Aurevat is early-stage software with enterprise-grade internals. We haven't completed a SOC 2 Type II or ISO 27001 audit yet — but we've engineered every subsystem to pass them the day we walk into the room. Below is exactly what's in place today, what our subprocessor list looks like, and the roadmap toward formal attestation.
These are the security controls actually implemented in the codebase and running in production right now — no theoretical roadmap items, no aspirational bullets. Ask your security team to verify any of them on a technical due-diligence call.
AES-256 for all tenant data, secrets, uploads and audit-log volumes.
TLS 1.3 across every HTTP surface — customer traffic, API, admin portal, LLM proxying.
TOTP MFA is enforced for the admin portal. Optional MFA is available for tenant admin roles.
Signed JWTs carry only tenant_id + role. Tenant boundaries are enforced at every DB query.
Every determination, override, and simulation is written to a Write-Once-Read-Many log. HMAC-SHA256 signed manifests.
Claude Sonnet 4.5 runs in zero-retention mode. Tax data is never used to train any model.
Every document in MongoDB is namespaced by tenant_id. Cross-tenant reads are structurally impossible.
Daily MongoDB point-in-time backups with 30-day retention. Restore runbook rehearsed quarterly.
EU customer data resides in Frankfurt. India customer data resides in Mumbai. Region-locked, never replicated cross-region.
We publish this timeline so you can see exactly where we are — and hold us to it. Every quarter, we'll update this page as items close. If a milestone slips, we'll say so here.
Every service that touches customer data, with role, region and the DPA in force. If we add or remove a subprocessor, we'll update this list and notify Enterprise customers by email 30 days ahead of the change.
| Vendor | Role | Region | DPA / Basis |
|---|---|---|---|
| MongoDB Atlas | Managed database + backup | Frankfurt (EU) · Mumbai (IN) | MongoDB DPA + EU SCCs 2021/914 |
| Anthropic | LLM (Claude Sonnet 4.5) · zero-retention | US (encrypted transit) | Anthropic DPA · Zero-retention mode |
| Resend | Transactional email delivery | US · EU | Resend DPA + EU SCCs |
| Stripe | Payments (non-INR) — cards, SEPA, iDEAL | US · EU · IN | Stripe DPA + EU SCCs |
| Razorpay | Payments (INR) — UPI, NetBanking, Cards | India | Razorpay DPA + India DPDP |
| Cloudflare | CDN, DDoS protection, WAF at edge | Anycast (global) | Cloudflare DPA + EU SCCs |
For SIG Lite responses, penetration-test summaries, security architecture diagrams, or a CISO-level diligence call — reach security@aurevat.com. First response within one business hour, most artefacts available under NDA within 48 hours.