Security & Compliance
PrivateAI is ISO/IEC 27001 and ISO/IEC 27701 certified. We operate an evidence-driven security and privacy program designed for enterprise and regulated customers, with clear controls, documented processes, and audit-ready records.
For urgent issues, include “URGENT” in the email subject.
Security at a glance
- ✓ Access control (least privilege, MFA, access reviews)
- ✓ Encryption in transit and at rest
- ✓ Logging & monitoring with alerting
- ✓ Vulnerability management & patching process
- ✓ Backups & recovery controls
- ✓ Incident response & breach handling process
Compliance & Framework Coverage
| Standard / Framework | Status | What it means | Evidence |
|---|---|---|---|
| ISO/IEC 27001 | Certified | Information Security Management System (ISMS) | Certificate available under NDA on request |
| ISO/IEC 27701 | Certified | Privacy Information Management System (PIMS) | Certificate available under NDA on request |
| GDPR (EU) | Aligned | GDPR controls supported by ISMS/PIMS + operational registers | Evidence pack available under NDA on request |
| PDPA (Singapore) | Aligned | PDPA baseline controls supported by ISMS/PIMS | Evidence pack available under NDA on request |
| HIPAA (US) | Readiness (customer-driven) | HIPAA-aligned safeguards supported for healthcare scopes; scope confirmed per engagement | Readiness summary on request (not a certification) |
| MAS TRM (Singapore) | Customer-driven alignment | Implemented where required by financial-sector customer scope | Approach summary on request |
| ISO/IEC 23894 | Aligned | AI risk management practices applied to AI/LLM workflows | Approach summary on request |
| ISO/IEC 42001 | Roadmap | Evaluation planned; timeline driven by customer demand | Roadmap summary on request |
| NIST CSF | Mapped | Security controls mapped to NIST CSF functions | Mapping summary on request |
| CIS Benchmarks | Aligned | Hardening guidance used where applicable | Summary on request |
| SOC 2 (TSC) | Controls mapped / readiness | Controls mapped to SOC 2 Trust Services Criteria; no SOC report is claimed unless explicitly stated | Mapping summary on request (not a SOC report) |
AI & Data Protection
Our AI/LLM processing is governed by privacy-by-design: data minimisation, access control, logging/retention controls, and vendor risk review. We do not publish “zero retention”, “no training”, “EU-only”, or similar claims unless contractually evidenced for the specific service.
Subprocessors & data locations
Subprocessor information and data-hosting locations are available on request via compliance@useprivate.ai.
Contact
Compliance: compliance@useprivate.ai (questionnaires, evidence packs, DPAs)
Security: security@useprivate.ai (vulnerability reports, incidents)
Last updated: December 2025