Compliance & Security · LouDNAi

The honest version of where every compliance posture stands—down to the audit week.

No marketing hand-waving. Each item below is labeled Ready, In progress, Available on request, or Scoped for a future quarter. Procurement teams, counsel, and CISOs should read this front-to-back before signing.

Document version: v1 · April 2026
Review cadence: Quarterly, or on material change
Owner: LouDNAi Security & Compliance
/ 01

At a glance

Every compliance and security commitment LouDNAi makes, with current status. Everything in this table is reflected truthfully in customer-facing materials.

Commitment | Status | Detail
NVIDIA Inception Program | Ready | Member of the NVIDIA Inception program, vetted by NVIDIA's program for AI startups. See §02.
SOC 2 Type 1 | In progress | Audit underway with target completion in Q3 2026. Trust Services Criteria: Security, Availability, Confidentiality. See §03.
SOC 2 Type 2 | Scoped, Q1 2027 | Six-month observation window begins after Type 1 issuance. See §03.
HIPAA-ready architecture | Ready | Infrastructure supports HIPAA-compliant deployments under a Business Associate Agreement. Not a HIPAA certification; no such certification exists. See §04.
Business Associate Agreement (BAA) | On request | Available to any customer processing PHI. Typical execution: 7–14 days. See §05.
Data Processing Agreement (DPA) | On request | GDPR-grade default. Signed prior to any production data transfer. See §07.
Encryption (at rest) | Ready | AES-256 encryption on all customer data at rest. See §06.
Encryption (in transit) | Ready | TLS 1.3 for all customer-facing endpoints. See §06.
Per-tenant data isolation | Ready | Logical tenant isolation. No shared embeddings, fine-tunes, or retrieval indices across customers. See §06.
Sub-processor disclosure | Ready | Full list maintained in §08. Customers receive 30-day notice of new sub-processors via email or portal.
Penetration testing | Annual cadence | Independent third-party penetration testing scheduled annually. First report scoped Q3 2026.
Incident response | Ready | Documented IR plan with customer notification SLAs. See §06.
ISO 27001 | Not in scope | Not currently pursued. Customers requiring ISO 27001 should contact security@loudnai.ai to discuss scope.
/ 02

NVIDIA Inception Program

LouDNAi is a member of the NVIDIA Inception program — NVIDIA's program for AI startups. Membership reflects vetting against NVIDIA's eligibility criteria for AI, deep learning, and data science companies.

What this means

Inception membership confirms LouDNAi is a for-profit company actively building AI products, has been reviewed and accepted by NVIDIA, and maintains an up-to-date profile in NVIDIA's member portal. Membership grants access to NVIDIA's developer ecosystem, training resources, and partner network.

What this does not mean

Inception membership is not an endorsement, certification, or guarantee by NVIDIA of any LouDNAi product or service. LouDNAi does not represent that any LouDNAi product is supervised, reviewed, or approved by NVIDIA.

For NVIDIA's program documentation, see the NVIDIA Inception program page.

/ 03

SOC 2 audit

SOC 2 (System and Organization Controls 2) is the AICPA's audit framework for evaluating a service organization's controls relevant to security, availability, processing integrity, confidentiality, and privacy. LouDNAi's SOC 2 Type 1 audit is currently in flight.

SOC 2 · Type 1
In progress

What it covers: A point-in-time opinion that LouDNAi's controls are suitably designed as of the audit date. It does not test whether those controls operated over a period.

Trust Services Criteria in scope: Security, Availability, Confidentiality.

Target completion: Q3 2026.

Status: GRC platform deployed. Control evidence collection underway. Auditor engagement letter executed.

SOC 2 · Type 2
Scoped

What it covers: A six- to twelve-month evaluation that controls are both suitably designed and operating effectively over the observation period.

Observation window begins: Immediately following Type 1 issuance.

Target completion: Q1 2027.

Annual renewal: Yes. Type 2 reports refreshed every twelve months.

How it's being run

LouDNAi uses a GRC (governance, risk, and compliance) platform (Vanta / Drata; see §08) to manage continuous control monitoring, evidence collection, and auditor coordination. The platform integrates with our infrastructure to surface configuration drift, access reviews, and policy adherence in near real time. The audit itself is conducted by an independent, licensed CPA firm with experience auditing AI infrastructure providers; only a licensed CPA firm can issue a SOC 2 report.

How to access the report

Once SOC 2 Type 1 is issued, the report will be available to active and prospective customers under NDA. Request via security@loudnai.ai with your company name and use-case. Typical turnaround: 3 business days.

Important disclosure SOC 2 Type 1 is currently in process. An audit in progress is not an attestation: no SOC 2 report exists until the auditor issues it. Statements about LouDNAi's control posture are based on internal review and are subject to confirmation by the third-party auditor. LouDNAi will update this page promptly upon material status change or report issuance.
/ 04

HIPAA-ready architecture

"HIPAA-ready" means LouDNAi's infrastructure is designed to support HIPAA-compliant deployments when paired with a signed Business Associate Agreement. There is no such thing as "HIPAA-certified" — HHS does not issue certifications. What LouDNAi commits to is the technical, administrative, and physical safeguards required of a Business Associate under 45 CFR § 164.

Technical safeguards

  • Access control. Unique user identification, automatic logoff, role-based access controls, MFA-required for all production access.
  • Audit controls. Comprehensive audit logging of every access to systems containing PHI, retained at least 6 years, matching the HIPAA documentation-retention period (45 CFR § 164.316(b)(2)).
  • Integrity controls. Cryptographic checksums, immutable audit logs, change-detection on all production data stores.
  • Transmission security. TLS 1.3 for all data in motion. No unencrypted channels for PHI under any circumstance.
  • Encryption. AES-256 at rest. Per-tenant encryption keys with customer-managed key (CMK) options on enterprise tier.

Administrative safeguards

  • Security officer. Designated HIPAA Security Officer accountable for the safeguards program.
  • Workforce training. All workforce members with PHI access complete annual HIPAA training and sign confidentiality agreements.
  • Access management. Least-privilege principle. Quarterly access reviews. Automated deprovisioning on workforce changes.
  • Incident response. Documented breach notification procedures consistent with HIPAA Breach Notification Rule timelines.
  • Risk analysis. Annual HIPAA risk assessment with documented remediation tracking.
  • Sub-processor management. All sub-processors handling PHI sign downstream BAAs. See §08.

Physical safeguards

  • Hosting. LouDNAi infrastructure runs on hyperscale cloud infrastructure (AWS, the primary cloud listed in §08) under a signed BAA with the provider. Any additional provider is added to §08 with its BAA status before PHI is processed there.
  • No on-premise PHI. No customer PHI is stored on LouDNAi-controlled physical hardware, employee laptops, or removable media.
  • Workstation security. All workforce devices managed via MDM with disk encryption, automatic patching, and remote wipe capability.

What "HIPAA-ready" does not cover

  • LouDNAi is not a healthcare provider. LouDNAi does not provide medical, clinical, or diagnostic advice.
  • AI-generated outputs in healthcare contexts require human review by appropriately licensed clinical personnel before any decision is made affecting patient care.
  • HIPAA compliance is a shared responsibility. Customers are responsible for their own HIPAA program, workforce training on LouDNAi tools, and downstream use of outputs.
  • HIPAA-ready architecture covers Business Associate obligations under 45 CFR Part 164. Other healthcare regulations (e.g., 42 CFR Part 2 for substance use disorder records, state privacy laws) are scoped separately on request.
⚠ No clinical advice LouDNAi agents do not provide medical advice, diagnosis, or treatment recommendations. Any AI-generated output that touches a clinical decision must be reviewed by a licensed clinician before action is taken. This is enforced via Human-in-the-Loop gates on all healthcare-vertical agents.
/ 05

Business Associate Agreement (BAA)

Any customer whose use of LouDNAi will involve Protected Health Information (PHI) must execute a BAA with LouDNAi before production deployment. This is non-negotiable and is required of every Business Associate under HIPAA.

Who needs one

Any LouDNAi customer that is a HIPAA Covered Entity or a HIPAA Business Associate, where the LouDNAi engagement will involve creating, receiving, maintaining, or transmitting PHI.

Process

Standard BAA execution flow

  1. Request initiation. Customer or LouDNAi sales lead notifies baa@loudnai.ai that PHI is in scope. The request must include customer entity name, use case summary, and intended deployment timeline.
  2. Scoping call. A 30-minute scoping call with the customer's privacy / security lead and LouDNAi's HIPAA Security Officer to identify which agents, integrations, and data flows touch PHI.
  3. BAA template review. LouDNAi sends our standard BAA. Customer reviews. Most enterprise customers sign LouDNAi's template; customers requiring their own template add 5–10 days for legal review.
  4. Sub-processor BAA flow-down. LouDNAi confirms each sub-processor in scope (cloud, LLM, observability) has a current BAA with LouDNAi covering the data flow. See §08.
  5. Execution. Both parties sign. Effective immediately on full execution. Customer-side workforce training and access provisioning then begin.
  6. Annual review. BAA terms reviewed annually. Material changes (e.g., new sub-processor, scope expansion) require an amendment.

What's covered by the BAA

  • PHI processed by LouDNAi infrastructure under the engagement.
  • Use, disclosure, and safeguarding of PHI consistent with 45 CFR § 164.504(e).
  • Breach notification without unreasonable delay and no later than 60 days after discovery, the outer limit set by the HIPAA Breach Notification Rule (45 CFR § 164.410). LouDNAi's 72-hour security-incident notification in §06 applies in parallel.
  • Sub-processor flow-down. Every LouDNAi sub-processor handling PHI is bound by a subcontractor BAA with LouDNAi on terms no less restrictive than those in the customer's BAA.
  • Termination and return / destruction of PHI on contract end.

What's excluded

  • PHI processed outside the LouDNAi engagement (e.g., on customer-controlled infrastructure not integrated with LouDNAi).
  • Third-party LLM providers that do not offer a BAA. If the use case requires an LLM provider that doesn't sign BAAs, LouDNAi will route to a BAA-capable model (Claude on Anthropic's BAA-eligible tier, GPT-4 on OpenAI's enterprise BAA tier, or self-hosted open-weight models).
  • Customer's downstream use of AI-generated outputs after delivery from LouDNAi.

Request a BAA: baa@loudnai.ai. Include company name, intended use case, and timeline.

/ 06

Security posture

Every layer of the LouDNAi stack is designed under defense-in-depth principles. Below is the posture across encryption, authentication, network, application, and operational security.

Data encryption

  • At rest: AES-256 on all customer data, including object storage, databases, and backups, using FIPS 140-2 validated cryptographic modules (validation applies to the module, not to the algorithm itself).
  • In transit: TLS 1.3 minimum on all customer-facing endpoints. Internal service-to-service traffic encrypted via mTLS.
  • Key management: Cloud-provider KMS by default. Customer-managed keys (CMK) available on enterprise tier.
  • Backup encryption: All backups encrypted at rest with separate key material. Off-region replication for disaster recovery.

Identity & access

  • Authentication: SSO (SAML 2.0, OIDC) for all customer access. MFA required for all workforce production access.
  • Authorization: Role-based access controls (RBAC) with least-privilege defaults.
  • Workforce access: Just-in-time access elevation with quarterly review. Automated deprovisioning on role change or departure.
  • Customer access: Per-tenant access boundaries. Customer admins manage their own user provisioning.

Network security

  • Network segmentation. Production runs in dedicated VPCs segregated from corporate networks. Within production, tenants are logically isolated (see per-tenant data isolation below).
  • Web Application Firewall (WAF). Inbound traffic filtered at the edge. OWASP rule sets active.
  • DDoS protection. Cloud-provider native DDoS mitigation on all public endpoints.
  • Egress filtering. Outbound connections from production restricted to allowlist.

Application security

  • Secure SDLC. Mandatory code review on every change. Branch protection enforced. Production deploys gated on automated tests.
  • Static analysis (SAST). Code scanned on every commit. Critical vulnerabilities block merge.
  • Software composition analysis (SCA). Continuous dependency scanning. Critical CVEs patched within 24 hours.
  • Dynamic analysis (DAST) & penetration testing. Annual third-party pen test. First report scoped Q3 2026.
  • Secrets management. All secrets stored in cloud-native secret manager. No secrets in code, logs, or config files.

Per-tenant data isolation

Cross-tenant leakage is the characteristic failure mode of multi-tenant agentic AI platforms, and LouDNAi treats it as existential. Every customer is provisioned a logical tenant with its own encryption boundary (per-tenant keys; see §04), retrieval index, and audit log space. No shared embeddings, no cross-tenant fine-tunes, no cached prompts visible across customers. Cross-tenant access requires explicit administrative escalation, is logged in an immutable audit trail, and is restricted to a short allowlist of SREs for incident response only.
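The following is an added illustration of the isolation and audit properties described above (and the integrity controls in §04); it is not LouDNAi's code. The in-memory store, the tenant IDs, the `sre-alice` allowlist and the incident reference are all constructed for the example. Two things are worth seeing in working code: the tenant predicate is applied server-side from the authenticated session rather than from anything the caller supplies, and every cross-tenant read, granted or refused, lands in a hash-chained log whose `verify()` fails if any earlier record is altered.

```python
"""Tenant-scoped retrieval with audited break-glass access (added example)."""
import hashlib
import json
import time
from dataclasses import dataclass, field
from typing import List, Optional


class TenantIsolationError(PermissionError):
    """Raised when a read would cross a tenant boundary without escalation."""


def _digest(body: dict) -> str:
    # Canonical JSON so the hash is independent of key order.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


@dataclass
class AuditLog:
    """Append-only log; each entry commits to the previous entry's hash, so
    editing or deleting any earlier record invalidates every later one."""
    entries: List[dict] = field(default_factory=list)

    def append(self, event: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"ts": time.time(), "prev": prev, "event": event}
        entry = {**body, "hash": _digest(body)}
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            body = {"ts": e["ts"], "prev": e["prev"], "event": e["event"]}
            if e["prev"] != prev or e["hash"] != _digest(body):
                return False
            prev = e["hash"]
        return True


@dataclass
class Document:
    tenant_id: str
    text: str


class TenantScopedIndex:
    """Every read is filtered by the tenant taken from the authenticated
    session, never from the query; callers cannot widen the predicate."""

    BREAK_GLASS_SRES = {"sre-alice"}  # constructed allowlist for the example

    def __init__(self, audit: AuditLog):
        self._docs: List[Document] = []
        self.audit = audit

    def add(self, tenant_id: str, text: str) -> None:
        self._docs.append(Document(tenant_id, text))

    def _match(self, tenant_id: str, query: str) -> List[str]:
        q = query.lower()
        return [d.text for d in self._docs if d.tenant_id == tenant_id and q in d.text.lower()]

    def search(self, session_tenant: str, query: str) -> List[str]:
        hits = self._match(session_tenant, query)
        self.audit.append({"type": "search", "tenant": session_tenant, "hits": len(hits)})
        return hits

    def break_glass_search(self, sre: str, target_tenant: str, query: str,
                           incident: Optional[str]) -> List[str]:
        """Cross-tenant read: allowlisted SREs only, an incident reference is
        mandatory, and both grants and refusals are audited."""
        if sre not in self.BREAK_GLASS_SRES or not incident:
            self.audit.append({"type": "break_glass_denied", "sre": sre, "tenant": target_tenant})
            raise TenantIsolationError(f"{sre} may not read tenant {target_tenant}")
        self.audit.append({"type": "break_glass", "sre": sre, "tenant": target_tenant, "incident": incident})
        return self._match(target_tenant, query)


def demo() -> dict:
    """Exercise isolation, escalation and tamper detection on constructed data."""
    audit = AuditLog()
    idx = TenantScopedIndex(audit)
    idx.add("tenant-a", "Intake notes for clinic A")
    idx.add("tenant-b", "Intake notes for clinic B")
    a_hits = idx.search("tenant-a", "intake")          # sees only tenant-a
    try:
        idx.break_glass_search("intern", "tenant-b", "intake", incident="INC-1")
        denied = False
    except TenantIsolationError:
        denied = True
    bg_hits = idx.break_glass_search("sre-alice", "tenant-b", "intake", incident="INC-1")
    intact_before = audit.verify()
    audit.entries[0]["event"]["hits"] = 99              # tamper with an old record
    return {"a_hits": a_hits, "denied": denied, "bg_hits": bg_hits,
            "intact_before": intact_before, "tamper_detected": not audit.verify()}


if __name__ == "__main__":
    print(demo())
```

In a real deployment the same predicate becomes a row-level security policy keyed on the session's tenant ID for pgvector, or a per-tenant index or namespace for Pinecone, and the audit chain is anchored by periodically writing the latest hash to write-once storage so that truncating the log is also detectable.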

Vulnerability management

  • Continuous scanning. Infrastructure and dependency scans run hourly.
  • Patch SLAs. Critical: 24 hours. High: 7 days. Medium: 30 days. Low: next release cycle.
  • Coordinated disclosure. Security researchers can report findings to security@loudnai.ai. Acknowledgment within 48 hours.

Incident response

  • IR plan documented. Roles, escalation paths, customer notification thresholds defined.
  • Customer notification. Material security incidents disclosed to affected customers without unreasonable delay, and in any event within 72 hours of confirmation.
  • Breach notification (HIPAA). If PHI is involved, the customer is notified without unreasonable delay and no later than 60 days after discovery, per the HIPAA Breach Notification Rule. The 72-hour commitment above still applies; the 60-day figure is a regulatory outer limit, not a target.
  • Post-incident review. Every material incident produces a written post-mortem with remediation tracking.

Workforce security

  • Background checks. Pre-employment background checks for all roles with production data access.
  • Confidentiality agreements. Signed by every workforce member at onboarding.
  • Annual security training. Includes HIPAA, phishing awareness, secure development, and incident response.
  • Device management. All laptops MDM-managed with disk encryption, automatic patching, and remote wipe capability.
/ 07

Privacy & data residency

LouDNAi maintains a GDPR-grade privacy posture as default — even for US-only customers. Data residency, retention, and customer rights are explicit, contractual, and enforceable.

Data Processing Agreement (DPA)

LouDNAi's standard DPA is GDPR Article 28-aligned and incorporates the EU Standard Contractual Clauses (SCCs) for international transfers where applicable. The DPA is executed prior to any production data being transferred. Most customers sign LouDNAi's standard DPA; customers requiring their own template add 5–10 days for legal review.

Data-subject request support under the DPA

Under the DPA the customer is the controller and LouDNAi is the processor. The rights below belong to the customer's end users under GDPR Articles 15 through 20; the DPA obligates LouDNAi to help the customer honor them for the personal data LouDNAi processes on the customer's behalf.

  • Right of access. On request, LouDNAi returns a copy of the personal data it processes for the customer so the customer can answer an access request.
  • Right to rectification. The customer can correct inaccurate personal data held on its behalf.
  • Right to erasure. The customer can request deletion of personal data, subject to legal retention requirements.
  • Right to portability. The customer can export its data in standard, machine-readable formats.
  • Right to restrict processing. The customer can have processing paused pending dispute resolution.

Data residency

  • US default. Customer data processed and stored in US regions of supported cloud providers.
  • EU residency. Available on enterprise tier. EU-only storage and processing of LouDNAi-controlled data, with no US transfers. Because the model providers in §08 are listed as US-region, confirm during scoping which models and sub-processors are in scope for an EU-resident deployment.
  • Custom residency. Other regions available on request, subject to cloud-provider availability.

Retention & deletion

  • Active customer data. Retained for the term of the customer agreement.
  • Audit logs. Retained at least 6 years, aligned with the HIPAA documentation-retention period. SOC 2 sets no fixed minimum; it requires that the retention policy be defined and followed.
  • On termination. Customer data deleted within 30 days of contract termination, unless legally required to retain. Deletion certificate available on request.
  • Backups. Backup retention follows the active-data lifecycle. Backups are deleted on the same schedule.

State and regional privacy laws

LouDNAi's privacy program is designed to support compliance with applicable US state privacy laws (CCPA / CPRA, VCDPA, CPA, CTDPA, UCPA, and others) and the EU GDPR / UK GDPR. Customer-specific compliance with state-level AI laws (e.g., Colorado AI Act, NYC bias audit law) is a shared responsibility — LouDNAi provides the technical and contractual scaffolding; customers retain responsibility for their lawful basis, notice obligations, and downstream use.

Request a DPA: legal@loudnai.ai. Include company name, jurisdiction, and intended data flows.

/ 08

Sub-processors

LouDNAi engages sub-processors to deliver the service. Below is the current list with role, data category, and BAA / DPA status. Customers receive 30 days' advance notice of new sub-processors via email and the customer portal.

Sub-processor | Role | Region | BAA | DPA | Notes
Amazon Web Services (AWS) | Cloud infrastructure | US (us-east-1, us-west-2) | Yes | Yes | Primary cloud. EU regions available for EU residency.
Anthropic (Claude) | LLM provider | US | Yes (BAA-eligible tier) | Yes | Default reasoning model. PHI workloads route only to the BAA-eligible Claude tier.
OpenAI | LLM provider | US | Yes (Enterprise / API enterprise) | Yes | Used for tool-use workloads. PHI routes only to the BAA-eligible enterprise tier.
Google Cloud (Gemini) | LLM provider | US | Yes | Yes | Used for multimodal and cost-optimized workloads.
Pinecone | Vector database | US | Yes | Yes | Per-tenant index isolation. Also used: pgvector self-hosted on AWS.
Langfuse / Helicone | LLM observability & tracing | US (self-hosted option available) | Yes (self-hosted) | Yes | PHI workloads use the self-hosted deployment inside the LouDNAi VPC, so no PHI reaches the vendor.
Stripe | Billing & payments | US | N/A (no PHI) | Yes | Customer billing only. No customer-end-user data.
Auth0 / Clerk | Authentication & SSO | US | Yes (Auth0 enterprise) | Yes | Workforce and customer identity management.
Postmark / SendGrid | Transactional email | US | N/A (no PHI in email) | Yes | System notifications only. PHI never sent via email.
Vanta / Drata | GRC & SOC 2 platform | US | Yes | Yes | Continuous control monitoring. No customer data processed.

Note for procurement teams: The list above is current as of April 2026. The authoritative, real-time sub-processor list is maintained at loudnai.ai/legal/subprocessors and is updated within 5 business days of any change.

⚠ Sub-processor BAA flow-down Every sub-processor listed above with a "Yes" in the BAA column has a current Business Associate Agreement with LouDNAi covering the data category they process. PHI is never routed to a sub-processor without an in-place BAA. If a sub-processor is added that requires a BAA, the BAA is executed before any production data flows.
/ 09

Responsible AI commitments

Agentic AI in regulated verticals creates real-world risk. LouDNAi treats responsible AI as a contractual commitment, not a marketing posture.

Human-in-the-loop (HITL) gates

The following actions cannot be executed by LouDNAi agents without human review by an authorized customer-side reviewer. This is enforced in code, not policy:

  • Patient charting, prior authorization submissions, or any clinical decision affecting patient care.
  • Contract execution, MSA negotiation, or any binding commercial agreement on behalf of a customer.
  • Financial transactions, invoice posting, or any irreversible accounting action.
  • Legal advice, tax filings, or regulatory submissions.
  • Outbound communications to a customer's customer that materially commit the customer to action.

Output disclaimers

All AI-generated outputs include a machine-readable disclaimer flagging them as AI-generated, requiring customer review before action, and noting that LouDNAi does not provide medical, legal, or financial advice.
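Below is an added example of what "enforced in code, not policy" looks like for the HITL gates listed above, together with the machine-readable disclaimer envelope from the preceding paragraph. It is not LouDNAi's code: the gated category names, the reviewer key, the approval-record format, the tool names and the sample actions are all constructed for the illustration. The check sits in the executor, the one place every tool call passes through, so an agent cannot skip it by omitting a "review" step, and an approval is an HMAC over the exact action payload, so it cannot be replayed against a different action or an edited one.

```python
"""Human-in-the-loop gate in the agent executor, with disclaimer envelope (added example)."""
import hashlib
import hmac
import json
from typing import List, Optional

# Action categories that cannot execute without a customer-side reviewer.
GATED = {"clinical_decision", "contract_execution", "financial_transaction",
         "regulatory_submission", "outbound_commitment"}

# Constructed reviewer key. In practice: one key per customer reviewer, held
# by the customer's review service and never available to the agent runtime.
REVIEWER_KEY = b"example-customer-reviewer-key"

DISCLAIMER = {"ai_generated": True, "requires_customer_review": True,
              "not_advice": ["medical", "legal", "financial"]}


class ApprovalRequired(PermissionError):
    """Raised when a gated action reaches the executor without a valid approval."""


def action_digest(action: dict) -> str:
    """Canonical hash of the exact action; approving one payload must not
    unlock a modified or different one."""
    return hashlib.sha256(json.dumps(action, sort_keys=True).encode()).hexdigest()


def approve(action: dict, reviewer: str, key: bytes = REVIEWER_KEY) -> dict:
    """What the customer-side review UI emits after a human approves an action."""
    digest = action_digest(action)
    tag = hmac.new(key, f"{reviewer}:{digest}".encode(), "sha256").hexdigest()
    return {"reviewer": reviewer, "digest": digest, "tag": tag}


def wrap_output(payload: dict) -> dict:
    """Every delivered output carries the machine-readable disclaimer."""
    return {"disclaimer": dict(DISCLAIMER), "output": payload}


class Executor:
    def __init__(self, key: bytes = REVIEWER_KEY):
        self.key = key
        self.executed: List[dict] = []

    def _approved(self, action: dict, approval: Optional[dict]) -> bool:
        if not approval:
            return False
        expected = hmac.new(self.key, f"{approval['reviewer']}:{action_digest(action)}".encode(),
                            "sha256").hexdigest()
        # Constant-time compare. Recomputing over *this* action binds the
        # approval to the payload actually being executed.
        return hmac.compare_digest(expected, approval.get("tag", ""))

    def run(self, action: dict, approval: Optional[dict] = None) -> dict:
        if action["category"] in GATED and not self._approved(action, approval):
            raise ApprovalRequired(f"{action['category']} requires customer-side review")
        self.executed.append(action)  # stand-in for the real tool call
        return wrap_output({"status": "executed", "tool": action["tool"]})


def demo() -> dict:
    """Run constructed actions through the gate and report what happened."""
    ex = Executor()
    draft = {"tool": "draft_email", "category": "draft", "to": "ops@example.com"}
    prior_auth = {"tool": "submit_prior_auth", "category": "clinical_decision", "case": "case-001"}
    invoice = {"tool": "post_invoice", "category": "financial_transaction", "amount": 1250}
    out = {}

    def blocked(action: dict, approval: Optional[dict] = None) -> bool:
        try:
            ex.run(action, approval)
            return False
        except ApprovalRequired:
            return True

    out["ungated_runs"] = not blocked(draft)
    out["gated_blocked"] = blocked(prior_auth)
    out["approved_runs"] = not blocked(prior_auth, approve(prior_auth, "dr-smith"))
    out["replay_blocked"] = blocked(invoice, approve(prior_auth, "dr-smith"))   # wrong action
    out["tamper_blocked"] = blocked(dict(invoice, amount=9999), approve(invoice, "cfo"))
    out["disclaimer_present"] = ex.run(draft)["disclaimer"]["ai_generated"] is True
    return out


if __name__ == "__main__":
    print(demo())
```

The design point is that the reviewer's decision is bound to a digest of the full action, so the two usual bypasses, replaying an old approval and editing the payload after approval, both fail closed, and every delivered output, gated or not, carries the same disclaimer structure that downstream systems can check programmatically.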

Model evaluation & drift monitoring

  • Pre-deployment evaluation. Every customer-facing agent passes a per-archetype eval suite before deployment.
  • Continuous evaluation. Production agents are re-evaluated against frozen baselines on a weekly cadence. Drift outside acceptable ranges triggers automatic rollback.
  • Hallucination flagging. Outputs flagged for low confidence are routed to HITL review before delivery.
  • Customer feedback loops. Customers can flag specific outputs as incorrect; flags feed back into that customer's evaluation suite and tenant-scoped tuning data only, never into shared models (see "What LouDNAi will not do" below).

Bias & fairness

LouDNAi commits to ongoing bias review of agent outputs in regulated verticals (Healthcare, Financial, Legal). Customer-specific bias audits available on request for enterprise tier.

Model provenance

LouDNAi pins specific model versions in production. Model upgrades follow a canary release process: the candidate version serves 5% of traffic for 48 hours and is evaluated against the pinned baseline before full rollout. Customers may request model-version disclosure for any specific deployment.

What LouDNAi will not do

  • Use customer data to train shared models. Customer data is used only to serve that customer, never to improve a model that benefits other customers.
  • Provide medical, legal, or financial advice. LouDNAi is not a healthcare provider, law firm, or financial advisor. Outputs in regulated domains require licensed-professional review.
  • Deploy autonomous agents in life-safety contexts. No LouDNAi agent operates without HITL gates in any context where its action could directly affect physical safety.
/ 10

How to request documents

Procurement teams, security reviewers, and counsel can request the following documents. Each is provided under NDA where applicable, with typical turnaround of 1–5 business days.

Security questionnaire response

Pre-completed responses to common questionnaires (CAIQ, SIG, custom). Saves your team 2–4 hours.

Request →
SOC 2 Type 1 report

Available under NDA following audit issuance (target Q3 2026). Until then, a "letter of engagement" is available confirming audit-in-progress.

Request →
Penetration test report

Executive summary available under NDA following first pen test (target Q3 2026).

Request →
Business Associate Agreement (BAA)

Standard template available on request. Required before any PHI processing. Typical execution: 7–14 days.

Request →
Data Processing Agreement (DPA)

GDPR-grade default. Required before any production data transfer.

Request →
Sub-processor list (real-time)

Authoritative, current sub-processor list with BAA / DPA status.

View list →
Insurance certificates

Tech E&O + Cyber liability certificates available on request for enterprise customers.

Request →
Custom security review

Enterprise customers can request a 60-minute walkthrough with LouDNAi's Security & Compliance lead.

Schedule →
/ 11

Changelog

Material changes to this page are documented below. Customers are notified of changes via the customer portal and email.

April 2026 · v1
Initial publication. Establishes compliance posture across NVIDIA Inception, SOC 2 (in flight), HIPAA-ready architecture, BAA process, security controls, privacy & data residency, sub-processor disclosure, and responsible AI commitments.

Future changelog entries will document material posture changes — SOC 2 Type 1 issuance, sub-processor additions, control updates — with the date and a brief description of what changed.