Built to earn IT, CIO & CISO sign-off
Security & trust at tacitrun.
Tacitrun turns your processes into governed AI co-pilots — with tenant isolation, encryption, an immutable audit trail, IT approval, and human-in-the-loop controls built in. This page maps our application controls to ISO/IEC 27001 and the SOC 2 Trust Services Criteria, and states our certification status honestly.
Certification status
SOC 2 Type II
In progress
Controls implemented; continuous monitoring + audit window to follow.
ISO/IEC 27001
Planned
Control set largely in place; Stage 1/2 audit to be scheduled.
ISO/IEC 42001 (AI)
Exploratory
Strong fit for our guardrail / HITL / audit posture.
GDPR / UK GDPR
DPA available
SCCs on request; data export + delete shipped.
We don't claim a certificate we don't yet hold. Request the security pack below for our current timeline and evidence.
Controls
Shipped live today · Preview wired, activates on credentials · Roadmap planned.
Identity & access
- RBAC (owner / editor / viewer) enforced on every writeShipped
- Per-tenant IP allowlistShipped
- Max session lifetime (forced re-auth)Shipped
- Enterprise SSO (SAML/OIDC — Okta, Entra, Google)Preview
- SCIM provisioning · MFA via IdPPreview
Data protection
- Tenant isolation — database-enforced row-level security (RLS)Shipped
- Per-query tenant scoping (defense in depth)Shipped
- Encryption in transit (TLS 1.2+) & at restShipped
- Encrypted credential vault (pgcrypto + KEK)Shipped
- PII redaction at trace / log / corpus boundaryShipped
- Configurable retention + purge · export · deleteShipped
- Customer-managed keys (CMEK) · data residencyRoadmap
Auditability & monitoring
- Immutable, append-only audit logShipped
- Audit-log export (CSV / JSON)Shipped
- OTel-style traces · per-call cost/latencyShipped
- Error monitoring · deployment healthShipped
- SIEM streaming (Splunk / Sentinel)Roadmap
Governance & AI risk
- IT approval workflow + risk scoringShipped
- Auto-approval policies (CISO defaults)Shipped
- Output guardrails (deny-list + classifier)Shipped
- Human-in-the-loop until shadow agreementShipped
- Kill switch (per-deployment + tenant-wide)Shipped
Application security
- Upload MIME + magic-number + size capsShipped
- Prompt-injection mitigation · SSRF hardeningShipped
- Rate limiting + connector circuit breakersShipped
- Webhook HMAC verification · idempotencyShipped
- SHA-tied, reproducible deploys (change mgmt)Shipped
Availability & resilience
- Managed Postgres backups / PITRShipped
- Warm instances (no cold-start gaps)Shipped
- Documented RTO/RPO + restore drillRoadmap
- Multi-region failoverRoadmap
Request our security pack
For your vendor review we can share the security whitepaper, SOC 2 / ISO timeline, DPA, sub-processor list, and a pen-test summary. Tell us what you need and where to send it.
or email security@kiwana.ai