// Security & Trust
Built to be trusted with your name.Built so you can trust it with your name.
When an AI answers the public under your brand, the question isn't "is it clever?" — it's "is it safe, contained, and accountable?" LINAsystems is engineered around that question: a dedicated, isolated install per customer, a thin safety floor your own operators cannot override, role-based access enforced on the server, an append-only audit trail, managed secrets, signed and fail-closed webhooks, encrypted transport behind a firewall, daily backups with documented recovery objectives, and 2,600+ automated tests run before every deployment.
When an AI talks to the public under your name, the real question isn't "is it smart?" — it's "is it safe, kept separate, and accountable?" LINAsystems is built around that question: each customer gets their own separate install, a small set of safety rules your own staff can't turn off, access rules checked on the server every time, a permanent record of every action, securely stored secrets, verified and rejection-by-default webhooks, encrypted traffic behind a firewall, daily backups with clear recovery targets, and 2,600+ automated tests run before anything ships.
// Trust posture
Isolation is the feature, not a setting.Keeping your data separate is the whole point, not an upgrade.
Every customer runs on a dedicated, isolated install — your own deployment, storage, secrets, and keys, with no shared-tenant data co-mingling. We treat that isolation as a feature rather than a tier; shared multi-tenancy is future work, not a corner we've cut. On top of that isolation sits a fixed safety floor enforced in code, server-side access control, and a continuously tested operations layer. The result is a platform that runs your public chat, your 24/7 phone agent, and your knowledge base while keeping the things that matter — your data, your credentials, your brand — under your control and ours alone.
Every customer gets their own separate install — your own deployment, your own storage, secrets, and keys, with no mixing of your data with anyone else's. We treat that separation as a core feature, not something you pay extra for; sharing infrastructure between customers is a possible future option, not something we skipped to save money. On top of that separation sits a fixed set of safety rules built into the code, access checks enforced on the server, and an operations layer that's constantly tested. The result is a platform that runs your public chat, your around-the-clock phone agent, and your knowledge base while keeping what matters most — your data, your credentials, your brand — under your control and ours alone.
// 01 — Your data, isolated
One dedicated install per customer.Each customer gets their own separate install.
There is no shared database where your supporters or customers sit next to someone else's. Each customer is provisioned as a separate, isolated deployment.
There's no shared database where your supporters or customers sit next to someone else's. Each customer gets their own separate setup, kept apart from everyone else's.
- A dedicated, isolated install per customer — your own deployment, storage, secrets, and keys.
- A dedicated, separate install for each customer — your own deployment, storage, secrets, and keys.
- No shared-tenant data co-mingling; your records are never blended with another organization's.
- No mixing of data between customers; your records are never blended with another organization's.
- Isolation is treated as the feature — shared multi-tenancy is explicitly future work, not the default.
- Keeping installs separate is treated as the main feature — sharing infrastructure between customers is a possible future option, not how things work today.
- You control all content from the Command Center — facts, prompts, website, and knowledge — and corrections go live in one turn across chat and phone.
- You control all the content from your Command Center dashboard — facts, prompts, the website, and the knowledge base — and any fix you make shows up immediately in both chat and phone.
// 02 — The immutable safety floor
A thin set of rules nobody can edit away.A small set of rules nobody can turn off.
Above the safety floor, you control everything. The floor itself is enforced in code — not just suggested in a prompt — and is guarded by drift tests so it cannot be quietly weakened by configuration, a clever question, or operator content.
Above the safety floor (the fixed bottom layer of rules), you control everything. The floor itself is built into the code — not just a suggestion in a prompt — and automated checks guard it so it can't quietly get weaker through a setting, a clever question, or content your team adds.
These five rules are a thin, immutable floor: operator content cannot override them, and drift tests catch any regression before it ships.
These five rules are a small, fixed floor: nothing your team adds can override them, and automated checks catch any slip before it ever ships.
// 03 — Access control & accountability
Roles enforced on the server. Actions written down.User roles checked on the server. Every action logged.
Permissions aren't hidden in the UI and hoped-for — they're enforced on every endpoint, and entitlements you haven't bought simply aren't reachable.
Permissions aren't just hidden in the menus and hoped for — they're checked on every single request, and features you haven't paid for simply aren't reachable, even if someone tries to call them directly.
- Three server-enforced roles — admin, editor, viewer — gate every privileged action. Viewers are read-only; editors get everything except account and credential surfaces; admins get full control.
- Three roles, checked on the server every time — admin, editor, viewer — gate every privileged action. Viewers can only look, not change anything; editors can do everything except manage accounts and credentials; admins have full control.
- Role-based access control is enforced server-side on every endpoint, not just concealed in the interface.
- RBAC (role-based access: admin / editor / viewer) is checked on the server for every request, not just hidden behind menus in the interface.
- Module entitlements return HTTP 403 for plans you haven't purchased — capability is checked at the server, not assumed by the client.
- If you haven't purchased a module, the server blocks the request outright (an HTTP 403 error) — access is checked on the server, not just assumed by what the screen shows you.
- An append-only audit trail records every privileged admin action, and login events fire subscribable alerts.
- A permanent, can't-be-edited log records every important admin action, and login events can trigger alerts you sign up for.
- Sensitive PII access is gated and audit-logged; donor and contact exports are gated and recorded the same way.
- Access to sensitive personal information is restricted and logged; exporting donor or contact lists is restricted and recorded the same way.
// 04 — Secrets & data handling
Your keys stay yours and stay hidden.Your keys stay yours, and stay out of sight.
You bring your own LLM API keys, and the platform is built so those credentials are never exposed back through the product surface.
You supply your own AI provider keys, and the platform is built so those credentials are never shown back to anyone through the product.
- Bring your own LLM API keys — you supply and own the credentials behind your install.
- Bring your own AI provider keys — you supply and own the credentials behind your install.
- Secrets live in a managed secret store and are never displayed, logged, or returned by the API.
- Secrets are kept in a managed, secure store and are never shown on screen, written to logs, or sent back by the API.
- PII is redacted by default in admin views, so sensitive contact details aren't casually exposed in the console.
- Personal contact details are hidden by default in the admin dashboard, so sensitive information isn't casually visible.
- Permanent per-person erase scrubs a contact's PII across chat, phone, and email channels — one record, fully removed.
- You can permanently erase one person's data — it removes their personal details from chat, phone, and email records all at once, fully removed.
Correct an answer once and it's live across chat and phone the same turn — and the same control plane that lets you fix facts is the one that keeps secrets out of every response.
Fix an answer once, and it's live in chat and on the phone in the very next message — the same dashboard that lets you correct facts is the one that keeps secrets out of every response.
// 05 — Network & transport
Encrypted, firewalled, and fail-closed.Encrypted, protected by a firewall, and rejects by default.
Traffic to and from your install is encrypted in transit and shielded, and the integrations that call in are cryptographically verified before they're trusted.
Traffic going to and from your install is encrypted and shielded along the way, and any outside system calling in is cryptographically checked before it's trusted.
- HTTPS everywhere, with TLS 1.2+ enforced for transport encryption.
- HTTPS everywhere, with TLS 1.2 or newer required to encrypt traffic.
- A web application firewall sits in front of the platform, inside a private network with least-privilege access.
- A web application firewall sits in front of the platform, inside a private network where each part only has the access it actually needs.
- Inbound webhooks are cryptographically signature-verified and fail closed — an unverified call is rejected, not waved through.
- Incoming webhooks have their signatures checked, and reject by default — an unverified call is turned away, not let through.
- Least-privilege access throughout, so each component reaches only what it needs.
- Minimal access everywhere, so each piece of the system can only reach what it actually needs.
// 06 — Reliability & operations
Watched continuously, backed up daily, tested before every deploy.Watched around the clock, backed up every day, tested before every update.
A platform that answers the public 24/7 has to stay up and stay correct. LINAsystems is monitored across every service in your install, scales for spikes, backs up daily, and rolls back fast — and nothing ships without passing the full test suite.
A platform that talks to the public around the clock has to stay up and stay accurate. LINAsystems is monitored across every part of your install, scales up automatically when traffic spikes, backs up every day, and can roll back quickly — and nothing goes out the door without passing the full set of tests.
- Continuous health monitoring with automated alerts across every service in your install.
- Ongoing health checks with automatic alerts across every service in your install.
- Auto-scaling for traffic spikes, so a busy moment doesn't become an outage.
- Automatic scaling for traffic spikes, so a busy moment doesn't turn into an outage.
- Daily backups with documented recovery objectives: RTO ~15 minutes, RPO ~1 day.
- Daily backups with clear recovery targets: back up and running in about 15 minutes, losing at most about a day's data.
- Fast, low-risk rollback when a change needs to be reversed.
- A fast, low-risk way to undo a change if something needs to be reversed.
- Backed by 2,600+ automated tests passing, run before every deployment.
- Backed by 2,600+ automated tests that have to pass before anything ships.
Built on a platform running in production — the same engine running in a real, live operation, branded to be trusted with your name.
Built on a platform that's already running in production — the same engine powering a real, live operation today, branded to be trusted with your name.
Have a specific security or compliance question? Start with the FAQ or reach us at hello@linasystems.org.
Have a specific security or compliance question? Start with the FAQ, or reach us directly at hello@linasystems.org.