Security, Privacy & Governance at DoCoreAI
DoCoreAI is designed for production GenAI systems operating under security, risk, and governance constraints. We observe system behavior, not model content.
Designed for privacy by default: we never store prompt or output content—only telemetry (token counts, timings, success signals) needed to compute cost, efficiency, and ROI.
Our Trust Philosophy
DoCoreAI follows a minimal, privacy-first design. We collect only what is required to understand how GenAI systems behave in production, without accessing or storing prompts, responses, or customer data.
This approach allows teams to operate, monitor, and govern GenAI systems without introducing new privacy or security risks.
What Data We Collect (and What We Don’t)
We collect
- Token counts (prompt and completion)
- Request latency, retries, and error signals
- Model and version identifiers
- High-level usage and cost metrics
We do not collect
- Prompt text or prompt bodies
- Model responses or generated content
- User inputs or application payloads
- LLM provider API keys or secrets
- Personally identifiable information (PII) by default
DoCoreAI is intentionally content-blind.
Data Flow Overview
Application content flows directly between your system and the LLM provider. DoCoreAI receives telemetry through a separate, telemetry-only channel.
DoCoreAI does not proxy or store LLM requests or responses. Prompt and response content is processed transiently only to compute telemetry metrics and is never persisted or transmitted.
For a deeper architectural explanation, see how this design addresses the GenAI production blind spot .
Security Controls
Encryption
- Encrypted communication using HTTPS
- Stores only non-sensitive operational telemetry such as numeric metrics, timestamps, and model identifiers. No customer content or secrets are stored
Access Controls
- Token-based authentication for clients
- Access to production systems and databases is restricted. Internal access is granted only when explicitly required and for a limited duration. All regular users, including internal teams, access data only through authenticated dashboards.
- DoCoreAI dashboards are read-only. There are no administrative actions that modify, delete, or alter customer data through the application interface.
Tenant Isolation
- Each customer’s telemetry is logically isolated and accessed only through their assigned token and authenticated account.
- Customers cannot access or view telemetry belonging to other customers.
Risk & Reliability Design
Non-Blocking Architecture
DoCoreAI does not sit in the execution path of LLM requests. If DoCoreAI is unavailable, customer applications continue to function normally.
Failure Isolation
Telemetry collection is designed to fail safely without impacting model execution or application availability.
Retention & Control
- Telemetry retention is configurable per tenant
- Telemetry can be disabled for sensitive projects or environments
- Data deletion requests are supported
Compliance & Audit Readiness
DoCoreAI is designed to align with common enterprise security and privacy expectations.
- Alignment with SOC 2 and ISO 27001 control principles (roadmap)
- GDPR-aligned data minimization and purpose limitation
- DoCoreAI acts as a data processor; customers remain data controllers
- Sub-processors are limited to essential infrastructure providers
AI Governance Enablement
DoCoreAI supports post-deployment oversight of GenAI systems without capturing prompts or outputs.
- Cost and usage trend monitoring
- Latency and reliability signals
- Retry patterns and behavioral anomalies
- Model and version change visibility over time
This enables governance teams to maintain oversight without introducing content-level surveillance.
Vulnerability Disclosure
If you discover a security vulnerability, please report it responsibly.
Email: saji.john@docoreai.com
We acknowledge reports and work toward timely remediation.
Security & Privacy Contact
Security inquiries: info@docoreai.com
Privacy information: Privacy Policy