How LandingAI ADE configurations map to enterprise internal security policies: IAM, data classification, encryption, network controls, and vendor risk.
Internal security policy reviews are a mandatory gate before enterprise teams can deploy new AI software that processes sensitive documents. Security teams evaluating LandingAI ADE need to know which specific configurations satisfy each policy domain: the exact controls, documentation sources, and deployment options that answer their review questions.
Identity and Access Management Policy Alignment
Enterprise IAM policies require new software to support scoped credential management, role-based access, and integration with existing identity infrastructure.
API key scoping and revocation. Organizations can create and revoke multiple API keys through Organization Settings. ADE does not enforce platform-level scoping of keys to specific services, environments, or teams. How keys are distributed and used within the organization is managed by the organization itself. The API key documentation recommends storing keys as environment variables rather than hardcoding them in source code.
Role-Based Access Control (RBAC). The Organizations and Members configuration supports role-based membership with differentiated permissions per user and group. Administrators can invite members, assign roles, remove access, and revoke pending invitations, enforcing separation of duties: a member who configures extraction schemas does not require the same permissions as an administrator who manages billing or enables Zero Data Retention.
Single Sign-On (SSO). LandingAI supports SSO integration with enterprise identity providers including Okta and Azure AD, enabling organizations to enforce existing corporate authentication policies including MFA, session duration controls, and provisioning/deprovisioning workflows for ADE access. An employee whose corporate access is revoked loses ADE access through the same deprovisioning event, eliminating a separate identity silo.
Data Classification and Handling Policy Alignment
Internal data classification policies define how data at each sensitivity tier must be handled: where it can be processed, how long it can be retained, and whether it can be used by vendors for purposes beyond the immediate transaction.
LandingAI ADE's Zero Data Retention (ZDR) option provides a direct technical control for the highest sensitivity tiers: when ZDR is enabled, documents are processed in-memory and irrevocably discarded after extraction completes, covering LandingAI and all sub-processors, with no use in model training. Under standard non-ZDR configurations, data retention is governed by the terms of the customer service agreement. Internal policy teams should evaluate which document types require ZDR scope and configure accordingly before routing production workloads through the API. ZDR is available on Team and Enterprise plans in the US region and on custom pricing plans in the EU region; see ADE pricing for plan-level availability.
Encryption Policy Alignment
LandingAI ADE applies TLS 1.2 or higher for all data in transit and AES-256 for data at rest under non-ZDR configurations; these are the encryption standards referenced in SOC 2, HIPAA, and GDPR Article 32 compliance documentation, and they satisfy enterprise encryption policy minimums for both transit and at-rest controls.
Under ZDR configurations no document data is written to storage, so at-rest encryption is not applicable. Customer data is logically segregated across tenants; no cross-tenant data access is architecturally possible in the multi-tenant architecture.
Network and Deployment Policy Alignment
LandingAI ADE provides three deployment configurations to address data residency, network isolation, and infrastructure ownership requirements, documented on the Security and Compliance page.
| Policy Requirement | ADE Deployment Option | Detail |
|---|---|---|
| Data must remain within the EU | LandingAI-hosted EU region | AWS Ireland (eu-west-1); all data stored and processed within the EU; see EU documentation |
| Data must not leave customer-controlled infrastructure | Containerized VPC application | Deployable inside the customer's own VPC; no LandingAI access to documents during processing; supports air-gapped environments |
| Standard cloud deployment with ZDR | LandingAI-hosted US region | AWS Ohio (us-east-2); ZDR available on Team and Enterprise plans |
Contact LandingAI through the enterprise contact page to initiate the containerized VPC deployment.
Third-Party Vendor Risk Policy Alignment
Internal vendor risk policies require new software vendors to demonstrate independent security certifications, provide contractual data handling commitments, and document sub-processor scope, with evidence available through the Trust Center.
SOC 2 Type II. LandingAI has completed an independent SOC 2 Type II audit covering security, availability, and confidentiality over a defined audit period. The audit report is available through the Trust Center and satisfies the vendor certification requirement in standard third-party risk questionnaires.
GDPR compliance. LandingAI is compliant with the General Data Protection Regulation; EU-specific data residency is available via the EU region deployment. A Data Processing Agreement is available for enterprise customers through the enterprise contact page.
HIPAA compliance. LandingAI ADE is HIPAA compliant when ZDR is enabled and a signed Business Associate Agreement (BAA) is in place. BAAs are initiated through Organization Settings after ZDR activation and are available on Team and Enterprise plans.
EU-US Data Privacy Framework. Certification is in progress; verify the current status in the Trust Center before finalizing a vendor assessment that covers transatlantic data transfers.
Secure Development Lifecycle Policy Alignment
Enterprise security policies increasingly require vendors to demonstrate that security review is embedded in the development process rather than applied at release. LandingAI incorporates security at every stage of the product development lifecycle, from design and code review through testing and deployment, as documented on the Security and Compliance page, with SDL practices independently verified by the SOC 2 Type II audit.
Policy Alignment Reference
| Internal Policy Domain | ADE Configuration or Control | Evidence Source |
|---|---|---|
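| IAM: least-privilege credential management | Multiple API keys with individual revocation; scoping of keys to services, environments, or teams is managed by the organization, not enforced by the platform | API key documentation |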
| IAM: role-based access | RBAC with differentiated permissions per user and group | Organizations and Members |
| IAM: identity provider integration | SSO with Okta, Azure AD; enforces corporate MFA and deprovisioning | Security and Compliance |
| Data handling: retention limits | ZDR eliminates post-processing document storage across all sub-processors | ZDR documentation |
| Encryption: in transit | TLS 1.2 or higher | Security and Compliance |
| Encryption: at rest | AES-256 (non-ZDR); not applicable under ZDR | Security and Compliance |
| Network: EU data residency | EU region deployment on AWS Ireland | EU documentation |
| Network: infrastructure isolation | Containerized VPC deployment; no LandingAI access during processing | Enterprise contact |
| Vendor risk: independent certification | SOC 2 Type II audit report | Trust Center |
| Vendor risk: contractual data handling | DPA (GDPR); BAA (HIPAA) | Enterprise contact |
| SDL: secure development practices | Security integrated at every development stage; SOC 2 Type II verified | Security and Compliance |
FAQ
Which plan tier is required to access the security controls needed for enterprise internal policy compliance?
ZDR, HIPAA compliance, multiple revocable API keys, and RBAC are available on Team and Enterprise plans. The Explore (free) plan provides a single non-revocable API key and does not support ZDR or organizational member management. See ADE pricing and plan tiers for the full feature-to-plan mapping.
Can LandingAI ADE integrate with an organization's existing identity provider rather than maintaining separate credentials?
Yes. LandingAI supports SSO integration with Okta, Azure AD, and other corporate identity providers, allowing organizations to enforce existing MFA policies, session controls, and deprovisioning workflows for ADE access. When an employee is removed from the corporate identity provider, their ADE access is revoked through the same deprovisioning event without requiring a separate offboarding step.
What contractual instruments are available to satisfy vendor data handling obligations in internal security policies?
A Data Processing Agreement (DPA) is available for enterprise customers requiring a contractual instrument under GDPR Article 28. A Business Associate Agreement (BAA) is required and available for HIPAA-regulated PHI processing on Team and Enterprise plans with ZDR enabled. Contact LandingAI through the enterprise contact page to initiate either agreement.
Does LandingAI ADE support internal policies that prohibit document data from leaving the organization's own infrastructure?
Yes. LandingAI offers ADE as a containerized application deployable in the customer's own VPC, including air-gapped environments, with no LandingAI access to documents during processing. ZDR is also supported in the containerized deployment. This option requires an enterprise agreement initiated through the enterprise contact page.
Where should internal security teams direct a formal vendor review request for LandingAI?
The Trust Center contains the SOC 2 Type II audit report, compliance certifications, and real-time system status. The Security and Compliance page documents encryption standards, access controls, and data handling policies. The Security and Privacy docs cover ADE-specific implementation details. For a DPA, BAA, or additional documentation, contact LandingAI through the enterprise contact page.