Security

This Security Overview is provided for information only. It describes Elnora AI's security program as of the date stated and does not create or amend any contractual right, warranty, representation, or service commitment. Elnora's binding obligations are set out exclusively in the applicable Order Form, Master Service Agreement, Data Processing Addendum, and Service Level Agreement, which control in the event of any conflict.

Enterprise-Ready Security, Built for Life Sciences

Elnora is designed from the ground up to meet the security and compliance requirements of biotech and pharmaceutical organizations. We understand that your research data is among your most valuable assets, and we treat its protection as our highest priority.


Compliance & Certifications

Elnora AI maintains industry-recognized security certifications.

| Framework | Status |
|---|---|
| ISO/IEC 27001:2022 | Certified |
| SOC 2 Type 2 | Attestation report available on request under standard confidentiality terms |

Our security program is built on industry best practices. We conduct regular security assessments and maintain comprehensive policies covering access control, data management, incident response, and secure development. Our program undergoes external audits to validate our controls.

For compliance documentation, security questionnaires, or to request our Trust Package, visit our Trust Center.


Your Data, Your Control

We do not train AI models on your data. Elnora uses established foundation models and does not use customer data for model training. Customer inputs sent to those foundation models are processed under each provider's standard commercial API terms, which prohibit training on your data. Retention is limited to each provider's standard abuse-monitoring period (typically up to 30 days) and is never used for training. See our Data Processing Addendum and subprocessor list for details.

Your research data remains exclusively yours. Each customer's data is logically separated and never commingled with other customers. We maintain strict data isolation at the application and infrastructure level to ensure your proprietary protocols, experimental designs, and research findings are protected.

All protocols and content generated by Elnora belong entirely to you. We do not claim any intellectual property rights over your outputs, and your research data is not shared with third parties except with subprocessors engaged to deliver the service (under equivalent confidentiality and security obligations) or where disclosure is required by law, court order, or a valid public-authority request, which we handle as described in our Privacy Policy. You may request deletion of your data at any time, subject to any retention required by applicable law; deletion timelines and certification are set out in our Data Processing Addendum.


Infrastructure & Data Protection

Elnora runs on enterprise-grade cloud infrastructure with security controls designed for sensitive research data.

Encryption

All data is encrypted both in transit and at rest. Data in transit is protected using TLS 1.2 or higher, ensuring secure communication between client applications and our services. Data at rest is encrypted using AES-256 encryption, and encryption keys are managed through dedicated key management services with strict access controls.

Network Security

Our infrastructure follows a defense-in-depth approach. Backend services are isolated in private network segments that are not directly accessible from the internet. Only web-facing services are exposed through secured endpoints protected by firewalls and intrusion detection systems. This network isolation ensures that your research data is protected by multiple layers of security.

Data Residency and International Transfers

By default, customer data is hosted in the United States. European Union hosting is available upon request for organisations with data residency requirements.

For customers subject to GDPR, UK GDPR, or the Swiss FADP, cross-border transfers of personal data from the EEA, UK, or Switzerland to the United States are governed by the SCCs (and the UK Addendum / Swiss adaptations) incorporated into our Data Processing Addendum. EU-region hosting eliminates the need for transfer mechanisms for data stored in-region; residual transfers to US-based subprocessors (where applicable) are governed by the Standard Contractual Clauses and onward-transfer terms incorporated into our Data Processing Addendum (or, where a subprocessor is certified, the EU-US Data Privacy Framework). See our Data Processing Addendum for details.

Availability and Business Continuity

Our platform is built on redundant infrastructure across multiple availability zones to ensure high availability. We perform regular backups with tested recovery procedures to protect against data loss. We commit to 99.0% monthly uptime, with details available in our Service Level Agreement.

Our business continuity and disaster-recovery programme targets a Recovery Time Objective (RTO) of 4 hours and a Recovery Point Objective (RPO) of 24 hours for production customer data. Recovery procedures are tested at least annually. Customers with stricter BC/DR requirements should contact us to discuss contractual commitments.


Access & Permissions

Elnora provides controls to help you manage who can access your organization's data.

Authentication

Enterprise single sign-on via SAML 2.0 or OIDC federation against your organisation's identity provider can be enabled for enterprise deployments on request; contact us to confirm the supported identity providers for your plan. Multi-factor authentication (MFA) is enforced for privileged access to production infrastructure and Elnora administrative accounts; for SSO-connected end-user deployments, MFA policy is delegated to your identity provider, and for non-SSO logins MFA is enforced at the Elnora layer.

Authorization

Role-based access control allows you to assign appropriate permissions based on team member responsibilities. Administrative controls enable you to manage team members, control access to sensitive data, and maintain oversight of your organization's Elnora environment.

Audit Logging

Comprehensive audit logs capture user activity within the platform. They record who accessed what data and when, supporting transparency and accountability, and they support security monitoring, compliance requirements, and forensic investigation if needed. Audit data can be made available to enterprise customers on request.


Security Operations

We maintain continuous security operations to detect and respond to threats promptly.

Continuous Monitoring

Our infrastructure is monitored around the clock using automated threat detection systems. Security events are collected, analyzed, and correlated to identify and act on potential threats quickly. Suspicious activity triggers immediate alerts to our security team.

Vulnerability Management

We regularly scan our systems for vulnerabilities and prioritize remediation based on risk. Our remediation targets by severity, set out in Schedule 1 §6 of our Data Processing Addendum, are:

| Severity | CVSS Score | Remediation Target |
|---|---|---|
| Critical | 9.0 – 10.0 | 15 days |
| High | 7.0 – 8.9 | 30 days |
| Medium | 4.0 – 6.9 | 60 days |
| Low | 0.1 – 3.9 | 90 days |

We engage an independent third-party security firm for penetration testing at least annually. Identified findings are tracked to remediation within the SLA schedule above. A summary of the most recent test scope and findings status is available in our Trust Package on request.

We operate a Vulnerability Disclosure Policy for external security researchers. Reports and safe-harbor terms are at elnora.ai/vulnerability-disclosure.

Incident Response

We maintain documented incident response procedures to ensure rapid and effective response to security events. In the event of a security incident affecting your data, we will notify you within 72 hours of Elnora becoming aware of the incident, and provide regular updates until resolution. This reflects our obligation as a processor under GDPR / UK GDPR Article 33(2) to notify you without undue delay, and supports your ability, as controller, to meet your own Article 33 supervisory-authority and Article 34 data-subject notification obligations. The binding notification terms are set out in our Data Processing Addendum; you remain responsible for your own regulatory notifications. Post-incident reviews help us continuously improve our security posture.


Secure Development

Security is integrated into our software development lifecycle from the start.

Our development practices include mandatory code review for all changes before they reach production. We use automated security scanning to identify vulnerabilities in our code and dependencies. Security updates for third-party components are tracked and applied promptly to address known vulnerabilities.

All code changes go through protected branches that require peer review and passing security checks before deployment. This ensures that security is not an afterthought but a fundamental part of how we build and maintain the platform.


Vendor & Subprocessor Security

We hold our vendors to the same high standards we set for ourselves. All subprocessors with access to customer data undergo security review before onboarding. We assess each subprocessor's risk and reassess higher-risk subprocessors at least annually.

Our vendor security program includes verification of SOC 2, ISO 27001, or equivalent certifications. We require contractual security and data protection commitments from all vendors who may access customer data. We maintain ongoing monitoring of vendor security posture and review their compliance status regularly.

A list of our subprocessors is available in our Trust Center. For data processing terms, see our Data Processing Addendum.


Responsible AI Use

Elnora is offered on a Research Use Only (RUO) basis. It is not a medical device and is not validated or approved for clinical, diagnostic, or treatment use. AI-generated outputs are drafts for expert review. Customers are responsible for ensuring all outputs are reviewed and validated by qualified scientists before use.

For permitted and prohibited uses, see our Acceptable Use Policy.


Contact & Resources

| Resource | Link |
|---|---|
| Trust Center | trust.elnora.ai |
| Status Page | status.elnora.ai |
| Terms of Service | elnora.ai/terms-of-service |
| Privacy Policy | elnora.ai/privacy-policy |
| Acceptable Use Policy | elnora.ai/acceptable-use-policy |
| Data Processing Addendum | elnora.ai/dpa |
| Service Level Agreement | elnora.ai/sla |
| Vulnerability Disclosure Policy | elnora.ai/vulnerability-disclosure |

For security inquiries, vulnerability reports, or to request our SOC 2 report, contact us at security@elnora.ai.


Last updated: June 16, 2026

Report a Vulnerability

Found a security issue? We appreciate responsible disclosure from security researchers.