Security you can trust

We take a principled approach to protecting your data and systems across Spice Cloud, open-source, and enterprise deployments. Our team works diligently to ensure everything we build is safe, reliable, and secure.

Security Principles

Our principles form the foundation of Spice AI’s security, guiding every decision and action we make.

Compliance

Certified SOC 2 Type II compliance.

Secure access control

Authentication (AuthN), Authorization (AuthZ), and RBAC (Role-Based Access Control).

Data protection

All secret and sensitive information is encrypted in transit and at rest.

Multi-factor authentication

All authentication systems require and enforce multi-factor authentication (MFA).

Least privilege

Least-privilege access is enforced so that users, employees, and contractors have no more access than is necessary.

Defense-in-depth

Multiple layers of security controls.

Auditable

Access and usage are logged and auditable.

Secure code

Code is scanned and tested for secrets and vulnerabilities.

Code audits

Internal and external experts audit codebases to identify and address vulnerabilities, maintain best practices, and ensure adherence to security standards.

Just-in-time access

Access is given only when it’s required.

Security is a shared responsibility

Protecting the confidentiality, integrity, and availability of Spice systems is the top priority. We use strong access controls, encryption, code scans, secure patching, isolated environments, and external audits. Customers also help maintain security by following authentication and access best practices.


FAQs

Answers to common questions about how we protect data and ensure safe, reliable operations.

Is Spice SOC 2 compliant?

Yes. Spice AI has achieved SOC 2 Type II compliance, independently audited by Prescient Assurance in accordance with AICPA standards. This certification validates our commitment to enterprise-grade security, availability, and process integrity. A copy of the audit report is available to customers on the Spice.ai Enterprise plan upon request.

How is data protected in Spice?

Spice AI encrypts all sensitive data in transit and at rest. Corporate secrets are stored in an enterprise-grade password manager with SSO access, and service secrets are managed using platform-specific secure key vaults. TLS 1.2+ is enforced for all encrypted transmissions. Access is logged, auditable, and restricted using least-privilege and JIT access controls.

How does Spice enforce access control?

Spice uses a combination of SSO, RBAC, strong authentication, and least-privilege policies to protect systems and environments. Access is granted only when required through just-in-time (JIT) workflows and automatically expires after a limited time. All access is logged, monitored, and auditable.
