Skip to main content
PYRAMYD

Trust Center

Real status. Real artifacts. Real contacts.

Our internal audits are complete in Scrut.io, and we're awaiting the final third-party audit for SOC 2, ISO 27001, and ISO 42001. This page tells you exactly where each certification stands, lists every sub-processor that touches customer data, and gives your security team a direct line.

Direct contact: security@pyramyd.ai · Legal: legal@pyramyd.ai

Audit status

Where each certification stands.

No certification is issued yet. Our internal audits are complete in Scrut.io — each item below shows what's in place and what remains before the final third-party audit.

SOC 2 Type 2

Internal audit complete

Controls are implemented and continuously monitored in Scrut.io, and our internal audit is complete. We are awaiting the final independent third-party audit that issues the SOC 2 report. Current status is available under NDA through our Trust Center.

ISO 27001

Internal audit complete

Our ISMS is implemented and evidenced in Scrut.io, and the internal audit is complete. We are awaiting the Stage 2 certification audit by an accredited third-party body.

ISO 42001 (AI Management)

Internal audit complete

Our AI management system controls are implemented and tracked in Scrut.io, and the internal audit is complete. We are awaiting the independent third-party certification audit.

GDPR readiness

Internal audit complete

GDPR controls are implemented and monitored in Scrut.io, and our internal readiness audit is complete. They are evidenced within the SOC 2 and ISO 27001 third-party audits now underway. DPA and EU data residency are available on the Enterprise tier today.

CCPA / CPRA readiness

Internal audit complete

Privacy notices, retention schedules, and opt-out (Do Not Sell or Share) controls are implemented and monitored in Scrut.io, and our internal readiness audit is complete — evidenced within the third-party audits now underway.

EU AI Act Article 50

Aug 2026 ready

Citation hierarchy and audit trails already satisfy the transparency mandate; the controls are tracked in Scrut.io with our internal audit complete. Customer-facing disclosures ship July 2026.

Sub-processors

Who touches your data, and why.

Updated monthly. Every sub-processor has a signed DPA with PYRAMYD. We'll notify you in writing 30 days before adding a new one.

Sub-processorRegionPurpose
Microsoft AzureUS (Central US)Cloud hosting — compute, PostgreSQL, storage, Key Vault
VercelGlobal (Edge)Application + marketing hosting and edge CDN
Okta (Auth0)USAuthentication and identity
OpenAI / Azure OpenAIUSLLM inference for AI features
AnthropicUSLLM inference (Claude family) for AI features
CloudflareUSDNS, CDN, and web application firewall
StripeUS / globalPayments and subscription billing
SentryUSApplication error tracking (PII-scrubbed)
GitHubUSSource-code management and CI
Google WorkspaceUSInternal email and document collaboration
HubSpotUSMarketing, CRM, and email
IntercomUSIn-product messaging and support
Apollo.ioUSSales intelligence

Artifacts on request

The documents your security team needs.

Available under NDA via direct request. Most responses turn around within one business day.

Security questionnaire (public)

Pre-filled answers to the standard 200-question security questionnaire (CAIQ-Lite + SIG-Lite alignment).

Penetration test summary

Most recent third-party penetration test report summary, redacted for distribution under NDA.

DPA + sub-processor list

Data Processing Agreement and complete sub-processor list (refreshed monthly).

Incident response plan

Incident classification, communication timeline, customer notification SLAs, and historical incident log.

Incident response

How we'd handle an incident.

  • Hour 0: security@pyramyd.ai is paged via PagerDuty. On-call commander assigned.
  • Hour 1: Severity classified (P0·P3). Affected customers identified from audit logs.
  • Hour 4: Initial customer notification for P0/P1 with what we know and what we don't.
  • Day 1·3: Containment, eradication, recovery. Daily customer updates.
  • Day 14: Post-incident report shared with affected customers, including root cause and preventive controls.

Detailed incident response plan available under NDA at security@pyramyd.ai.

Your security team has questions. We have answers ready.

Pre-filled CAIQ-Lite + SIG-Lite. DPA in two days. We're responsive because we've been on the other side of this conversation.