Built for the reviewer who has to say yes.
Everything here is what's true today, not what's coming. If a certification isn't finished, we say so and give you the target date instead of a marketing claim.
Pre-audit. No SOC 2 report yet. Our controls are built against the SOC 2 Common Criteria: access control, change management, audit logging, incident response. We're targeting a Type I report by the end of 2026, with Type II to follow twelve months later. In the meantime, the hub runs in your cloud, under your keys, and every action lands in your logs.
We complete them. Five business day turnaround target. Control documentation shared under NDA on request.
Standard DPA available on request, executed before kickoff. Names your model provider as the only sub-processor, states your cloud as the only place data resides, and covers deletion on termination.
One: the model provider on your contract. Anthropic Claude by default, OpenAI or Google on request. No other sub-processor touches your data. No training on customer data, enforced via provider enterprise terms.
The same deployment model described on the engagement page, restated for a security review.
The runtime is open source.
The hubzoid package is MIT-licensed, on PyPI, source on GitHub. It runs inside your perimeter, against your data. Your team can read every line of what executes, not take our word for it. The same package powers our engagements. What you audit is what ships.
View on GitHubHave a longer questionnaire?
Send it over. We aim to turn InfoSec questionnaires around in five business days, with control documentation under NDA.
Talk to us