01
Tenant Isolation
Every customer gets a tenant-isolated graph slice. Cross-tenant data flow is impossible by design — enforced at the row, query, and embedding-index level.
Security & Trust
Enterprise-grade by default. Audit-ready by design.
Procurement-grade compliance from day one. Tenant-isolated graph slices, row-level security, and an AI transparency model built for the EU AI Act — not bolted on later.
Compliance
The standards your procurement team wants to see.
A short list of acronyms doesn't fit on a wall. A coherent set of audits, certifications, and active regulatory readiness does.
SOC 2 Type 2In progress
Annual independent audit covering security, availability, processing integrity, confidentiality, and privacy.
ISO 27001In progress
Information security management system certification — the global standard for protecting customer data.
ISO 42001In progress
AI Management System standard — the first certification framework for responsible AI governance.
GDPRCompliant
EU data subject rights, DPA available, EU-region data residency, sub-processor disclosures.
CCPA / CPRACompliant
California privacy rights, opt-out endpoints, and a public privacy policy with retention schedules.
AWS Well-ArchitectedReviewed
Security, reliability, performance, cost, and operational excellence reviewed against the AWS framework.
EU AI Act Article 50Aug 2026 ready
AI output transparency mandate. Penalties up to 7% of global annual revenue. PYRAMYD's citation hierarchy and audit trails satisfy the requirement.
The EU AI Act Article 50 mandates AI output transparency by August 2026 — non-compliance penalties up to 7% of global annual revenue.
Architecture Controls
Built into the stack, not bolted on top.
Security is a layer of the platform, not a feature flag. Every read, write, and AI generation flows through the same set of controls.
02
Row-Level Security
Postgres RLS policies enforce per-user, per-role, and per-workspace access. Auth context flows through every read and every write.
03
Encryption in Transit & At Rest
TLS 1.3 in transit. AWS KMS-managed AES-256 at rest. Secrets in AWS Secrets Manager with rotation policies.
04
Audit Logging
Every read, every write, every AI generation. 90-day hot storage, 7-year cold storage. Customer-accessible audit feeds on Enterprise plans.
AI Governance
Every answer auditable. Every citation traceable.
The reason agentic AI projects get cancelled is grounding. PYRAMYD ships with the citation hierarchy that regulators want and the audit trail that customer security teams need.
Source URLs
Every cited claim links back to a real source — vendor changelog, press release, review, regulatory filing.
Provenance metadata
Retrieval timestamp, last re-verification date, source publication date — stored per signal.
Model + version stamps
Which model wrote the enrichment. Prompt version. Token count. Confidence score per field.
Verification states
verified · needs_review · disputed. Two-gate audit (completeness + content) before APEX can cite a row.
Hallucination guardrails
If the graph can't ground an answer, APEX says so — and links to the closest evidence. No fabricated citations.
Customer-controlled training
Customer data is never used to train shared models. Opt-in only for customer-isolated fine-tuning on Enterprise.
PYRAMYD is the trusted context layer that keeps them accurate, traceable, and enterprise-ready. Gartner predicts >40% of agentic AI projects cancelled by end of 2027 due to inadequate grounding.
Data Residency & Subprocessors
No surprises in the DPA.
A full subprocessor list, EU-region data residency on Enterprise, and a customer-accessible audit log on demand.
Hosting
AWS (us-east-1 + eu-west-1). Dedicated VPC. RDS Proxy for connection isolation. Customer-isolated graph slices on every plan.
Data Residency
EU-region data residency available on Enterprise plans. Sub-processor list and DPA published and versioned at the security policy URL.
Customer Audit
Enterprise customers get a real-time audit-log endpoint and quarterly third-party penetration test summaries.
Need to talk to security before we talk to procurement?
We'll walk your security team through the architecture, the audit posture, and the AI governance model — before anyone signs an NDA.