Security Statement

Western Rainforest provides enterprise-grade AI classification infrastructure designed for operational intelligence. Security and data sovereignty are not afterthoughts; they are the architectural foundation of our products.

1. Zero-Retention Data Flow

Our models are built to eliminate data liability. We utilize a Stateless Inference Pipeline:

• Ingestion: Data is sent to our endpoints via TLS 1.3 encrypted connections.
• In-Memory Processing: The payload is processed strictly in RAM within an isolated container.
• Destruction: Immediately upon generating the output (confidence scores and intent tags), the memory state is cleared. No payloads are written to disk, databases, or logs.

2. Infrastructure Security

We deploy our models using Google Cloud Run utilizing a single-tenant architecture.

• Single-Tenant Isolation: Enterprise clients are provisioned their own dedicated Cloud Run service instances. Your compute environment is entirely isolated from other clients, preventing cross-tenant data leakage or noisy-neighbor performance issues.
• Ephemeral Compute: Google Cloud Run instances scale dynamically and are ephemeral. Containers are destroyed and spun up as needed, ensuring a clean, immutable runtime environment.
• Physical Security: Our infrastructure relies on Google Cloud's world-class physical data center security, compliance certifications (SOC 2, ISO 27001), and threat detection capabilities.

3. Access Control & API Security

• Authentication: API access is strictly controlled via cryptographic X-API-Key headers.
• CORS & Origin Whitelisting: Our endpoints enforce strict Cross-Origin Resource Sharing (CORS) policies. API requests are validated against pre-approved Origin headers (e.g., https://form.longiflo.com) to prevent unauthorized cross-site execution.
• Rate Limiting: Automated rate-limiting and DDoS protection (via Google Cloud Armor) are active across all endpoints to ensure sustained availability.

4. Regional Deployment & Sovereignty

• India (Asia-South): To comply with Indian data sovereignty requirements, local instances (e.g., asia-south1, asia-southeast1) are utilized to ensure that data routing and in-memory processing remain within designated geographic boundaries.
• United States (US-Central/East/West): US client traffic is routed strictly through US-based Google Cloud regions to comply with federal and state data residency requirements.

5. Model Security (Zero Hallucination)

Unlike generalized generative LLMs that are prone to prompt injection and hallucination, our intent classification engines (like Rucervus and Euptilura) are deterministic classifiers. They do not generate net-new text and are structurally immune to prompt-injection attacks designed to extract training data or alter system behavior.

6. Incident Response

Because we do not store payload data, the scope of any potential breach is vastly reduced to operational metadata. In the event of a security anomaly affecting infrastructure or API keys, affected clients will be notified within 24 hours per our internal incident response protocols.