SOC 2 Type 2
In progress
Observation period started Q1 2026. Type 1 attestation expected Q3 2026, Type 2 by Q1 2027.
Trust Center
We're pre-attestation on SOC 2, ISO 27001, and ISO 42001. This page tells you exactly where each certification is, lists every sub-processor that touches customer data, and gives your security team a direct line.
Direct contact: security@pyramyd.ai · Legal: legal@pyramyd.ai
Audit status
No certification is currently issued. Status, scope, and target dates are listed below in plain English.
Observation period started Q1 2026. Type 1 attestation expected Q3 2026, Type 2 by Q1 2027.
ISMS scoped Q1 2026. Internal audit Q3 2026. Stage 2 audit targeted Q4 2026.
Gap assessment complete. Controls implementation underway alongside ISO 27001.
DPA template available on request. EU data residency available on the Enterprise tier today.
Privacy policy + retention schedules published. Opt-out endpoints in flight.
Citation hierarchy and audit trails already satisfy the transparency mandate. Customer-facing disclosures shipping July 2026.
Sub-processors
Updated monthly. Every sub-processor has a signed DPA with PYRAMYD. We'll notify you in writing 30 days before adding a new one.
| Sub-processor | Region | Purpose |
|---|---|---|
| Amazon Web Services (AWS) | us-east-1, eu-west-1 | Cloud hosting, RDS, RDS Proxy, S3, ECS |
| Anthropic | us-east-1 | APEX copilot LLM inference (Claude family) |
| Google Cloud (Gemini) | us-central1 | Embeddings (gemini-embedding-2) and supplemental inference |
| OpenAI | us-east-1 | Supplemental LLM inference for select agent workflows |
| Vercel | Global (Edge) | Marketing site hosting |
| Stripe | Global | Subscription billing and payments |
| HubSpot | us-east-1 | CRM, marketing automation, and form submission storage |
Artifacts on request
Available under NDA via direct request. Most responses turn around within one business day.
Pre-filled answers to the standard 200-question security questionnaire (CAIQ-Lite + SIG-Lite alignment).
Request the questionnaire
Most recent third-party penetration test report summary, redacted for distribution under NDA.
Request the latest summary
Data Processing Agreement and complete sub-processor list (refreshed monthly).
Request the DPA
Incident classification, communication timeline, customer notification SLAs, and historical incident log.
Request the IR plan
Incident response
Detailed incident response plan available under NDA at security@pyramyd.ai.
Pre-filled CAIQ-Lite + SIG-Lite. DPA in two days. We're responsive because we've been on the other side of this conversation.