    NobleHost AI Security Whitepaper

    Defence‑in‑depth security controls protecting guest data, intellectual property, and operational integrity

    SOC 2 Type II
    PCI DSS Level 1
    GDPR Compliant

    Executive Summary

    NobleHost AI delivers human‑grade conversational experiences while applying defence‑in‑depth security controls that protect guest data, intellectual property, and operational integrity. This whitepaper details our threat model, architectural safeguards, compliance posture, and customer responsibilities.

    Threat Model

    Primary Threats Identified

    Our security architecture addresses the following critical threat vectors:

    • Eavesdropping on voice traffic
    • Unauthorised API access
    • Prompt injection attacks
    • Data leakage from RAG store
    • Denial‑of‑service against critical micro‑services

    Platform Architecture and Security Controls

    Multi-layered security protecting every component

    Network Segmentation

    Production workloads are isolated in a private subnet with security groups allowing only required ports. Management and data planes are separated to contain lateral movement.

    Authentication and Authorization

    All endpoints enforce OAuth 2.1 with short‑lived access tokens issued by Auth0. Role‑based access control (RBAC) restricts permissions at a per‑micro‑service level.
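    The token and role checks described above, as an added illustration that is not NobleHost's code: a micro‑service verifies a short‑lived token's signature, expiry and audience before consulting a per‑service role table, and denies anything it cannot positively match. The HMAC‑signed compact token, the `Policy` table, the service and role names and the secret are all constructed for the example; a production service would instead validate the identity provider's signed JWT against its published keys.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims carried by an access token; "aud" binds the token to one micro-service.
type Claims struct {
	Subject  string   `json:"sub"`
	Audience string   `json:"aud"`
	Roles    []string `json:"roles"`
	Expires  int64    `json:"exp"` // Unix seconds; minutes, not hours, by design
}

// Policy is a constructed per-micro-service RBAC table: service -> role -> actions.
var Policy = map[string]map[string][]string{
	"transcripts": {"agent": {"read"}, "supervisor": {"read", "export"}},
	"billing":     {"finance": {"read", "refund"}},
}

// sign returns the base64url HMAC-SHA256 tag over the encoded payload.
func sign(secret []byte, payload string) string {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(payload))
	return base64.RawURLEncoding.EncodeToString(m.Sum(nil))
}

// Issue mints a compact "payload.signature" token. The shared-secret HMAC is a
// stand-in for the identity provider's signed JWT so the example runs offline.
func Issue(secret []byte, c Claims) (string, error) {
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	payload := base64.RawURLEncoding.EncodeToString(body)
	return payload + "." + sign(secret, payload), nil
}

// Verify checks signature, expiry and audience; no claim is trusted until all three pass.
func Verify(secret []byte, token, service string, now time.Time) (*Claims, error) {
	payload, sig, ok := strings.Cut(token, ".")
	if !ok {
		return nil, errors.New("malformed token")
	}
	// Constant-time comparison so the tag cannot be guessed byte by byte.
	if !hmac.Equal([]byte(sig), []byte(sign(secret, payload))) {
		return nil, errors.New("bad signature")
	}
	body, err := base64.RawURLEncoding.DecodeString(payload)
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(body, &c); err != nil {
		return nil, err
	}
	if now.Unix() >= c.Expires {
		return nil, errors.New("token expired")
	}
	if c.Audience != service {
		return nil, errors.New("token not issued for this service")
	}
	return &c, nil
}

// Authorize reports whether any of the caller's roles permits the action on this
// service; unknown services, roles and actions deny by default.
func Authorize(c *Claims, service, action string) bool {
	if c == nil {
		return false
	}
	for _, role := range c.Roles {
		for _, allowed := range Policy[service][role] {
			if allowed == action {
				return true
			}
		}
	}
	return false
}

func main() {
	secret := []byte("constructed-demo-secret") // a per-deployment secret in practice
	now := time.Now()
	tok, _ := Issue(secret, Claims{Subject: "agent-7", Audience: "transcripts",
		Roles: []string{"agent"}, Expires: now.Add(5 * time.Minute).Unix()})
	c, err := Verify(secret, tok, "transcripts", now)
	fmt.Println("verified:", err == nil, "read:", Authorize(c, "transcripts", "read"),
		"export:", Authorize(c, "transcripts", "export"))
	_, err = Verify(secret, tok, "transcripts", now.Add(10*time.Minute))
	fmt.Println("ten minutes later:", err)
}
```

    Audience binding is what stops a token minted for the transcripts service from being replayed against billing, and the expiry check is only as good as the clock it is given, which is why `now` is passed into `Verify` rather than read inside it.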

    Data Flow and Encryption

    Voice packets are streamed over SRTP with AES‑256. API traffic uses TLS 1.3 with perfect forward secrecy. Internal gRPC calls are secured with mTLS, using certificates that cert‑manager rotates every 24 hours.

    Data Protection

    At Rest

    • PostgreSQL and vector stores reside on encrypted volumes (AES‑256‑GCM)
    • Backups are client‑side encrypted before transfer to object storage

    In Transit

    • All data leaves the VPC only over HTTPS
    • Automatic HSTS headers are enforced by the ingress controller

    Personal Data Handling

    • Personally identifiable information is tokenised and stored using the Vault Transit secrets engine
    • The token mapping table is isolated from application databases

    Data Retention

    • Call recordings and chat transcripts are retained for 30 days by default unless a contractual extension applies
    • Obsolete data is deleted by cryptographic erasure, and each erasure is verified in the audit logs
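    The tokenisation and erasure controls described under Personal Data Handling and Data Retention (PII tokenised with its mapping isolated from application databases; obsolete data removed by cryptographic erasure verified in audit logs), as an added illustration that is not NobleHost's code and does not use Vault: each PII value is encrypted under its own data‑encryption key and replaced by a random token, and a retention sweep destroys the keys of records past the window, then proves each record is unreadable before it writes the audit event. `TokenVault`, the `tok_` prefix, the action names, the injectable clock and the sample PII are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"time"
)

// AuditEvent is what an auditor reads to confirm an erasure actually took effect.
type AuditEvent struct {
	At       time.Time
	Action   string
	Erased   int  // records whose keys were destroyed
	Verified bool // every erased record failed to detokenise afterwards
}

type record struct {
	subject   string
	createdAt time.Time
	nonce, ct []byte
}

// TokenVault is a constructed stand-in for the isolated mapping store: application
// tables hold only opaque tokens; ciphertext and per-record DEKs live here.
type TokenVault struct {
	Now     func() time.Time  // injectable clock so retention can be tested
	deks    map[string][]byte // token -> 32-byte AES-256-GCM key
	mapping map[string]record // token -> encrypted PII
	Audit   []AuditEvent
}

func NewTokenVault() *TokenVault {
	return &TokenVault{Now: time.Now, deks: map[string][]byte{}, mapping: map[string]record{}}
}

func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no safe fallback when the CSPRNG fails
	}
	return b
}

func newGCM(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // keys are always 32 bytes here, so this cannot fail
	gcm, _ := cipher.NewGCM(block) // nor can GCM construction over an AES block
	return gcm
}

// Tokenise encrypts the PII under a fresh per-record DEK and returns an opaque token.
func (v *TokenVault) Tokenise(subject, pii string) string {
	token := "tok_" + hex.EncodeToString(mustRandom(16))
	key := mustRandom(32)
	gcm := newGCM(key)
	nonce := mustRandom(gcm.NonceSize())
	// The subject id is bound as associated data so a ciphertext cannot be re-homed.
	ct := gcm.Seal(nil, nonce, []byte(pii), []byte(subject))
	v.deks[token] = key
	v.mapping[token] = record{subject: subject, createdAt: v.Now(), nonce: nonce, ct: ct}
	return token
}

// Detokenise recovers the PII; it fails permanently once the record's DEK is gone.
func (v *TokenVault) Detokenise(token string) (string, error) {
	rec, ok := v.mapping[token]
	key, haveKey := v.deks[token]
	if !ok || !haveKey {
		return "", errors.New("unknown token or key erased: data unrecoverable")
	}
	pt, err := newGCM(key).Open(nil, rec.nonce, rec.ct, []byte(rec.subject))
	return string(pt), err
}

// erase destroys the DEKs of the selected records, then proves each one is
// unreadable before the audit entry is written.
func (v *TokenVault) erase(action string, selected func(record) bool) AuditEvent {
	ev := AuditEvent{At: v.Now(), Action: action, Verified: true}
	for token, rec := range v.mapping {
		if !selected(rec) {
			continue
		}
		delete(v.deks, token)
		ev.Erased++
		if _, err := v.Detokenise(token); err == nil {
			ev.Verified = false // still readable: erasure did not take effect
		}
	}
	v.Audit = append(v.Audit, ev)
	return ev
}

// SweepExpired enforces the retention window across every stored record.
func (v *TokenVault) SweepExpired(retention time.Duration) AuditEvent {
	cutoff := v.Now().Add(-retention)
	return v.erase("retention-sweep", func(r record) bool { return r.createdAt.Before(cutoff) })
}
```

    A data‑subject deletion request is the same `erase` with a predicate on `record.subject` instead of `createdAt`. The verification step deliberately attempts decryption after the key deletion: an audit entry with `Verified: false` means a key survived somewhere, which is exactly the condition a reviewer of the audit log needs to be able to see.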

    Compliance Alignment

    GDPR (Certified): Data subject rights portal with automated deletion workflows

    CCPA (Certified): Do‑not‑sell flag honoured across all downstream systems

    SOC 2 Type II (Certified): Independent audits performed annually covering security, availability, and confidentiality

    PCI DSS SAQ A (Certified): Cardholder data is processed solely by a tokenised payment provider; NobleHost never stores the PAN

    Security Metrics & SLAs

    RPO (Recovery Point Objective): ≤ 5 minutes
    RTO (Recovery Time Objective): ≤ 30 minutes
    High-severity findings remediation: 14 days
    Medium-severity findings remediation: 30 days
    Audit log retention: 365 days

    Additional Security Information

    Future Enhancements

    Security Roadmap

    Planned security improvements and research initiatives

    • Hardware security module (HSM) integration for signing keys
    • Homomorphic encryption research for sensitive AI inference
    • Differential privacy controls for analytics exports

    Glossary

    ASR: Automatic Speech Recognition
    MCP: Model Context Protocol
    RBAC: Role‑Based Access Control
    RPO: Recovery Point Objective
    RTO: Recovery Time Objective

    Security Questions?

    Our security team is available to discuss your specific requirements and provide additional documentation.
