Built to earn IT, CIO & CISO sign-off

Security & trust at tacitrun.

Tacitrun turns your processes into governed AI co-pilots — with tenant isolation, encryption, an immutable audit trail, IT approval, and human-in-the-loop controls built in. This page maps our application controls to ISO/IEC 27001 and the SOC 2 Trust Services Criteria, and states our certification status honestly.

Certification status

SOC 2 Type II
In progress
Controls implemented; continuous monitoring + audit window to follow.
ISO/IEC 27001
Planned
Control set largely in place; Stage 1/2 audit to be scheduled.
ISO/IEC 42001 (AI)
Exploratory
Strong fit for our guardrail / HITL / audit posture.
GDPR / UK GDPR
DPA available
SCCs on request; data export + delete shipped.

We don't claim a certificate we don't yet hold. Request the security pack below for our current timeline and evidence.

Controls

Shipped live today · Preview wired, activates on credentials · Roadmap planned.

Identity & access

  • RBAC (owner / editor / viewer) enforced on every writeShipped
  • Per-tenant IP allowlistShipped
  • Max session lifetime (forced re-auth)Shipped
  • Enterprise SSO (SAML/OIDC — Okta, Entra, Google)Preview
  • SCIM provisioning · MFA via IdPPreview

Data protection

  • Tenant isolation — database-enforced row-level security (RLS)Shipped
  • Per-query tenant scoping (defense in depth)Shipped
  • Encryption in transit (TLS 1.2+) & at restShipped
  • Encrypted credential vault (pgcrypto + KEK)Shipped
  • PII redaction at trace / log / corpus boundaryShipped
  • Configurable retention + purge · export · deleteShipped
  • Customer-managed keys (CMEK) · data residencyRoadmap

Auditability & monitoring

  • Immutable, append-only audit logShipped
  • Audit-log export (CSV / JSON)Shipped
  • OTel-style traces · per-call cost/latencyShipped
  • Error monitoring · deployment healthShipped
  • SIEM streaming (Splunk / Sentinel)Roadmap

Governance & AI risk

  • IT approval workflow + risk scoringShipped
  • Auto-approval policies (CISO defaults)Shipped
  • Output guardrails (deny-list + classifier)Shipped
  • Human-in-the-loop until shadow agreementShipped
  • Kill switch (per-deployment + tenant-wide)Shipped

Application security

  • Upload MIME + magic-number + size capsShipped
  • Prompt-injection mitigation · SSRF hardeningShipped
  • Rate limiting + connector circuit breakersShipped
  • Webhook HMAC verification · idempotencyShipped
  • SHA-tied, reproducible deploys (change mgmt)Shipped

Availability & resilience

  • Managed Postgres backups / PITRShipped
  • Warm instances (no cold-start gaps)Shipped
  • Documented RTO/RPO + restore drillRoadmap
  • Multi-region failoverRoadmap

Request our security pack

For your vendor review we can share the security whitepaper, SOC 2 / ISO timeline, DPA, sub-processor list, and a pen-test summary. Tell us what you need and where to send it.

or email security@kiwana.ai