Trust & Security

Built for the people who
have to sign off.

Procurement, security, and model-risk teams ask hard questions before anything reaches production. Here is the security, compliance, and AI-governance posture behind Veridect — stated plainly, with the detailed binder available under NDA.

Security posture

Six things a security team checks first.

Infrastructure

SOC 2 Type II hosting

Runs on SOC 2 Type II, SOC 3, and CSA STAR Type 2 certified infrastructure, with current-year attestations and bridge letters available under NDA.

Healthcare

HIPAA Business Associate

Operates as a HIPAA Business Associate under executed BAAs in production healthcare deployments — a real, binding HIPAA posture, not “HIPAA-ready” marketing language.

Data protection

Encrypted end to end

AES-256 encryption at rest, TLS 1.3 in transit, multi-factor authentication on administrative access, and quarterly penetration testing.

Privacy

Privacy & data rights

Documented COPPA and FERPA alignment, WCAG 2.1 AA conformance, Student Privacy Pledge 2020 signatory, and compliance with state privacy laws across CA, IL, NY, and CO.

Independent review

Fortune 100 vendor assessments

A multi-year track record of passing the annual vendor security risk assessments run by Fortune 100 customers’ own security teams — independent validation that meets or exceeds standard review bars.

Audit trail

Tamper-evident by design

Every answer and every agent action writes a SHA-256 hash-chained, replayable record built for model-governance review such as SR 11-7.

SOC 2 Type II, SOC 3, and CSA STAR attestation come from the certified hosting infrastructure Veridect runs on. The detailed compliance binder, BAA status, sub-processor list, and certification roadmap are available under NDA.

AI governance

Evidence your governance program runs on.

Veridect doesn’t just claim governance — it produces the artifacts an AI risk program needs. Each capability below maps to a recognized framework, as evidence, never as a certification.

NIST AI RMFConfidence decomposition, live benchmarks, hash-verified audit bundle
EU AI ActRisk-tiered action gating: low / medium / high / critical
Model cardsLive model card: four models, weights, intended use, known limits
AI red teamingAdversarial verifier mesh plus independent external red-team
Continuous monitoringProvider-health monitoring and circuit-breaker quarantine
Incident responseReplayable audit trail your IR process runs on
Governance boardAudit bundle as evidence for board-level review
Risk registerDecomposed, scored outputs a model-risk register draws on
Data handling

Your data, your boundary.

Veridect is cloud-agnostic and deploys behind a single REST endpoint on AWS, Azure, GCP, or on-premises — the control plane and audit layer run inside an environment you control, with provider routing and data-boundary terms configured per deployment.

Sub-processors

The four AI providers each maintain their own SOC 2 / ISO certifications, available as sub-processor evidence during diligence. The lineup is provider-agnostic and swappable.

Retention & deletion

Documented data flows, retention periods, right-to-be-forgotten, and inactivity deletion — detailed in the posture statement provided under NDA.

Procurement & diligence

Need the full documentation?

A mutual NDA opens the complete compliance posture statement, current infrastructure attestations, BAA status, and sub-processor detail — everything your security and legal teams need to clear deployment.

Contact us →