# LLM Security & Privacy

Trusty is built on enterprise-grade LLM infrastructure with security and privacy controls at every layer. This page explains how data flows through Trusty's AI features, what the model can and cannot access, and how your data is protected.

{% hint style="info" %}
**Infrastructure note:** In the current phase, Trusty connects via the AWS Bedrock API. Future phases may include support for additional cloud provider APIs, including Azure and GCP.
{% endhint %}

## LLM Hosting

Trusty is powered by the Claude family of models (ranging from Haiku to Opus), accessed through Amazon Bedrock — AWS's fully managed AI service.

Your content is encrypted at rest and in transit, and stays within the AWS region where you are located. Data is never moved outside your region without your knowledge.

Amazon Bedrock maintains the following certifications and compliance standards: FedRAMP Moderate, SOC 1/2/3, ISO 9001/27001/27017/27018/27701, HIPAA, GDPR support, and CSA STAR Level 2.

## LLM Training

Trusty uses pre-trained foundation models from Anthropic (Claude) and other leading AI providers, accessed via Amazon Bedrock.

**Your data is never used to train or fine-tune any model.** Neither AWS nor any third-party model provider — including Anthropic — uses your inputs or outputs to improve their models.

## Data Isolation Across Instances

Each session is fully isolated. Because no user data is used for model training, there is no mechanism by which your data can influence another user's experience. Data processed within Amazon Bedrock is never shared with third-party providers.

## What Data the LLM Can Access

Trusty follows a least-privilege approach to data access during each session:

* **No unrestricted access:** Trusty does not have broad access to your organisation's data or systems.
* **Scoped tooling:** It interacts with data only through narrowly defined tools and interfaces, limited to the task at hand.
* **RBAC enforcement:** Access is governed by Role-Based Access Control (RBAC). Trusty can only interact with data you are authorised to access — nothing more.
* **No background collection:** There is no ambient data collection occurring outside of active sessions.

## Summary

| Concern                        | Trusty's Position                                  |
| ------------------------------ | -------------------------------------------------- |
| Where is data hosted?          | AWS region-local, encrypted at rest and in transit |
| Is my data used for training?  | No — never                                         |
| Can my data reach other users? | No — no training means no cross-instance leakage   |
| What data does the LLM see?    | Only what's needed, governed by RBAC               |

## FAQ

#### Does Trusty use my data to train the model?

No. Your inputs and outputs are never used to fine-tune or train any underlying model. This applies to both AWS and Anthropic.

#### Can other users access my data through Trusty?

No. Sessions are fully isolated. Because no user data is used for training, your data cannot be surfaced to another user or instance.

#### What does Trusty actually send to the LLM?

Trusty sends only the metadata that Decube has already ingested — such as table names, column names, descriptions, and profiling statistics. It never accesses raw data records from your warehouse.

#### Which cloud provider powers Trusty's LLM features?

In the current phase, Trusty connects via the AWS Bedrock API. Decube plans to explore support for additional tenant APIs — including Azure and GCP — in future phases. If you are hosted on Azure and would like to be added to the waitlist, reach out to your Account Manager.

#### Where is my data stored during processing?

Data remains within the AWS region where you are located. It is encrypted at rest and in transit, and is never moved outside your region without your knowledge.

#### Who can see my Trusty chat history?

Your chat history is visible to you so that you can revisit previous sessions. Decube may review anonymised logs strictly for troubleshooting and quality improvement purposes.

## Further Reading

For detail on Amazon Bedrock's security and compliance posture, refer to the following AWS resources:

* [Amazon Bedrock Security & Compliance](https://aws.amazon.com/bedrock/security-compliance/) — Overview of Bedrock's security features, compliance certifications, and data protection capabilities.
* [Amazon Bedrock Security Documentation](https://docs.aws.amazon.com/bedrock/latest/userguide/security.html) — Technical documentation covering identity and access management, data protection, logging, and more.
* [Amazon Bedrock FAQs – Security](https://aws.amazon.com/bedrock/faqs/) — Answers to common security questions directly from AWS.

For questions or additional compliance documentation (such as AWS compliance certificates), contact <support@decube.io>.
