Security posture

How we secure AI delivery engagements. Reviewed quarterly internally; annual external penetration test on production workloads. Last reviewed: 2026-05-20.

Quick facts (for procurement)

  • Entity (sales): AI-Native Agency LLC (Delaware) or SAS (France)
  • Insurance: $2M PI + $1M cyber via Lloyd's-backed carrier
  • NDA turnaround: 24 hours from request
  • SOW turnaround: 5 business days from Discovery call
  • Net terms: Net-30 standard, Net-15 on request
  • Data residency: US-region storage available; default EU
  • Sub-processors: Disclosed at /subprocessors; 30-day change notice
  • DPA: GDPR + CCPA, SCCs included

Figure: Default engagement architecture (client-controlled systems, encrypted model access, reviewer approvals, queryable audit logs, and KPI dashboards).

Controls

The controls below are the default posture for every engagement. Client-specific requirements (e.g., FedRAMP-aligned, HIPAA workflow with BAA, FINRA-supervised workload) are layered on top during Discovery.

Identity & access

Per-engagement IAM in your cloud account (we do not host your production data). MFA enforced on every engineer account. SSO via your IdP where supported. Just-in-time access elevation with auto-expiry and per-request audit.

Endpoint

Full-disk encryption (FileVault / BitLocker) on every engineer endpoint. Auto-lock under 5 minutes. MDM-enforced patch level. No client data permitted on local disks outside encrypted, time-bounded engagement folders.

Code & secrets

All client integration code lives in your repository under your IAM. Secrets are managed via your existing secret manager (AWS Secrets Manager, GCP Secret Manager, Doppler, Vault). They are never committed to Git, including in `.env` files.

Network

All inference and retrieval calls travel over TLS 1.3. No client traffic crosses the public internet without encryption. Provider APIs are accessed through region-pinned endpoints when supported.

Audit logging

Every inference call, retrieval bundle, reviewer decision, and downstream action is logged with model version + prompt fingerprint + signer identity. Retention follows the client policy captured during Discovery (minimum 12 months).

Incident response

Defined incident severity ladder (S1–S4). S1 incidents trigger client notification within 24 hours, root-cause analysis within 5 business days, written remediation within 10 business days.

Data egress

No bulk client data leaves your cloud account during engagement. Discovery artefacts (workflow maps, labelled test set, evaluation reports) are exchanged via your sanctioned channel — never email attachments.

Background checks

Every engineer touching client systems passes a background check and signs a confidentiality agreement before access provisioning.

Certifications & compliance posture

  • GDPR-compliant (EU operations, formal Article 30 processing record maintained).
  • CCPA / CPRA-compliant DPA on offer for California-touching workflows.
  • SOC 2 Type II in progress — target audit date 2027 Q1.
  • ISO 27001 readiness assessment completed; certification track in 2027.

Review cadence

Quarterly internal review; annual external penetration test on production workloads. Material changes to this posture are notified to engaged clients in writing at least 30 days in advance, with a right to terminate the engagement if the change materially degrades the client's risk profile.

Procurement contact

Need this in a different format?

We can fill out your security questionnaire (SIG, CAIQ, custom), share insurance certificates, run through procurement legal calls, or sign your standard MSA. Reach out via the discovery call and we'll route you to the right docs.