Trust · Security · Compliance

Security posture — the honest version.

Aurevat is early-stage software with enterprise-grade internals. We haven't completed a SOC 2 Type II or ISO 27001 audit yet — but we've engineered every subsystem to pass them the day we walk into the room. Below is exactly what's in place today, what our subprocessor list looks like, and the roadmap toward formal attestation.

Controls · Live in production

What's in place today.

These are the security controls actually implemented in the codebase and running in production right now — no theoretical roadmap items, no aspirational bullets. Ask your security team to verify any of them on a technical due-diligence call.

Encryption at rest

AES-256 for all tenant data, secrets, uploads and audit-log volumes.

Encryption in transit

TLS 1.3 across every HTTP surface — customer traffic, API, admin portal, LLM proxying.

Multi-Factor Auth

TOTP MFA is enforced for the admin portal. Optional MFA is available for tenant admin roles.

Least-privilege JWT

Signed JWTs carry only tenant_id + role. Tenant boundaries are enforced at every DB query.

WORM audit log

Every determination, override, and simulation is written to a Write-Once-Read-Many log. HMAC-SHA256 signed manifests.

Isolated LLM proxy

Claude Sonnet 4.5 runs in zero-retention mode. Tax data is never used to train any model.

Tenant isolation

Every document in MongoDB is namespaced by tenant_id. Cross-tenant reads are structurally impossible.

Backup & recovery

Daily MongoDB point-in-time backups with 30-day retention. Restore runbook rehearsed quarterly.

Data residency

EU customer data resides in Frankfurt. India customer data resides in Mumbai. Region-locked, never replicated cross-region.

Roadmap · Formal attestation

The path to SOC 2 Type II & ISO 27001.

We publish this timeline so you can see exactly where we are — and hold us to it. Every quarter, we'll update this page as items close. If a milestone slips, we'll say so here.

  1. Q2 2026
    SOC 2 Type I audit kicks off
    In progress
  2. Q3 2026
    SOC 2 Type I report published
    Planned
  3. Q4 2026
    ISO 27001 evidence pack ready
    Planned
  4. Q1 2027
    SOC 2 Type II observation period completes
    Planned
  5. Q2 2027
    External penetration-test report published
    Planned
Timing note: while we work toward Type II, we can share a live control map + engineering diligence pack with your security team under NDA. Reach security@aurevat.com.
Subprocessors · Every third-party

The complete third-party list.

Every service that touches customer data, with role, region and the DPA in force. If we add or remove a subprocessor, we'll update this list and notify Enterprise customers by email 30 days ahead of the change.

VendorRoleRegionDPA / Basis
MongoDB AtlasManaged database + backupFrankfurt (EU) · Mumbai (IN)MongoDB DPA + EU SCCs 2021/914
AnthropicLLM (Claude Sonnet 4.5) · zero-retentionUS (encrypted transit)Anthropic DPA · Zero-retention mode
ResendTransactional email deliveryUS · EUResend DPA + EU SCCs
StripePayments (non-INR) — cards, SEPA, iDEALUS · EU · INStripe DPA + EU SCCs
RazorpayPayments (INR) — UPI, NetBanking, CardsIndiaRazorpay DPA + India DPDP
CloudflareCDN, DDoS protection, WAF at edgeAnycast (global)Cloudflare DPA + EU SCCs

Talk to security directly.

For SIG Lite responses, penetration-test summaries, security architecture diagrams, or a CISO-level diligence call — reach security@aurevat.com. First response within one business hour, most artefacts available under NDA within 48 hours.