eazyware
Security & compliance

Security isn't an add-on.

Every engagement ships with the same security defaults: enterprise AI tiers, least-privilege access, full observability, and signed agreements before work starts.

Certifications & standards

What we align with.

SOC 2 Type II (Aligned): Annual internal audit against SOC 2 trust criteria.

HIPAA (Ready): BAA signing, technical safeguards in place for healthcare clients.

GDPR (Compliant): EU data residency, DPAs, and right-to-deletion supported.

ISO 27001 (In progress): Target certification Q4 2026.

Controls

What we actually do.

/ Data handling

Client data stays in your infrastructure

Where possible, systems deploy into your VPC, cloud account, or on-prem.

No data retention post-engagement

All working copies are destroyed at handoff. Verified by audit log.

Least-privilege access

Time-bounded credentials. All access logged and auditable.

Encryption in transit and at rest

TLS 1.3 minimum. AES-256 for data at rest. No exceptions.

/ AI model safety

Enterprise tier APIs only

OpenAI, Anthropic, Google enterprise contracts. Your data never trains their models.

Azure OpenAI + AWS Bedrock support

Deploy within your existing certified cloud environments.

On-prem Llama deployments

Full air-gap capability for sensitive workloads.

Prompt injection mitigations

Input sanitization, output filtering, and role separation built into every deployment.

PII redaction pipelines

Automated PII detection before any data reaches an LLM.

/ Compliance

SOC 2 Type II-aligned practices

Internal controls mirror SOC 2 trust criteria. Annual security review.

HIPAA-ready deployments

BAA signing for healthcare engagements. HIPAA-aligned infrastructure.

PCI-DSS capable

Experience with tokenized payment flows and card-data isolation.

GDPR + data residency

EU-only processing when required. Data residency contracts available.

NDAs standard

Mutual NDA signed before first working session.

/ Engineering practices

Code review required

Every change reviewed by a second engineer before merge.

Automated dependency scanning

Dependabot + Snyk on every repo. Critical CVEs patched within 48h.

Incident response within 1 hour

Production issues get a human within 60 minutes during business hours.

Versioned prompts + rollback

Every production prompt change is versioned and reversible.

Observability from day one

Logs, traces, cost, and error rate dashboards live at launch.

Security contact

Need a specific assurance?

For enterprise security reviews, DPIAs, or infosec questionnaires, write to our security team directly.

Security contact: security@theeazyware.com

PGP key available on request · Response within 24h

/ Next step

Need our security review questionnaire?

We have a pre-filled SIG Lite and CAIQ v4 ready to send. Just ask.

~4h avg response · Q2 '26 next slot · 100% NDA on request