Secure AI by architecture: how ManuFind isolates and protects your data

A technical look at the layers underneath ManuFind's AI — tenant isolation, role-aware access, governed tools and auditable actions.

Most AI products answer the security question with policy: a promise about what the system won't do. ManuFind answers it with architecture: a design in which the unsafe thing is structurally hard to do in the first place. This paper walks through the layers.

Tenant isolation at the database layer

ManuFind is multi-tenant, and isolation is enforced by the database itself — row-level security policies scope every query to the requesting organization. Application code doesn't get to forget a filter; the database refuses to return another tenant's rows. Storage follows the same boundary, with per-tenant prefixes and scoped credentials.
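To make the row-level-security claim concrete, here is an added illustration of the pattern in PostgreSQL; it is not ManuFind's schema, and the table, policy, role and setting names (documents, tenant_isolation, app_user, app.current_org) are assumptions for the example.

```sql
-- Added example, not ManuFind's code: every query on a shared table is
-- scoped to the caller's organization by the database, not by the app.
CREATE TABLE documents (
    id      bigserial PRIMARY KEY,
    org_id  uuid NOT NULL,
    title   text NOT NULL,
    body    text
);

-- The application connects as a role that does not own the table; the
-- connecting login role is assumed to have been granted membership in it.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON documents TO app_user;

ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
-- FORCE makes the policy apply to the table owner as well, so an owner
-- connection used by a migration or job cannot silently bypass it.
ALTER TABLE documents FORCE ROW LEVEL SECURITY;

-- A row is readable (USING) and writable (WITH CHECK) only when its
-- org_id equals the tenant pinned on the session. current_setting(...,
-- true) yields NULL when the setting is absent, and NULL never compares
-- equal, so an unscoped session sees and can write nothing.
CREATE POLICY tenant_isolation ON documents
    FOR ALL
    TO app_user
    USING      (org_id = current_setting('app.current_org', true)::uuid)
    WITH CHECK (org_id = current_setting('app.current_org', true)::uuid);

-- Per request the application pins the tenant. SET LOCAL is transaction
-- scoped, so a pooled connection cannot carry the tenant into the next
-- request. The UUIDs below are constructed sample values.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.current_org = '11111111-1111-1111-1111-111111111111';

-- Application code that "forgets" the tenant filter is still confined:
-- the database returns only rows whose org_id matches the session.
SELECT id, title FROM documents;

-- A write aimed at another tenant is rejected by the WITH CHECK clause
-- and aborts the transaction.
INSERT INTO documents (org_id, title)
VALUES ('22222222-2222-2222-2222-222222222222', 'cross-tenant write');
ROLLBACK;
```

The check a reviewer should run is the negative one: connect with no app.current_org set, or as a role outside the policy, and confirm the SELECT returns zero rows rather than everything.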

Access control that follows you into the AI

Permissions are role-based, and — critically — the AI inherits them. When someone asks a question, retrieval runs as that person: the model is only ever shown documents the asker is allowed to see, so it cannot leak what it never saw. API keys carry explicit scopes, and those scopes are re-clamped to the owner's current role on every request — demote a user and every key they ever minted is demoted with them, instantly.

Governed tools, not open-ended access

AI assistants reach ManuFind through our Model Context Protocol (MCP) server as a set of discrete, governed tools — document search and retrieval, structured-data lookups, drafting and ledger operations — each one permission-checked on every request, gated by the customer's plan, and authenticated per-request with scoped mf_live_ API keys. There is no "do anything" endpoint: a key scoped to read documents cannot delete them, and a tool a role isn't entitled to simply isn't callable. Requests pass through prompt-injection screening on the way in, and outputs are filtered on the way out.

The models stay inside the walls — specifically

It's worth being concrete about what touches your documents. Language-model inference runs on Amazon Bedrock inside ManuFind's own AWS environment — the models come to the data's house, not the other way around. Scanned pages are read with Amazon Textract; search embeddings are generated with Amazon's Titan models. All of it operates inside the same governed cloud boundary as your storage. Your documents are never sent to consumer AI services on the open internet, and under Bedrock's terms they are never used to train foundation models. ManuFinder AI works for you, and your knowledge never goes to work for anyone else.

Hardened infrastructure, defined as code

Identity is handled by Amazon Cognito with SSO support. External traffic is fronted by API Gateway, and agentic/MCP traffic by AgentCore Gateway, behind best-practice network segmentation. The entire platform is defined as infrastructure-as-code in Terraform — reviewable, repeatable, and continuously verified: every release passes application code scans, infrastructure code scans, pipeline security gates and a full QA suite before it deploys. Security that exists as code can be audited; security that exists as habit cannot.

Everything leaves a trail

Administrative actions, AI tool calls, API-key activity and data exports are written to an audit log your administrators can review. Controls are aligned to SOC 2, data is encrypted in transit and at rest, and retention policies and full data export are built in — your data is yours, including the right to take all of it with you. Your compliance story doesn't depend on screenshots and good intentions.

Want the deeper dive for your security review — architecture diagrams, control mappings, the works? Talk to our team.