Procurement, security, and model-risk teams ask hard questions before anything reaches production. Here is the security, compliance, and AI-governance posture behind Veridect — stated plainly, with the detailed binder available under NDA.
Runs on SOC 2 Type II, SOC 3, and CSA STAR Type 2 certified infrastructure, with current-year attestations and bridge letters available under NDA.
Operates as a HIPAA Business Associate under executed BAAs in production healthcare deployments — a real, binding HIPAA posture, not “HIPAA-ready” marketing language.
AES-256 encryption at rest, TLS 1.3 in transit, multi-factor authentication on administrative access, and quarterly penetration testing.
Documented COPPA and FERPA alignment, WCAG 2.1 AA conformance, Student Privacy Pledge 2020 signatory, and compliance with state privacy laws across CA, IL, NY, and CO.
A multi-year track record of passing the annual vendor security risk assessments run by Fortune 100 customers’ own security teams — independent validation that meets or exceeds standard review bars.
Every answer and every agent action writes a SHA-256 hash-chained, replayable record built for model-governance review such as SR 11-7.
SOC 2 Type II, SOC 3, and CSA STAR attestation come from the certified hosting infrastructure Veridect runs on. The detailed compliance binder, BAA status, sub-processor list, and certification roadmap are available under NDA.
Veridect doesn’t just claim governance — it produces the artifacts an AI risk program needs. Each capability below maps to a recognized framework, as evidence, never as a certification.
Veridect is cloud-agnostic and deploys behind a single REST endpoint on AWS, Azure, GCP, or on-premises — the control plane and audit layer run inside an environment you control, with provider routing and data-boundary terms configured per deployment.
The four AI providers each maintain their own SOC 2 / ISO certifications, available as sub-processor evidence during diligence. The lineup is provider-agnostic and swappable.
Documented data flows, retention periods, right-to-be-forgotten, and inactivity deletion — detailed in the posture statement provided under NDA.
A mutual NDA opens the complete compliance posture statement, current infrastructure attestations, BAA status, and sub-processor detail — everything your security and legal teams need to clear deployment.
Contact us →