AiVRIC is built to help teams continuously reduce risk while maintaining strong security controls, reliable operations, and transparent governance. This Trust Center summarizes our security posture, compliance practices, and customer data protections.
We operate a defense-in-depth program aligned to modern security and privacy expectations for SaaS and customer-hosted deployments. The highlights below are intended to be concise and procurement-friendly.
Strong authentication, least privilege, and lifecycle control for privileged and standard access.
Customer data control is central to our architecture across SaaS and customer-hosted models.
Security is embedded into the software lifecycle through review gates and operational assurance.
We monitor for operational health and security signals to support response and resilience.
We maintain an incident response program focused on containment, communication, and learning.
Security governance includes policy management, training, and risk oversight.
We align our program to widely adopted control frameworks and publish high-value artifacts for customer review. Where a third-party report is under NDA, the Trust Intake process provides a secure distribution path.
| Item | Scope | Status | Access | Action |
|---|---|---|---|---|
| SOC 2 Type II (Security, Availability) | AiVRIC platform controls and operational processes | Roadmap | Under NDA (request via Trust Intake) | Request |
| ISO/IEC 27001 alignment | Information security management policies & control mapping | Program aligned | Summary available; mapping under NDA | Download |
| NIST CSF mapping | Security program coverage by CSF functions | Available | On request | Request |
| Penetration testing | Platform testing cadence and remediation lifecycle | Available | Executive summary under NDA | Request |
| Vulnerability management | Scanning, triage, remediation SLAs and evidence | Operational | Policy summary available | Download |
| Security questionnaire support | CAIQ, SIG Lite/Full, custom questionnaires | Supported | Trust Intake | Request |
These are common documents requested during due diligence. Some items are public summaries, while detailed reports are shared under NDA.
Downloadable summaries of AiVRIC security controls, privacy posture, and operational processes suitable for procurement packets.
Privacy Policy Terms of Service
SOC 2 reports, penetration test summaries, and certain architectural artifacts are available under NDA to verified customers and prospects. Use the Trust Intake process to request access.
Documentation covering customer-hosted SaaS deployments (Kubernetes) and the Windows executable model, including hardening guidance, secure baselines, and recommended operational integrations (SIEM/SOAR, ticketing, CI/CD).
Standard DPA materials, subprocessor list, and privacy impact guidance for customers with regulated data or specific residency constraints.
AiVRIC is designed to minimize data exposure while delivering security, compliance, and AI assurance outcomes. Customer data is not used to train AiVRIC or third-party AI models by default and requires explicit, written opt-in.
Customer-hosted SaaS runs in the customer’s cloud environment. The Windows executable supports local data storage. For any AiVRIC-managed services, data location and residency are specified in the order form or contractual exhibits.
Collection is limited to the telemetry required for posture analysis, evidence outputs, and operational workflows. Customers control integrations and exports, and can exclude sensitive payloads where applicable.
Retention is configurable to align with audit cycles and business requirements, and deletion workflows are available upon contract termination and per legal requirements. For AiVRIC Vision AI, prompts, chat context, and generated outputs are retained for up to 90 days by default (configurable) and are not used for model training unless explicitly opted in. For BYO-AI usage, customers supply their own provider keys and are responsible for their provider’s retention and privacy terms.
We engineer for reliable operations and predictable recovery. For customer-hosted deployments, reliability depends on your infrastructure choices; our hardening guidance is designed to raise the floor.
| Category | Target | Notes |
|---|---|---|
| Service uptime (SaaS) | 99.9%+ | Measured monthly; exclusions documented in SLA |
| Backup & restore | Defined RPO/RTO | Varies by deployment model and customer configuration |
| Change management | Controlled releases | Planned maintenance windows and rollback practices |
| Support coverage | Standard / Premium | Premium options provide faster response and SLA commitments |
We maintain a list of third parties that may process customer data on our behalf for specific functions. For customer-hosted deployments, subprocessors are minimized; customers typically manage their own cloud providers.
| Use / Service Type | Vendor(s) | Associated products | Purpose | Data types | Region |
|---|---|---|---|---|---|
| Non-managed deployments | None | AiVRIC Windows, Customer-Hosted SaaS | No subprocessors process customer scan data | N/A | Customer-controlled |
| Cloud hosting provider | MS Azure Cloud | AiVRIC DEFENSE SaaS, AiVRIC Vision AI * | Compute / storage for AiVRIC-managed services | Operational data; platform telemetry | US (or as contracted) |
| Email / support system | MS Entra ID, Outlook | Customer-Hosted SaaS, AiVRIC DEFENSE SaaS | Customer communications and ticketing | Contact info; support artifacts | US / Global |
| Analytics (optional) | Google Analytics | AiVRIC DEFENSE Free (marketing), Website | Website usage insights | Web analytics metadata | Varies |
| Source code hosting | GitHub | AiVRIC DEFENSE SaaS, AiVRIC Vision AI, AIVRIC OFFENSE | Version control and CI workflows | Source code; build metadata | US / Global |
We welcome responsible disclosure. If you believe you have found a security issue, report it through the channels below. Please do not include sensitive data in initial messages.
Email our security team with reproduction details and impact. We will acknowledge receipt and coordinate remediation.
Research conducted in good faith within scope and without customer data exfiltration is covered by our safe-harbor principles. Coordinate with us before public disclosure.
We aim to provide status updates, estimated timelines, and post-fix communication. Severity-based SLAs can be defined for enterprise customers.