SECURITY AT POLICE NARRATIVES AI

MILLIONHARI LLC (dba PoliceNarratives.ai)

Last updated: April 28, 2026  |  Version 1.0

Police Narratives AI is built for law enforcement, where data sensitivity is paramount. We take a security-first approach to designing, building, and operating our platform. This page summarizes the technical and organizational controls we use to protect customer data. It is intended for security reviewers, agency administrators, and prospective customers conducting due diligence.

For our detailed engineering reference, see our Engineering Documentation. For information about how we collect and process personal data, see our Privacy Policy.

1. INFRASTRUCTURE AND HOSTING

The Police Narratives AI platform is hosted on Amazon Web Services (AWS), in AWS commercial regions for general customers and AWS GovCloud (US) for customers with elevated compliance requirements. AWS maintains independent attestations including SOC 1, SOC 2, SOC 3, ISO 27001, FedRAMP, and CJIS alignment. We rely on AWS for physical security, environmental controls, and base infrastructure hardening.

  • Production workloads run on Amazon ECS clusters with isolated security groups and network ACLs.
  • All public traffic is terminated at TLS-enabled load balancers; only required ports are exposed.
  • Production, staging, and development environments are logically isolated, with separate credentials, databases, and S3 buckets.
  • Customer audio, video, and report data is stored in private S3 buckets with bucket-level public-access blocks.

2. ENCRYPTION

Customer data is encrypted in transit and at rest at all times.

  • In transit: All client, mobile, and server-to-server traffic is protected with TLS 1.2 or higher. HSTS is enforced on production domains.
  • At rest: Amazon S3 buckets, RDS PostgreSQL databases, and EBS volumes are encrypted using AES-256 with AWS-managed keys. Backups inherit the same encryption.
  • Secrets: Application secrets and API keys are stored in AWS Secrets Manager or environment variables scoped per environment, never committed to source control.
  • Sessions: Session cookies are flagged HttpOnly, Secure, and SameSite. Session state is stored in Redis with encrypted transport.

3. AUTHENTICATION AND ACCESS CONTROL

We support multiple authentication paths designed for both individual officers and managed agencies:

  • Email and password with bcrypt password hashing and account lockout on repeated failure.
  • OAuth login through Google and Apple.
  • Enterprise single sign-on (SSO) via SAML 2.0 and OIDC for agency customers.
  • Multi-factor authentication (MFA) configurable per agency, with TOTP authenticator apps, WebAuthn (Touch ID, Face ID, hardware security keys), and email one-time passcodes.
  • Backup recovery codes and optional trusted-device support to balance security with usability.

Within the platform we enforce role-based access control. Officers can access only their own cases, while agency Records personnel can access all cases for their agency. Agency administrators control invites, role assignment, MFA enforcement, and SSO configuration.

Session lifetime and idle timeout limits are enforced server-side to align with CJIS Security Policy guidance: a maximum 12-hour session and 30-minute inactivity timeout for agency users.
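
The sketch below is an added example, not Police Narratives AI's own code. It shows one way to enforce the 12-hour maximum and 30-minute inactivity limits on the server rather than through cookie expiry alone. The session fields, the Map-like store, and `req.sessionId` are assumptions made for illustration.

```javascript
// Added illustration; not Police Narratives AI code. Field names are hypothetical.
const MAX_SESSION_MS = 12 * 60 * 60 * 1000; // 12-hour absolute lifetime
const IDLE_TIMEOUT_MS = 30 * 60 * 1000;     // 30-minute inactivity limit

// session: { createdAt, lastSeenAt } in epoch ms, read from the server-side store.
function evaluateSession(session, now) {
  const ok = session &&
    Number.isFinite(session.createdAt) && Number.isFinite(session.lastSeenAt) &&
    session.createdAt <= session.lastSeenAt && session.lastSeenAt <= now;
  // Missing records or impossible timestamps fail closed.
  if (!ok) return { valid: false, reason: 'malformed' };
  if (now - session.createdAt >= MAX_SESSION_MS) {
    return { valid: false, reason: 'absolute_timeout' };
  }
  if (now - session.lastSeenAt >= IDLE_TIMEOUT_MS) {
    return { valid: false, reason: 'idle_timeout' };
  }
  // Activity slides the idle window but never past the absolute deadline.
  const expiresAt = Math.min(now + IDLE_TIMEOUT_MS, session.createdAt + MAX_SESSION_MS);
  return { valid: true, session: { ...session, lastSeenAt: now }, expiresAt };
}

// Express-style middleware. `store` is any Map-like session store and
// `req.sessionId` is assumed to be set by earlier cookie-handling middleware.
function sessionTimeout(store, clock = Date.now) {
  return (req, res, next) => {
    const result = evaluateSession(store.get(req.sessionId), clock());
    if (!result.valid) {
      store.delete(req.sessionId); // revoke on the server, not just in the browser
      res.statusCode = 401;
      return res.end(result.reason);
    }
    store.set(req.sessionId, result.session);
    next();
  };
}
```

Because the absolute deadline is computed from `createdAt`, continuous activity cannot keep a session alive past 12 hours, and a replayed cookie is rejected once the server-side record is deleted.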

4. INTERNAL ACCESS AND PERSONNEL

Access to production systems and customer data is restricted to a small number of authorized personnel under a least-privilege model.

  • Production access requires multi-factor authentication.
  • Access is reviewed periodically and revoked promptly upon role change or offboarding.
  • All personnel and contractors with access to customer data sign confidentiality obligations and complete recurring security awareness training covering data handling, phishing, password hygiene, and incident reporting.
  • Background checks are required for personnel granted access to systems handling law-enforcement data, in alignment with applicable CJIS requirements.

5. APPLICATION SECURITY

Security is built into our software development lifecycle.

  • All code changes go through peer review and automated checks before merging to the main branch.
  • The Express API uses Helmet for HTTP security headers and rate limiting on authentication and sensitive endpoints.
  • Input validation, parameterized queries via Drizzle ORM, and output encoding mitigate the OWASP Top 10 risks (SQL injection, XSS, CSRF, etc.).
  • Dependencies are continuously monitored for known vulnerabilities and patched on a defined SLA based on severity.
  • Static analysis and secret scanning run automatically on every change.

6. LOGGING, MONITORING, AND ALERTING

We maintain centralized logs and monitoring for both reliability and security visibility.

  • Application errors and performance telemetry are captured by Sentry.
  • AWS CloudWatch retains infrastructure, ECS, and Lambda logs.
  • Authentication events, role changes, and administrative actions are recorded for audit.
  • Anomalous patterns (failed logins, unusual access) trigger alerting to the on-call engineer.

7. DATA HANDLING AND RETENTION

Customer data, including audio recordings, video, transcripts, and generated narratives, is owned by the customer. We process this data only to provide the Services described in our agreements.

  • Data is segregated logically by customer and access-controlled at the application layer.
  • We do not train AI models on customer data. Third-party AI providers used for narrative generation (Anthropic, OpenAI, AWS Bedrock, Amazon Transcribe) are contractually prohibited from training on customer inputs.
  • Customers may request deletion of their data at any time by contacting support. On account termination, data is deleted from active systems and aged out of backups under our retention schedule.

8. BACKUPS AND BUSINESS CONTINUITY

Production databases are backed up automatically with point-in-time recovery enabled. Backups are encrypted and retained per our retention policy. We test restoration procedures periodically. Our infrastructure is designed to recover from regional disruptions through AWS multi-AZ deployment, and we maintain documented incident response and business continuity procedures.

9. VULNERABILITY MANAGEMENT AND TESTING

We continuously monitor and harden our platform.

  • Automated dependency vulnerability scanning runs on every build.
  • Container images are scanned for known CVEs prior to deployment.
  • External penetration testing is performed periodically by qualified third parties.
  • Identified vulnerabilities are tracked to remediation against a severity-based SLA.

10. INCIDENT RESPONSE

We maintain a written Incident Response Plan covering detection, triage, containment, eradication, recovery, and post-incident review. In the event of a confirmed security incident affecting customer data, we will notify impacted customers without undue delay and provide details required to comply with applicable laws and contractual obligations.

11. VENDOR AND SUBPROCESSOR MANAGEMENT

We carefully evaluate every subprocessor we rely on. Key subprocessors include Amazon Web Services (hosting and AI services), Anthropic and OpenAI (AI inference), Stripe (payment processing), and Sentry (error monitoring). Each subprocessor is reviewed for security posture and bound by appropriate data protection terms. A current list is available on request.

12. COMPLIANCE

Police Narratives AI is designed to support customer compliance obligations including:

  • CJIS Security Policy alignment — encryption, MFA, session controls, audit logging, and personnel screening practices map to applicable CJIS requirements.
  • SOC 2 — we are actively pursuing SOC 2 Type II attestation. Documentation and bridge letters can be made available to customers under NDA.
  • U.S. state privacy laws — we honor data subject rights under CCPA/CPRA and other applicable U.S. state privacy regimes; see our Privacy Policy for details.
  • AWS GovCloud (US) — available for customers requiring data residency in U.S.-only regions operated by U.S. persons.

13. RESPONSIBLE DISCLOSURE

We welcome reports from the security research community. If you believe you have found a vulnerability, please email security@policenarratives.ai with details and steps to reproduce. We commit to acknowledging your report, investigating in good faith, and not pursuing legal action against researchers who act in accordance with this policy.

14. CONTACT

Security questions, compliance inquiries, and customer due-diligence requests can be sent to security@policenarratives.ai or support@policenarratives.ai.

MILLIONHARI LLC
1030 N Alvarado St, Ste 303
Los Angeles, CA 90026
United States