Users and their roles and departments can be managed on the customer IDP. For regular users, data will be separated using access groups. Additionally, there are administrative roles for the technical admin (no data access) and support user (access to all data). This can be adjusted to meet customer needs during the integration project.
Change Management Regulations:
Service Level Agreements and Performance Monitoring:
Confidentiality, Data Security, and Data Protection:
Contract Termination and Data Return:
Outbound: Analytics provider (Clarity, Mixpanel, or similar, sensitive data is anonymized in the browser before transmission, audit trail available for client verification), transmitted exclusively via TLS from the browser.
In these slides, you will see how amaise can be integrated into the core system of your organization.
Yes, access to the application is exclusively through Google Chrome.
The contracting party is amaise AG.
At amaise, we operate a comprehensive backup program. This includes our internal systems, where our backup measures are aligned with system recovery requirements. Regarding our cloud products, specifically for you and your application data, we have also established extensive backup measures. We use the snapshot feature of Amazon RDS (Relational Database Service) to create daily automated backups of each RDS instance. Amazon RDS snapshots are retained for 30 days, support point-in-time recovery, and are encrypted with AES-256 encryption. The backup data is not stored externally but is replicated across multiple data centers within a specific AWS region.
amaise is a Swiss company. Data processing and storage are carried out, at the customer's choice, either in Switzerland, in Germany or in anther country of the customers choice.
Customer data in our amaise cloud is encrypted during transmission over public networks using TLS 1.2+ to protect against unauthorized disclosure or alteration. Our TLS implementation enforces the use of strong ciphers and key lengths, provided they are supported by the browser. All data at rest is encrypted with the industry-standard AES-256.
The client's data is encrypted at the client's site before being transferred to the cloud. The client exclusively retains key control (bring your own key). This allows the client to irrevocably delete the key and thus the data at any time.
The security of customer documents is a central design goal of the amaise system. All documents are protected during transmission between customers and amaise servers by industry-standard SSL (Secure Sockets Layer) with 256-bit end-to-end encryption. To protect documents while they are stored in the cloud, amaise uses only top-tier service providers that have passed annual SOC 1/SSAE 16/ISAE 3402 audits. These providers maintain data centers with extensive physical access controls, including professional security, intrusion detection, video surveillance, and two-factor authentication for all personnel. Additionally, these providers offer redundancy against natural disasters or system failures by securing and replicating customer data in physically separate data centers.
The client has the right to conduct a security audit of their company workspace in the amaise cloud at any time.
The original data is always stored in the customer's primary system. The meta-information extracted by amaise or the annotations added by the users can be transferred back to the customer's primary system at any time.
Although our customers use a shared cloud-based infrastructure when using our cloud products, we have taken measures to ensure they are logically separated so that one customer's actions cannot compromise the data or services of other customers. To achieve logical isolation of our customers, we employ a process we call "Strong Tenant Isolation." This concept ensures that:
Each availability zone is designed to be isolated from failures in other zones and provides low-latency, cost-effective network connectivity to other AZs within the same region. This high availability across multiple zones is the first line of defense against geographic and environmental risks and ensures that services running in multi-AZ deployments should withstand an AZ failure. amaise uses the multi-AZ deployment mode for Amazon RDS (Amazon Relational Database Service). In a multi-AZ deployment, Amazon RDS provisions and maintains a synchronous standby replica in a different AZ within the same region to provide redundancy and failover capability. The AZ failover is automated and typically takes 60-120 seconds, ensuring that database operations can resume as quickly as possible without administrative intervention.
Since our cloud products utilize a multi-tenant architecture, we can integrate additional security controls into the decoupled application logic. A monolithic application per tenant would typically not introduce further permission checks or rate limitations, for example, in cases of high query or export volumes. The impact of a single zero-day vulnerability is drastically reduced as the scope of services is limited. Additionally, we have incorporated preventive controls into our products, all fully hosted on our amaise cloud platform. The primary preventive controls include:
AWS maintains multiple certifications for the protection of its data centers. These certifications cover physical and environmental security, system availability, network and IP backbone access, customer provisioning, and problem management. Access to the data centers is restricted to authorized personnel, verified through biometric identity verification measures. Physical security measures include on-site security personnel, video surveillance, traps, and additional measures to protect against intruders.
amaise uses a state-of-the-art multi-tenant microservice architecture that leverages all the latest technologies and best practices.
Based on our cloud infrastructure, we have built and operate a multi-tenant microservice architecture as well as a shared platform to support our products. In a multi-tenant architecture, a single service serves multiple customers, including databases and computing instances required for running amaise. Each service contains the data for multiple tenants, but the data of each tenant is isolated and inaccessible to other tenants.
amaise cloud uses Auth0 to provide identity management in the most secure way. For authentication, user data can be managed in a database hosted by Auth0, or the customer's IDP can be integrated with any single sign-on protocol such as SAML or OpenID Connect. In both cases, additional attack protection from Auth0 is applied, including multi-factor authentication, bot detection, suspicious IP throttling, and brute-force protection. If suspicious activity is detected and the user is blocked, both the user and amaise are immediately notified. For more information, please refer to Auth0.
Yes, we ensure this automatically with software for all dependencies used.
Our platform employs a least-privilege model for data access. This means that all data is only accessible to the service responsible for storing, processing, or querying it. For example, the OCR service, which performs document OCR, has a dedicated storage that no other services can access. Likewise, the OCR work service cannot access data from storage allocated to other services. All requests must go through the APIs of the involved services. We use JSON Web Tokens (JWTs) to securely handle authorization outside the application, ensuring that our identity systems and the tenant service are the sources of truth. Tokens can only be used for their authorized purposes. When you or someone from your team calls a microservice or shard, the tokens are forwarded to your identity system and validated against this system. This process ensures that the token is current and signed before the corresponding data is released. Combined with the authorization and authentication required to access these microservices, the impact of a compromised service is limited. Furthermore, we proactively identify potential vulnerabilities in our product to minimize their impact on you. We conduct a series of security programs to identify, detect, and respond to security threats.
RPO and RTO: Each 1 day, ensured through daily backups and continuous monitoring.
The AWS cloud infrastructure is certified according to all common security standards (see here). The application and infrastructure of amaise undergo automatic vulnerability and penetration tests daily. Additionally, legal-i is ISO 27001 certified. The Information Security Management System of amaise monitors the amaise system daily to ensure compliance with ISO 27001.
At AWS. The customer can choose whether the service should be operated in Switzerland (Zurich), in the Frankfurt region in Germany or in another region of choice.
We ensure that requests to microservices contain metadata about the customer or tenant requesting access. This is known as the Tenant Verification Service. When a request is initiated, the context is read and internalized in the code of the running service, which is used to authorize the user. Every service access, and thus every data access in legal-i, requires this tenant identification; otherwise, the request is denied.
Authentication and authorization of services are managed through AWS IAM roles. An explicit allowlist defines which services are permitted to communicate, and authorization details specify which commands and paths are available. This restricts the potential lateral movement of a compromised service.
Service authentication, authorization, and termination are controlled by AWS infrastructure components. This ensures that vulnerabilities in application code cannot bypass these controls. Executing remote code would require compromising the underlying host and bypassing Docker container boundaries, rather than merely altering the application logic.
Yes, we ensure this automatically with software for all dependencies used.
Inbound PDFs are checked and strictly processed. No contamination possible.
The amaise agent component is deployed on-premises. Authentication with the legal-i cloud is performed using a secret key, which can be rotated by the customer. IP whitelisting is also possible. Authentication is done via Auth0 (IDP provider).
Considérez amaise comme une assistante IA pour votre équipe de gestion des sinistres. Elle automatise les tâches lourdes du traitement des sinistres – lecture de montagnes de dossiers médicaux, de notes d’experts et de documents juridiques – et extrait pour vous les informations importantes. Vos experts passent ainsi moins de temps à parcourir les documents et plus de temps à prendre des décisions. En pratique, amaise identifie rapidement les informations pertinentes et présente un résumé structuré de chaque sinistre, évitant aux gestionnaires de faire défiler des PDF pendant des heures. En soulageant les spécialistes de ces tâches fastidieuses tout en s’assurant qu’aucun élément clé n’est oublié, la plateforme leur permet de travailler plus vite et de prendre de meilleures décisions. Résultat : les sinistres sont réglés plus rapidement, avec moins d’erreurs, car votre équipe dispose presque instantanément des bonnes informations.