— / SecurityUpdated Apr 2026

Security.
Built in, not bolted on.

Production AI systems have to survive procurement review, security audits, and incident response. Here's how we engineer for all three.

01

Our posture at a glance

We build and ship AI systems for healthcare, financial services, legal, and government-adjacent operators — clients whose data handling is regulated by default. That means every production build we ship starts from a compliance-aware baseline, not a retrofit.

HIPAA-aware

PHI handling, minimum-necessary access, BAA available, audit-ready workflows. Shipped for dental, medical, and mental health clients.

SOC2-aligned

Controls mapped to SOC2 Type II criteria. Access review, change management, monitoring, and incident response documented.

GDPR-ready

Data residency options, DPAs available, right-to-delete workflows, and consent-aware data flows.

Private cloud

Optional deployment inside a client-owned VPC (AWS, GCP, Azure) for engagements where data residency or isolation is non-negotiable.

02

Controls we run

Encryption in transit
TLS 1.2+ end-to-end
Encryption at rest
AES-256 via platform vendors
Access control
Role-based, least-privilege
Audit logging
Every model call, tool call, admin action
Secret management
Platform-managed secrets · zero hard-coded keys
Incident response
24-hour disclosure for confirmed incidents
Vendor review
Only SOC2 + ISO27001 platforms in production
Dependency scanning
Automated CVE monitoring on every build
Human-in-loop gates
Configurable review paths for sensitive actions
03

Infrastructure partners

We ship on vendor-grade infrastructure: Vercel (SOC2 Type II), Supabase (SOC2 Type II, HIPAA-eligible), Anthropic Claude (SOC2, HIPAA, ISO27001), OpenAI (SOC2 Type II, GDPR), Stripe (PCI DSS Level 1), Telnyx (SOC2 Type II, HIPAA-eligible). We do not run custom crypto or proprietary auth systems unless required.

04

Data handling

Client data is processed only for the scope of the engagement, is never used to train external models, and is purged on request or at engagement close. We sign BAAs and DPAs as required.

Model interactions route through zero-retention API endpoints where available. For Claude and GPT, we use opt-out modes that disable training use of prompts and completions.

05

Audit and human oversight

Every enterprise engagement ships with an audit trail covering model calls, tool invocations, and administrator actions. Human-in-the-loop review paths are standard for any AI system touching regulated data, customer money, or clinical decisions.

06

Incident response

We commit to 24-hour disclosure on any confirmed security incident affecting client data or systems. Enterprise engagements include a named security contact, documented escalation path, and post-incident review within 10 business days.

07

Document requests

The following are available on request with a signed MSA or NDA: security overview deck, SOC2 alignment documentation, sample DPA, sample BAA, data flow diagrams, and vendor list.

Request security pack SLA commitments →