// trust

What your procurement, legal, and security teams will need.

We've moved through dozens of enterprise procurement gates. The artifacts below cover ~90% of what gets asked. The rest is on the discovery call.

SOC 2

Type I obtained · Type II audit underway

Type I report available under mutual NDA. We use Vanta for continuous controls monitoring; most recent pen-test report available on request.

Data handling

Deploy in your cloud · we never hold production data

Engagement code deploys to your AWS / GCP / Azure tenancy. Trace logs persist in your observability stack. We have read access only during the engagement window, scoped via your IAM, revoked on completion.

DPA & sub-processors

GDPR / CCPA compliant · pre-vetted DPA template

Mutual DPA template aligned with GDPR Art. 28 and CCPA. Sub-processor list is short and explicit — Anthropic, OpenAI, your cloud provider, and (if applicable) your vector store. We don't take on new sub-processors mid-engagement.

HIPAA

BAA-ready engagement structure

We've delivered engagements for HIPAA-regulated surfaces. BAA template available. PHI never leaves your tenancy; we work against synthetic data + de-identified test sets during build.

Incident response

24h disclosure SLO · joint runbook

If a Lorematics-deployed system causes an incident, we commit to 24h disclosure and a joint runbook. Your incident channel is added to our on-call rotation for the engagement window plus 30 days post-launch.

IP & confidentiality

You own work product · we retain patterns

All engagement work product (code, docs, policies) is assigned to you on delivery. We retain rights only to anonymized patterns and policy primitives that surface in our open-source releases.

// what your team can request

Documents we send on request.

Most of these gate on a mutual NDA. Ask via the intake agent or email info@lorematics.com; we typically turn requests around in under 48h during the engagement window.

// commitments in plain language
  • We never train on your data. No model fine-tuning, no embeddings retained, no eval set populated.
  • We deploy to your cloud tenancy. Production data does not leave your perimeter. Our access is read-scoped, time-bound, and revoked on engagement completion.
  • Engineers on your engagement are on a private Slack with your team. No subcontractors, no offshore handoffs, no rotating consultants.
  • Sub-processor changes require 30 days' notice and your written consent. The list is short and explicit.

// security inquiries

Talk to engineering directly.

We don't route security questions through sales.