100msai

Security, Safety, and Privacy at Our Core

Security, privacy, and compliance aren’t features; they are foundational to 100ms. The 100ms AI agents and platform are architected with multi-layered controls to meet the most rigorous standards in US healthcare.

HIPAA Compliant
We protect patient data in strict adherence with HIPAA and sign BAAs with our customers.
SOC2 Type II Certified
100ms is SOC 2 Type II attested for Security, Confidentiality, and Availability, per AICPA’s Trust Services Criteria.
US Data Residency
All customer data, including PHI and PII, is stored in the USA.

[ AI AGENT ]

AI Agent Security and Safety by Design

100ms AI agents are protected by a Defense-in-Depth approach with multi-layered safeguards that proactively prevent attacks, isolate risks, and ensure safe, on-policy behavior.

LAYER 1
Model-Level Safeguards & Content Control

Prompt injection, leakage, and jailbreaking are mitigated through secure prompt design, isolation from user input, and instructional redundancy. Bias mitigation, refusal scaffolds, and profanity filters ensure agents don’t provide unauthorized medical, legal or financial advice, stray from scope, or generate offensive responses.

LAYER 2
Runtime Monitoring & Anomaly Detection

Calls are monitored in real time for anomalies such as forbidden topics, hallucinated actions, excessive response lengths, and signs of bias. Severity-based controls allow us to flag, intervene, or terminate sessions as needed, preventing operational drift, unsafe behavior, or escalation of risky patterns.
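The following is an added illustration of the severity-based control idea described above; it is not 100ms code, and the rules, thresholds and sample transcript are constructed for the example. Each agent turn is checked against a small rule set, every rule carries an action (flag, intervene, terminate), the most severe triggered action wins for that turn, and a terminate stops the session so later turns are never emitted.

```python
"""Severity-based runtime monitor for agent turns (added example, constructed data)."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Actions ordered by severity; a turn takes the most severe action triggered.
SEVERITY: Dict[str, int] = {"allow": 0, "flag": 1, "intervene": 2, "terminate": 3}


@dataclass(frozen=True)
class Turn:
    text: str
    tool_calls: Tuple[str, ...]  # tools the agent actually invoked in this turn


@dataclass(frozen=True)
class Rule:
    name: str
    action: str  # one of "flag", "intervene", "terminate"
    check: Callable[[Turn], bool]


# Constructed patterns: unauthorized medical/legal/financial advice is off-policy.
FORBIDDEN = re.compile(r"\b(stop taking|double your dose|you should sue|invest in)\b", re.I)
# An agent claiming to have done something with no matching tool call is a
# hallucinated action.
CLAIMED_ACTION = re.compile(r"\bI(?:'ve| have) (cancelled|rescheduled|booked)\b", re.I)
MAX_WORDS = 120  # constructed response-length ceiling


def is_forbidden(turn: Turn) -> bool:
    return bool(FORBIDDEN.search(turn.text))


def is_hallucinated_action(turn: Turn) -> bool:
    return bool(CLAIMED_ACTION.search(turn.text)) and not turn.tool_calls


def is_too_long(turn: Turn) -> bool:
    return len(turn.text.split()) > MAX_WORDS


RULES: List[Rule] = [
    Rule("forbidden_topic", "terminate", is_forbidden),
    Rule("hallucinated_action", "intervene", is_hallucinated_action),
    Rule("excessive_length", "flag", is_too_long),
]


def evaluate_turn(turn: Turn) -> Tuple[str, List[str]]:
    """Return (action, names of triggered rules) for a single agent turn."""
    hits = [r for r in RULES if r.check(turn)]
    action = max((r.action for r in hits), key=SEVERITY.get, default="allow")
    return action, [r.name for r in hits]


def monitor_session(turns: List[Turn]) -> dict:
    """Walk a session in order; stop at the first terminate; return a summary."""
    events = []
    processed = 0
    for i, turn in enumerate(turns):
        processed = i + 1
        action, hits = evaluate_turn(turn)
        if hits:
            events.append({"turn": i, "action": action, "rules": hits})
        if action == "terminate":
            break  # session is cut off; remaining turns are not delivered
    final = max((e["action"] for e in events), key=SEVERITY.get, default="allow")
    return {"final_action": final, "events": events, "turns_processed": processed}


# Constructed sample session: one clean turn, one hallucinated action,
# one over-long reply, one forbidden-topic reply, and a turn that never runs.
SAMPLE_SESSION: List[Turn] = [
    Turn("Hi, I can help you confirm your upcoming appointment.", ()),
    Turn("I have rescheduled your appointment to Monday at 9am.", ()),
    Turn(" ".join(["detail"] * (MAX_WORDS + 10)), ()),
    Turn("You should stop taking your medication until then.", ()),
    Turn("Is there anything else I can help with?", ()),
]

if __name__ == "__main__":
    print(monitor_session(SAMPLE_SESSION))
```

The same "I have rescheduled" sentence is allowed when the turn carries a matching tool call, which is the distinction between an action the agent performed and one it merely asserted.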

LAYER 3
Infrastructure Isolation & Controlled Data Flow

Agents run in sandboxed containers isolated from core databases. They receive only the minimum data needed to perform the workflow for a single patient. This minimizes exposure, enforces task limits, and prevents data leakage—aligned with the principle of least privilege and zero trust access.

LAYER 4
Human-in-the-Loop QA & Escalation

Flagged calls and random samples are regularly reviewed by authorized QA teams. In cases where out-of-scope queries arise or customers opt in, agents escalate to human staff. This provides a final checkpoint to ensure accuracy, maintain trust, and handle sensitive conversations appropriately.

LAYER 5
Iterative Refinement & Feedback

Insights from red teaming, real-world usage, and stakeholder feedback—including clinicians, patients, and ops teams—are continuously fed back to improve prompts, detection rules, and infrastructure. This helps patch vulnerabilities and adapt quickly to emerging threats.

[ PLATFORM SECURITY ]

Enterprise-Grade Infrastructure and Operational Security

We secure the entire platform—from cloud hosting to APIs—with enterprise-grade controls that scale with your organization’s needs.

Encrypted Data
TLS 1.2+ for data in motion and AES-256 for data at rest ensure data protection end to end.
Zero Trust Architecture
All access is authenticated and authorized via IAM, SSO, and RBAC with least-privilege enforcement.
Secure APIs
JWT-protected APIs are secured with schema validation, throttling, and VPN access.
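As an added example of how the three API controls named above fit together in one request path (this is not 100ms code; the signing key, request schema and rate limits are constructed, and VPN restriction is a network control outside the scope of the snippet): the handler verifies an HS256 JWT with the standard library, rejects any token whose header does not name the expected algorithm, applies a per-subject token-bucket throttle, and validates the request body against a fixed schema before any work is done.

```python
"""JWT verification, schema validation and throttling in one handler (added example)."""
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional, Tuple

SECRET = b"constructed-demo-secret-do-not-use"  # hypothetical signing key


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint_token(claims: dict, secret: bytes = SECRET) -> str:
    """Build an HS256 JWT; used here only to produce input for the handler."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token: str, now: int, secret: bytes = SECRET) -> Optional[dict]:
    """Return the claims if algorithm, signature and expiry all check out, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":  # refuse "none" and algorithm confusion
            return None
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
        if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
            return None
        return claims
    except ValueError:  # malformed base64 / JSON / wrong number of segments
        return None


# Constructed request schema: exactly these keys, with these types.
SCHEMA: Dict[str, type] = {"patient_id": str, "workflow": str}


def validate_body(body) -> bool:
    if not isinstance(body, dict) or set(body) != set(SCHEMA):
        return False
    return all(isinstance(body[k], t) for k, t in SCHEMA.items())


class Throttle:
    """Token bucket per subject: `burst` requests at once, refilled at `rate` per second."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.state: Dict[str, Tuple[float, int]] = {}  # sub -> (tokens, last_ts)

    def allow(self, sub: str, now: int) -> bool:
        tokens, last = self.state.get(sub, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        if tokens < 1:
            self.state[sub] = (tokens, now)
            return False
        self.state[sub] = (tokens - 1, now)
        return True


def handle_request(auth_header: str, body, throttle: Throttle, now: int) -> Tuple[int, str]:
    """Authenticate, throttle, then validate; return an HTTP-style (status, message)."""
    if not auth_header.startswith("Bearer "):
        return 401, "missing bearer token"
    claims = verify_token(auth_header[len("Bearer "):], now)
    if claims is None or not claims.get("sub"):
        return 401, "invalid token"
    if not throttle.allow(claims["sub"], now):  # throttle before parsing the body
        return 429, "rate limited"
    if not validate_body(body):
        return 400, "schema violation"
    return 200, f"ok for {claims['sub']}"


if __name__ == "__main__":
    now = 1_000_000
    tok = mint_token({"sub": "svc-a", "exp": now + 60})
    th = Throttle(rate=1, burst=2)
    print(handle_request("Bearer " + tok, {"patient_id": "p1", "workflow": "reminder"}, th, now))
```

Throttling is applied before body validation on purpose: a caller that sends a stream of malformed bodies still consumes its request budget, so schema errors cannot be used to probe the API faster than well-formed requests could.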
Access and Audit Logs
All sessions, actions, and access requests are logged and auditable.
Compliance-Driven Hosting
Infrastructure is hosted in compliance-certified cloud environments.
Penetration Testing
Regular third-party testing validates the resilience of our defenses.
Vulnerability Scanning
All systems are scanned regularly for known CVEs and threats.
[ MONITOR & MITIGATE ]

Continuous Monitoring and Risk Mitigation

Security is an ongoing process. We rigorously test, break, monitor, and evolve our platform and agents to stay ahead of emerging threats.

Red Teaming & Adversarial Testing

Simulated attacks test jailbreaks, injections, and behavioral boundaries of the agents.

Evaluation Frameworks

Agents undergo regular evaluations against a robust test suite to prevent regressions and verify adherence to content restrictions.

Bug Bounty Program

Our Bug Bounty Program is hosted on HackerOne, and security researchers are incentivized to report vulnerabilities.

Automated Alerts

Security logs and anomalies in platform and agent behavior are monitored continuously to detect threats in real time.

[ FAQs ]

Frequently Asked Questions

We’re committed to transparency and welcome all questions from compliance, legal, and security teams.

All patient and customer data is stored securely in the USA.

We offer SLAs on our uptime, incident response time, and security reports and issues.

Patient data remains within a secure environment throughout implementation and operation. Our AI Agents access only the information necessary to perform specific functions.

We have implemented enterprise-grade security protocols to safeguard Protected Health Information (PHI). Our infrastructure features end-to-end encryption, role-based access controls, and secure data handling processes designed specifically for healthcare environments.

If you believe you've discovered a security-related issue, please reach out to us at security@100ms.ai.

Want to learn more about our security practices?

We’re happy to share our red teaming results, AI safety performance reports, and VAPT summaries under NDA. We also support enterprise security reviews and can complete due diligence questionnaires upon request.