Security & Trust
Trust is an engineering problem. We treat it like one.
Below is a plain-language summary of how we handle data, run our infrastructure, govern our models, and respond when things go wrong. For buyers in procurement: our SIG-Lite, DPA, and subprocessor list are available on request.
Controls
The technical controls we operate today.
Encryption in transit and at rest
All customer data is encrypted in transit with TLS 1.3 and at rest with AES-256. Keys are managed through a dedicated KMS with strict rotation policies.
Model data handling
Customer inputs are never used to train foundation models without explicit opt-in. Inference logs are retained only for abuse prevention and service health, with configurable retention windows.
Least-privilege access
Production systems use SSO with hardware-key-enforced MFA, just-in-time elevation, and full audit trails. Every access event is logged and reviewed.
Separation of environments
Development, staging, and production are physically separated with independent credentials, independent networks, and independent key material.
Vulnerability management
Continuous dependency scanning, static analysis on every pull request, and third-party penetration testing on an annual cadence with findings published internally.
Incident response
Documented runbooks, a 24/7 on-call rotation, and a public post-incident review practice. Material incidents are communicated to affected customers within 72 hours.
Compliance
Where we stand on certifications.
We publish our roadmap honestly. Items marked In progress or Planned are genuinely on the calendar, not aspirational.
| Standard | Status | Notes |
|---|---|---|
| SOC 2 Type II | In progress | Audit period open; report expected 2026 Q4. |
| GDPR | Compliant | EU representative appointed; DPAs available on request. |
| CCPA | Compliant | Consumer rights workflows operational. |
| ISO 27001 | Planned | Target readiness 2027 H1. |
Responsible AI
We govern models like we govern code.
Evaluation before deployment
Every shipped model is covered by a versioned evaluation harness with adversarial, fairness, and safety suites. Regressions block release.
Public model cards
We publish a model card for every capability we ship — describing intended use, training data, known limitations, and red-team findings.
Human oversight for sensitive outputs
For outputs with material real-world consequences, we design workflows that keep a qualified human in the loop and are transparent about model uncertainty.
Reporting a vulnerability? Email analyticitytech@gmail.com with the subject line Security report. We commit to acknowledge within two business days and provide a status update within ten.