Trust Center

Security, compliance, and how A1SI operates

A1SI builds software for regulated and industrial work, so we hold ourselves to a plain standard of honesty about it: we tell you what our products are built to align with, and we tell you what they are not certified to do. This page consolidates the security and compliance signals that otherwise live inside individual product pages, describes how we handle data, and explains how an AI-operated company stays accountable.

Last reviewed: June 2026

“Aligned with” is not “certified”

These two words mean very different things, and most vendors blur them. We do not.

  • Built to align with a standard means our software produces the artifacts and follows the principles that standard calls for — the audit trails, the e-signatures, the data-integrity discipline.
  • Certified means an independent body has formally assessed and attested a specific system or workflow. Unless this page says a certification is held, it is not, and the customer’s own validation and certification remain their responsibility.

Compliance & standards

Each entry below states plainly whether A1SI is built to align with the standard or does not hold it. We never claim a certification we do not have.

21 CFR Part 11 (electronic records & e-signatures)

Built to align — not a certified system

EMDT and A1SI-TERM produce the artifacts a Part 11 workflow depends on: append-only, field-level audit trails and e-signatures bound to the records they approve. EMDT runs the full compliance suite — MDR, CAPA, complaint, and recall workflows with PIN-protected e-signatures on every state transition; A1SI-TERM records regulated sessions into hash-chained, tamper-evident transcripts with a § 11.200 e-signature ceremony. These capabilities are designed to support Part 11 workflows. A1SI-TERM and EMDT are not themselves FDA-cleared or validated systems, and certification of any specific regulated workflow — including legal, compliance, and validation review — remains the customer’s responsibility.

ALCOA+ (data-integrity principles)

Built to align

EMDT’s audit trail is designed around ALCOA+ attributability — every change is Attributable, Legible, Contemporaneous, Original, and Accurate, with field-level old-value/new-value tracking, the acting user, a change reason, and configurable per-organization retention. ALCOA+ is a set of principles, not a certificate; we follow the principles in the audit-trail design.

NIST Handbook 44 (weights & measures)

Not certified — capability, not certification

CVWS reads commercial-vehicle weights from Laumas CLM8 load cells and keeps an append-only membership audit log with an 8-channel millivolt snapshot, so a weighing event is reconstructable after the fact. That is a capability, not a certification. CVWS weight readings are not certified for legal-for-trade or other regulatory use, and CVWS is not a NIST Handbook 44 legal-for-trade certified device. Where legal-for-trade weighing is required, a certified scale system is needed in addition to CVWS.

SOC 2 / ISO 27001

Not held today

A1SI does not hold a SOC 2 attestation or ISO 27001 certification at this time, and we will not imply otherwise. We mention them here only to be explicit about what we do and do not have. The security practices below describe the controls that are actually in place today.

Security practices

The controls below are in place in shipping products today. We list only what we can point to in the software itself — no aspirational security theater.

Single sign-on and role-based access control

A1SI’s multi-tenant products authenticate through Keycloak enterprise single sign-on (email, Google, Apple, and Microsoft). Access is governed by role-based access control (RBAC): EMDT layers granular permissions over an authority level, so an administrator can never be edited by anyone they outrank, while CVWS enforces per-organization permissions deciding who can weigh, view history, and administer.

Immutable, append-only audit logging

Regulated activity is written to append-only audit logs that record what changed, who changed it, when, and why. EMDT’s org-wide audit trail is immutable and CSV-exportable with field-level change tracking and HMAC-SHA256 e-signatures bound to individual records; A1SI-TERM records regulated terminal sessions into hash-chained, Ed25519-signed transcripts that replay deterministically. The specific cryptographic primitive is the one each product ships — we do not generalize it across products it isn’t used in.
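The mechanism described above, as an added illustration that is not A1SI's code and not taken from EMDT or A1SI-TERM: a minimal append-only audit log in which each entry records what changed, who changed it, when, and why, carries the hash of the previous entry (the hash chain), and is signed by a key bound to the entry's content. A1SI-TERM is stated to use Ed25519 signatures; this example stands in with an HMAC-SHA256 tag (Python standard library only), which gives tamper evidence but, unlike Ed25519, offers no third-party verifiability without the secret key. All field names, the key, and the sample entries are constructed for the example.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Hash of "nothing" that the first entry chains to (constructed convention).
GENESIS = "0" * 64


def canonical(obj) -> bytes:
    """Deterministic JSON so the same entry always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


@dataclass
class AuditLog:
    """Append-only, hash-chained audit log with per-entry HMAC-SHA256 tags.

    `key` is a constructed stand-in for a per-organization signing key.
    """
    key: bytes
    entries: List[dict] = field(default_factory=list)

    def append(self, user: str, when: str, field_name: str,
               old, new, reason: str) -> dict:
        # Link to the previous entry's hash so deletion or reordering is detectable.
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries),
            "user": user,            # attributable
            "when": when,            # contemporaneous (ISO-8601 string supplied by caller)
            "field": field_name,     # field-level change tracking
            "old": old,
            "new": new,
            "reason": reason,
            "prev_hash": prev,
        }
        entry_hash = hashlib.sha256(canonical(body)).hexdigest()
        # The tag covers the entry hash, which itself covers the whole body,
        # so the signature is bound to exactly this record and its chain position.
        tag = hmac.new(self.key, entry_hash.encode(), hashlib.sha256).hexdigest()
        entry = dict(body, entry_hash=entry_hash, signature=tag)
        self.entries.append(entry)
        return entry

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Walk the chain; return (True, None) or (False, index of first bad entry)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k not in ("entry_hash", "signature")}
            if body["seq"] != i or body["prev_hash"] != prev:
                return False, i                      # entry removed, inserted or reordered
            expected = hashlib.sha256(canonical(body)).hexdigest()
            if expected != e["entry_hash"]:
                return False, i                      # entry content edited in place
            tag = hmac.new(self.key, expected.encode(), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(tag, e["signature"]):
                return False, i                      # signature does not match content
            prev = expected
        return True, None


def build_sample_log() -> AuditLog:
    """Constructed sample: three field-level changes on a device record."""
    log = AuditLog(key=b"constructed-demo-key-not-a-real-secret")
    log.append("alice", "2026-06-01T09:00:00Z", "device.status", "draft", "active", "initial release")
    log.append("bob", "2026-06-02T14:30:00Z", "device.firmware", "1.0", "1.1", "CAPA-0001 fix")
    log.append("alice", "2026-06-03T08:15:00Z", "device.status", "active", "recalled", "field report")
    return log


def tampered_log() -> AuditLog:
    """Same log, then the middle entry's new value is edited after the fact."""
    log = build_sample_log()
    log.entries[1]["new"] = "1.0"
    return log


def truncated_log() -> AuditLog:
    """Same log, then the middle entry is silently deleted."""
    log = build_sample_log()
    del log.entries[1]
    return log


if __name__ == "__main__":
    print("intact   :", build_sample_log().verify())
    print("edited   :", tampered_log().verify())
    print("truncated:", truncated_log().verify())
```

The verifier reports the index of the first entry that fails, which is what an investigator wants: everything before that index is still attested, everything from it onward is suspect. A CSV export of the same entries (as EMDT provides) keeps `prev_hash`, `entry_hash` and `signature` columns so the export can be re-verified independently of the database.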

Multi-tenant isolation enforced by the platform

In EMDT and CVWS, every record — device, location, compliance document, audit entry — is scoped to your organization and enforced by the platform itself, not merely hidden in the interface. One customer’s data is never visible to another, and per-organization permissions further narrow access within a tenant.

Credentials stored in native keychains

A1SI-TERM keeps connection credentials in the operating system’s native keychain (Windows Credential Manager, macOS Keychain, Linux Secret Service), layered over an Argon2id-wrapped AES-256-GCM file vault, with secrets wiped from memory after use — never in plain-text config files. Structured logs apply automatic secret redaction before anything is written to disk.
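The "automatic secret redaction before anything is written to disk" point above, as an added example that is not A1SI-TERM's code: a logging filter that rewrites the fully formatted message before any handler emits it, so a password passed as a format argument never reaches the log file. The patterns (key=value secrets, bearer tokens, and one access-key-id shape) and the logger name are constructed assumptions, not the product's list.

```python
import io
import logging
import re
from typing import List

# Constructed redaction rules; a real deployment would tune these to its own secret formats.
SECRET_PATTERNS = [
    # password=..., api_key: ..., token=... (keeps the key name, drops the value)
    (re.compile(r"(?i)\b(password|passwd|secret|api[_-]?key|token)\s*[=:]\s*\S+"),
     r"\1=[REDACTED]"),
    # HTTP bearer tokens
    (re.compile(r"\bBearer\s+[A-Za-z0-9._~+/=-]+"), "Bearer [REDACTED]"),
    # AWS-style access key id shape (constructed example of a fixed-format credential)
    (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "[REDACTED]"),
]


def redact(text: str) -> str:
    """Apply every pattern to the text; order does not matter for these rules."""
    for pattern, replacement in SECRET_PATTERNS:
        text = pattern.sub(replacement, text)
    return text


class RedactingFilter(logging.Filter):
    """Redacts the formatted message so secrets in %-args are caught too."""

    def filter(self, record: logging.LogRecord) -> bool:
        # getMessage() interpolates record.args; after that we clear args so
        # the handler's formatter does not interpolate a second time.
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def demo_lines() -> List[str]:
    """Log three constructed messages through the filter and return what was written."""
    logger = logging.getLogger("redaction.demo")  # hypothetical logger name
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)

    stream = io.StringIO()                 # stands in for the on-disk log file
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RedactingFilter())   # runs before emit(), so the file never sees the secret
    logger.addHandler(handler)

    logger.info("connecting to %s as %s password=%s", "db1.internal", "alice", "hunter2")
    logger.info("upstream request header Authorization: Bearer eyJhbGciOi.constructed.token")
    logger.warning("credential rotated for key_id=AKIAIOSFODNN7EXAMPLE")
    return stream.getvalue().splitlines()


if __name__ == "__main__":
    for line in demo_lines():
        print(line)
```

Attaching the filter to the handler rather than the logger is deliberate: a logger-level filter is skipped for records that arrive via child loggers' propagation, while a handler-level filter sees every record that handler would write.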

United States-hosted data

A1SI’s websites and the data they collect are hosted in the United States. If you visit from outside the U.S., information you provide is transferred to and processed in the United States, where our servers are operated. See the Privacy Policy for the full data-handling description.

Data handling & sub-processors

Our public website is deliberately light on data collection. We do not run advertising, we do not sell or share personal information for cross-context behavioral advertising, and analytics stay off until you accept them through our cookie banner. The complete description of what we collect and why lives in the Privacy Policy.

The only third parties that touch website data are:

  • Google Analytics — consent-gated website analytics. No analytics cookies are set until you opt in, and we honor Global Privacy Control (GPC) signals.
  • Mailgun — delivers the email from our contact and early-access forms. It processes only what you submit on those forms.
  • Railway — the United States-based hosting platform that serves this website.

Website data is hosted in the United States. Product platforms (EMDT, CVWS, and others) keep customer records in their own secure, multi-tenant cloud databases, isolated per organization as described above.

How A1SI works: AI under human direction

A1 Systems Integrators is operated end to end by autonomous AI agents, disclosed openly — one of the first companies run this way. We treat that as a reason for more transparency, not less. The engineering pedigree behind the company reaches back to 1997; the operating model today is AI agents working under the direction of human leadership.

Human directors hold final accountability. Regulated and compliance-sensitive outputs are reviewed under human oversight, and we do not make solely-automated decisions that produce legal or similarly significant effects about individuals. The compliance primitives in our regulated products — A1SI-TERM’s policy engine, e-signature ceremony, and panic-exit; EMDT’s PIN-protected e-signatures and immutable audit trail — are deliberately human-in-the-loop, not autonomous.

You can see exactly who does what: meet the executive team and the AI teams that run the company, each honestly documented as an AI agent. For the full account of the approval gates, escalation path, and support commitment behind this model, read How A1SI Works.

Reporting a security issue

If you believe you have found a security vulnerability in an A1SI product or website, we want to hear from you. Please email security@a1si.com with enough detail to reproduce the issue. We ask that you give us a reasonable opportunity to investigate and remediate before any public disclosure, and that your testing does not degrade service or access data that is not yours.

A machine-readable contact is published at /.well-known/security.txt per RFC 9116.

Have a security or compliance question?

Procurement, security review, or a regulated-workflow question — ask us directly and a human director will make sure it is answered honestly.

Contact us