security monitoring in one place.

Login History

Every login attempt tracked — successful and failed — with IP and device info.

Tenant Isolation

Row-level security with per-request context. Cross-tenant queries are impossible by design.

Security Alerts

Alerts on suspicious activity, failed logins, and potential security incidents.

Compliance Reports

Generate infrastructure audit reports on demand. Security controls and compliance posture in one view.

Compliance Reports

Compliance posture at a glance

Automated infrastructure audits across HIPAA, SOC 2, GDPR, NIST 800-53, and ISO 27001. Run them yourself, anytime.

Infrastructure Audit Tests

Last updated: Jan 28, 2026

  • SOC 2: Passing, 98% controls passing (last run: Jan 2026)
  • HIPAA: Passing, 95% controls passing (last run: Jan 2026)
  • NIST 800-53: Needs Attention, 87% controls passing (last run: Dec 2025)

Controls Passing Trend

12-month overview, Feb to Jan: 96.2% (+4.8%)

Evidence Collection

85 of 102 items collected

  • Access Controls: 95%
  • Encryption: 100%
  • Audit Logs: 88%
  • Incident Response: 72%
  • Overall Progress: 83%

Scheduled Test Runs

  • SOC 2 Test Run: Mar 15
  • HIPAA Test Run: Apr 2

Infrastructure Controls

Every layer locked down

AWS compliance-eligible infrastructure with automated audit tests you can run yourself.

VPC Isolation (Included)

Private subnets only. No public internet exposure.

KMS Encryption (Included)

Customer-managed KMS keys across all data stores.

CloudTrail Audit Logging (Included)

Full API audit trail. Tamper-proof logging to S3.

Row-Level Security (Included)

PostgreSQL RLS enforces tenant boundaries per query.

Infrastructure Audit Tests (Included)

Automated test suites for HIPAA, SOC 2, GDPR, NIST, and ISO 27001.

AWS Compliance Eligibility (Eligible)

Built entirely on HIPAA-eligible, SOC 2 auditable AWS services.
