What your security team needs to know before the first call.
Attestum is a pre-seed company, and we are building the compliance and security posture that enterprise buyers require before it becomes blocking. This page is updated honestly — it reflects what is in place today, what is in progress, and what is on the roadmap.
Last reviewed: 2026-04-20.
Where we are on the compliance roadmap.
| Framework | Status | Target |
|---|---|---|
| SOC 2 Type I | In progress | Fieldwork starting Q3 2026. |
| SOC 2 Type II | Planned | Q1 2027, after 3+ months of controls operating. |
| EU AI Act Annex III control library | Drafting | Published as a separate open-source repo in Q3 2026. |
| ISO 27001 | On request | Not yet scheduled. Can be accelerated for a design partner that requires it. |
| HIPAA BAA | On request | Available for healthcare design partners. |
What we see, what we keep, and for how long.
Tenant isolation
Customer data is isolated per tenant at the storage layer. There is no shared cache, no shared computation, no cross-tenant analytics. We do not train any model on customer data. Ever.
Encryption
TLS 1.2+ in transit. AES-256 at rest. Key management via platform-provider KMS (AWS KMS today; customer-managed keys on the Enterprise tier).
Retention
Raw agent traces are retained for 30 days on the Starter tier and for up to 7 years on the Enterprise tier. Design-partner pilot data is deleted 90 days after the pilot ends. Partners can request deletion at any time; deletion is confirmed within 5 business days.
Aggregate metrics
We retain anonymized aggregate metrics — rollback counts, SLA pass rates, control coverage — indefinitely for product and actuarial research. No raw trace content ever leaves the tenant boundary in identifiable form.
How we run the service.
All production access requires hardware 2FA and scoped credentials. No shared accounts. Access is logged, reviewed monthly, and revoked on role change.
Confirmed breaches affecting customer data are disclosed within 24 hours. Post-incident reports are delivered within 5 business days with root-cause analysis and remediation commitments.
Third-party subprocessors are disclosed in every pilot agreement. Adding a subprocessor requires 15 days' written notice to the customer.
Responsible disclosure program at [email protected]. We acknowledge within 24 hours and fix critical issues within 14 days.
Enterprise customers can deploy Attestum inside their own VPC. Data never leaves the customer environment; Attestum's management plane provides only aggregate health metrics.
During a pilot, customers may request one security review at no charge, including a review of access logs, key management, tenant-isolation controls, and the audit-trail immutability proof.
We answer every vendor questionnaire.
We will complete your standard security questionnaire (SIG, CAIQ, SOC 2 pre-report, custom spreadsheet) as part of a pilot-scoping conversation. Turnaround is typically 3–5 business days.
To request the current security whitepaper, a SOC 2 readiness letter, or subprocessor list, email [email protected]. We respond within one business day.