Built to be trusted in production.
Open source, self-hostable, and reviewed by teams running AI in regulated environments. Security is a default, not a feature.
How we think about security.
Data ownership
Self-host the framework. AINative never sees your prompts, responses, or API keys. There is no SaaS layer to bypass.
Secret handling
Provider API keys stay server-side. The client never receives credentials. Tools execute in your environment, with your permissions.
Transport security
TLS everywhere. SSE and WebSocket transports support cert pinning, custom headers, and signed requests.
Self-hosting
Runs in your VPC, on-prem, or air-gapped. No outbound calls required. No telemetry, ever.
Auditability
Open source. Every line of the runtime is inspectable on GitHub. Pinned, semver-versioned releases.
Compliance
Materials available for SOC 2, ISO 27001, and HIPAA reviews. Provided to Enterprise customers.
What we do, in detail.
Vulnerability disclosure
Report security issues to security@ainative.dev. We respond within 24 hours and publish CVEs through GitHub Security Advisories.
Dependency policy
Zero runtime dependencies in the client core. Server adapters use only well-maintained, audited packages with automated updates.
Release signing
All npm and PyPI packages are signed and provenance-attested. Verify with sigstore or your registry's UI.
Reproducible builds
CI builds are deterministic. Lockfiles are committed. You can reproduce any release locally.
Need security documentation?
Enterprise customers receive a complete security pack including SOC 2 review materials, pen-test summaries, and a vendor questionnaire.