Trust Center

Built to protect the most regulated data on earth.

Pratvi AI is itself a tool for governing AI in regulated industries. The security and privacy of our own platform is non-negotiable. Below are the controls, our roadmap, and our commitments — stated honestly, including what is targeted vs. what is in place today.

Core Controls

Security architecture

Encryption at rest

Application-layer field encryption with AES-256-GCM. Database-layer AES-256 on top. Data is double-encrypted before persistence.

Encryption in transit

TLS 1.3 enforced on all external connections. HSTS preloaded. Automated certificate management at the edge. No plaintext anywhere on the wire.

Key management

Encryption keys stored in an HSM-backed secrets vault. Per-tenant key namespaces. Customer-managed keys (BYOK) on the enterprise roadmap.

Tenant isolation

Row-level security enforced in Postgres. Tenant ID propagated through every query. No shared compute pools. Independently penetration-tested.

Tamper-evident audit

Every access and decision is hash-chained with SHA-256. Tampering breaks the chain. Satisfies 21 CFR Part 11, SR 11-7 retention, and HIPAA §164.312(b).
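The hash-chain mechanism above can be illustrated with a small worked example. This is added illustration code, not Pratvi AI's implementation: the record layout, the all-zero genesis sentinel and the sample events are assumptions made here so the block runs offline. Each record's SHA-256 covers the previous record's hash plus the canonical event payload, so a verifier that recomputes the links detects an edited or deleted record at the first broken link.

```python
"""Hash-chained audit log (added example, not Pratvi AI's code).

Each entry stores the previous entry's hash; the entry's own hash is
SHA-256(prev_hash || canonical_payload). Editing, reordering or deleting
a record breaks every link from that point on, which verify_chain reports.
"""
import hashlib
import json

GENESIS = "0" * 64  # assumed sentinel "previous hash" for the first record


def _canonical(payload: dict) -> str:
    # Stable serialization so the same event always produces the same bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":"))


def compute_hash(prev_hash: str, payload: dict) -> str:
    # The link: the hash commits to the predecessor and to this event.
    return hashlib.sha256((prev_hash + _canonical(payload)).encode("utf-8")).hexdigest()


def append_entry(chain: list, payload: dict) -> dict:
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {
        "seq": len(chain),
        "prev_hash": prev,
        "payload": payload,
        "hash": compute_hash(prev, payload),
    }
    chain.append(entry)
    return entry


def verify_chain(chain: list):
    """Return (ok, first_bad_seq).

    Recomputes every link and checks sequence numbers, back-pointers and
    hashes; the first inconsistent record is reported so the reviewer
    knows where the log stopped being trustworthy.
    """
    expected_prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["seq"] != i or entry["prev_hash"] != expected_prev:
            return False, i
        if compute_hash(entry["prev_hash"], entry["payload"]) != entry["hash"]:
            return False, i
        expected_prev = entry["hash"]
    return True, None


def build_sample_chain() -> list:
    # Constructed sample events (tenant, actor, object names are invented).
    chain = []
    append_entry(chain, {"tenant": "t-001", "actor": "alice", "action": "read", "object": "record/42"})
    append_entry(chain, {"tenant": "t-001", "actor": "policy-engine", "action": "decision",
                         "object": "request/9", "verdict": "allow"})
    append_entry(chain, {"tenant": "t-001", "actor": "bob", "action": "export", "object": "report/7"})
    return chain


def tamper_demo():
    """Show that verification passes on the intact chain and fails after
    an in-place edit or a deletion. Returns the verifier results."""
    chain = build_sample_chain()
    ok_before, _ = verify_chain(chain)

    # Simulated after-the-fact edit of record 1 without recomputing its hash.
    chain[1]["payload"]["verdict"] = "deny"
    ok_edited, bad_seq_edited = verify_chain(chain)

    # Simulated deletion of a middle record: seq and back-pointer no longer line up.
    chain2 = build_sample_chain()
    del chain2[1]
    ok_deleted, bad_seq_deleted = verify_chain(chain2)

    return ok_before, ok_edited, bad_seq_edited, ok_deleted, bad_seq_deleted


if __name__ == "__main__":
    print(tamper_demo())  # (True, False, 1, False, 1)
```

The check only proves integrity relative to the newest hash the verifier trusts: an adversary with write access to the whole log could rewrite every subsequent link, so in practice the head hash is periodically anchored somewhere the log writer cannot change (a separate WORM store, a signed checkpoint, or a third-party timestamp), and the "chain-integrity violations" alert mentioned under continuous monitoring is what fires when verify_chain returns a bad sequence number.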

Continuous monitoring

Application error tracking, structured log aggregation, and edge telemetry across the stack. Alerts on access anomalies and chain-integrity violations.

Sub-processor governance

Every sub-processor has a signed BAA/DPA/SPA. Annual SOC 2 review of vendors. Full disclosure list at /legal/subprocessors.

Backup & recovery

Managed-Postgres point-in-time recovery enabled. Cross-region replication. Disaster recovery plan documented and tested quarterly.

Incident response

Documented incident response plan. Breach notification within 72 hours under GDPR Article 33, within 60 calendar days under HIPAA, and within 30 days for an FTC Safeguards Rule notification event.

Certifications

What we have, and what we're targeting

We are pre-launch. Anything stated as "certified" or "audited" below is a future target, not a current claim.

SOC 2 Type II

Targeting Q4 2027 (post-GA + 12 months)

Controls implemented; audit not yet performed. Full readiness plan documented.

HITRUST CSF r2

Targeting 2028 (post-GA + 24 months)

Healthcare-focused; will be pursued after sufficient health-vertical customer base.

ISO 27001

Targeting 2028 (post-GA + 18 months)

Controls baselined; certification path under review.

ISO/IEC 42001

Controls aligned

AI management system controls implemented; external audit not yet pursued.

FedRAMP

On 2027+ roadmap

Will be pursued in alignment with first federal customer. StateRAMP first.

Reporting a vulnerability

If you believe you have found a security issue affecting Pratvi AI, please email security@pratvi.ai. We respond within 48 hours and will work with you in good faith under coordinated disclosure principles. A formal bug-bounty program is planned post-GA.

Need a deeper security review?

We provide architecture briefings, sub-processor questionnaires, and pen-test summary letters under NDA for evaluating customers.

Request security review