Trust & Security

Discretion is not a feature. It's the premise.

The firms that trust AEGIS handle sensitive work — for clients who trust them. That chain of responsibility shapes every decision we make about how the platform operates, who can access what, and what happens to client information when work is done.

ALL SYSTEMS OPERATIONAL · INVITE-ONLY PLATFORM
Frameworks & Standards

What we produce — and what we hold ourselves to.

AEGIS delivers documentation for the frameworks your clients need. The platform itself is built to operate inside those same standards. The list below reflects current availability. If you don't see what you need, ask — additional coverage may be available depending on your engagement type and jurisdiction.

SOC 2 TYPE I & II
Security, availability, and confidentiality controls for service organizations. The framework AEGIS delivers for clients, and the one it measures its own operational controls against.
ISO 27001
International information security management standard. Systematic risk treatment, access control, and operational requirements — applied to client engagements and the platform itself.
HIPAA
Healthcare privacy and security. Medical and clinical engagements are handled under infrastructure designed to meet HIPAA requirements, including Business Associate Agreement coverage where applicable.
GDPR
Data protection and privacy rights for individuals in the EU. Client data handling is built around GDPR obligations including purpose limitation, data minimization, and the right of erasure.
CMMC 2.0 & NIST
Cybersecurity maturity and federal risk frameworks for defense contractors and government-adjacent organizations. Engagements in this space are scoped and isolated accordingly.
And others
PCI DSS, FedRAMP, DORA, and sector-specific frameworks may be available. Your requirements drive the scope — not a fixed menu. Tell us what you're working with.
Coverage beyond what is listed here may be available. Jurisdiction-specific requirements, emerging frameworks, and bespoke compliance needs are handled through direct engagement — not ruled out upfront. If your situation is unusual, that is exactly the kind of conversation we are set up to have.
How we operate

What actually happens with client information.

Not policy language — practices. Here is what happens every time work moves through the platform.

Client information is protected before processing begins
Identifying details are separated from the substance of the work before analysis starts. The deliverable is produced from what matters — not from names, addresses, or identifiers that have no bearing on output quality.
Each client's work stays in its own lane
One firm's client engagements never influence another firm's results. Every engagement is contained. The intelligence your engagements produce belongs to your practice — it does not flow into a shared pool that benefits your competitors.
Every decision made during production is on record
A complete, ordered log of every judgment made during document production is captured and preserved. If a question ever arises about why a document says what it says, the answer exists — and cannot be altered after the fact.
We do not sell data. We do not run ads.
AEGIS earns revenue from the work it produces — not from what it observes while producing it. Client information is used to complete the engagement. That is the only use.
Your brand, your relationship, your client
Firms that operate AEGIS under their own name own that relationship completely. Deliverables carry your brand. We are the infrastructure behind the work — what you build on top of it is yours.
Regulated industries

Built for work where the stakes are real.

Every sector below operates in an environment where a documentation error or a breach of discretion carries professional, legal, or financial consequences. AEGIS is designed for that reality.

Compliance & GRC
Audit-ready deliverables across SOC 2, ISO 27001, HIPAA, CMMC, NIST, GDPR, and more — produced with practitioner-level rigor and a complete audit trail behind every position taken.
Legal
Matter-sensitive work handled with the discretion the profession demands. Attorney-client privilege considerations are part of the design — not an afterthought added on request.
Healthcare
Medical compliance and accreditation work handled under infrastructure built to meet HIPAA requirements — including engagements where patient-adjacent information is in scope.
Financial Services
Regulatory documentation and risk frameworks for institutions where accuracy, traceability, and confidentiality are baseline requirements — not premium add-ons.
Infrastructure

What runs the platform — and what each part sees.

We disclose the categories of infrastructure involved in processing an engagement and the role each plays. Specific providers and alternative configurations are available on request. If your jurisdiction, clearance level, or data residency requirements call for something different from the defaults below — ask.

Engagement processing
Runs the work from intake to delivery — US-based by default
US-BASED DEFAULT
Intelligent analysis
Powers document drafting and review — receives protected, de-identified inputs only
DE-IDENTIFIED INPUT
Authentication & records
User access and engagement records — encrypted at rest, isolated per firm
ENCRYPTED AT REST
Client interface
Portal and intake delivery — static pages only, no client data handled at this layer
STATIC ONLY
Infrastructure location and provider selection can be discussed for enterprise, government, and regulated-industry clients with specific data residency or jurisdictional requirements. EU hosting, government-isolated environments, and alternative provider configurations may be available. What's listed above is the default — it is not a ceiling.
Agreements

What the contract covers.

The AEGIS services agreement makes explicit commitments in the areas below. Complete documentation is provided at onboarding and available on request. If your situation has requirements not listed here, raise them — the agreement is built to be adapted, not to be a barrier to getting the right protections in place.

Ownership of deliverables and underlying client data
Third-party processing disclosure and subprocessor list
Data handling, retention, and deletion terms
Delivery timelines and quality commitments by tier
Incident response and notification obligations
Governing law and dispute resolution
Addenda for government, international, healthcare, and financial engagements
IP ownership — deliverables are yours; platform methodology remains ours
Have requirements that aren't covered here?
Enterprise and regulated-industry onboarding always includes a direct conversation before any work starts. If something you need isn't on this page, ask — there's a good chance we've already thought about it.