Security

Security we can show our work on.

How we secure engagements, and what we honestly hold versus what we follow but don't hold. We'd rather under-claim a certification than burn the trust we were hired for. Report a security issue to security@paiteq.com.

Posture: SOC-2-ready practices
Security contact: security@paiteq.com
Data role: Processor (client is controller)
Last updated: 30 May 2026

General: info@paiteq.com · Security: security@paiteq.com

001 / COMPLIANCE POSTURE

What we hold, and what we follow but don't hold.

The honest core of this page. We ship HIPAA-ready and GDPR-ready patterns, and we follow SOC-2-ready practices, but "ready" is not "certified". We are not ourselves SOC 2 Type II or ISO 27001 certified as a vendor; if your procurement requires a vendor SOC 2 report, flag it early and we'll route accordingly.

002 / APPLICATION SECURITY

The build pipeline is the security boundary.

Security for an AI system is mostly upstream of the model: how code ships, how prompts get reviewed, where secrets live, and who can reach what. We treat the SDLC as the place to enforce it.

003 / DATA HANDLING IN ENGAGEMENTS

Your data stays in your perimeter.

In most engagements Paiteq is the data processor and the client is the controller. We deploy into your boundary rather than pulling your data into ours, and your data is never used to train models.

004 / SUB-PROCESSORS + MODEL POSTURE

Model providers are sub-processors. Named, settings-locked.

Model and LLM providers (Anthropic, OpenAI, and others) act as sub-processors. They are named in the engagement architecture doc, and for regulated work we run them under provider data-retention and no-training settings.

SUB-PROCESSOR + LOGGING POSTURE
Model / LLM providers: Anthropic, OpenAI, and others are sub-processors, named in the engagement architecture doc.
Provider settings for regulated work: Provider data-retention and no-training settings are enabled for regulated workloads.
Vector stores: Partitioned per tenant, no cross-tenant retrieval surface.
Observability / logs: PII redacted at the logging layer before traces are written.

005 / VULNERABILITY DISCLOSURE

Found something? Tell us.

We welcome good-faith security research. If you believe you've found a vulnerability in a Paiteq property or an engagement we operate, report it and we'll acknowledge and triage.

  • Email security@paiteq.com with steps to reproduce. PGP available on request.
  • Act in good faith: don't access or modify data that isn't yours, and don't degrade service for others.
  • We acknowledge receipt and triage. We'll keep you updated through remediation and credit researchers who want it.
  • We don't run a paid bounty programme, but we take reports seriously and respond.

006 / PROCUREMENT QUESTIONS?

Talk to engineering.

Security and procurement gates are easier to clear when an engineer answers them. Flag vendor SOC 2 needs early and we'll route accordingly.