PeerAI Trust Center

Compliance roadmap

What is attested today, what is in progress, and what is planned. Every "attested" item carries a link to evidence and a last-verified date. Trust shouldn't be an annual claim.

Last verified 5/1/2026, 4:28:17 PM · commit c6eee3e

Secure SDLC

Documented secure release process

Branch flow alpha → beta → main; release security gate (grype lockfile scans on 9 targets) before every tag.

Last verified 2026-05-01 · Evidence
Attested

Pre-commit lint + typecheck

Last verified 2026-05-01 · Evidence
Attested

Dependency Management

Daily automated vulnerability scanning

grype + pip-audit + cargo-audit + bun pm audit, daily 09:00 UTC, plus continuous Aikido on every lockfile push.

Last verified 2026-05-01 · Evidence
Attested

CycloneDX SBOM generation per release

2,672 components tracked across npm/pypi/cargo with NTIA enrichment.

Last verified 2026-05-01 · Evidence
Attested

Disclosure

Published responsible disclosure policy

48h ack SLA, 7-day assessment, 30-day critical fix target.

Last verified 2026-05-01 · Evidence
Attested

SOC 2

SOC 2 Type I

Audit in progress. Type I attestation expected end of May 2026.

Target 2026-05-31
In progress

SOC 2 Type II

Scheduled after Type I attestation and observation period (typically 6–12 months).

Target TBD
Planned

ISO 27001

ISO 27001 certification

Target TBD
Planned

Privacy

Data Processing Agreement (DPA)

Standard DPA available under NDA on request.

Planned

Subprocessor list

Studio runs locally; LLM provider is customer-selected and -contracted.

Planned

GDPR alignment

Local-first execution model minimises personal-data flow to PeerAI. Formal DPIA scheduled after SOC 2 Type I closes.

Planned