Security you can verify.
Your SQL, code, and workflows are someone's intellectual property. Here's exactly what we do to earn the right to process it — no hand-waving, no buzzwords, just the controls we have live today and the ones we're actively working toward.
Our security principles
Four commitments that drive every technical decision we make — and that we'll fail a security review on if we break them.
Your data stays yours
We process artifacts to convert them, then deliver the result. Your source code is never used to train our models, never sold, never shared with third parties. Delete your account, delete your data — end of story.
Defense in depth
TLS 1.2+ everywhere. Encryption at rest via Google Cloud defaults (AES-256). Role-based access at every layer. Auth sessions expire idle after 30 minutes. Every privileged action is audit-logged with a SOC 2-aligned schema.
Least privilege, always
Services run with minimal IAM scopes. Engineers have no production data access by default. Admin actions require explicit elevation and are logged. Our own SSO is enforced internally — we eat our own dog food.
Transparency, not marketing
We don't claim certifications we don't have. Our live status page shows real uptime. Incidents are published openly. If we miss an SLO, you'll know before your CEO asks.
Controls — what's live today
Every security control we claim, with current status. "Live" means it's deployed and customers depend on it in production.
| Control | Status | Details |
|---|---|---|
| Data encryption at rest | LIVE | AES-256 via Google Cloud Storage + Firestore defaults. Customer-managed keys (CMEK) available on Enterprise by request. |
| Data encryption in transit | LIVE | TLS 1.2+ on all endpoints. HSTS enabled. Automatic certificate rotation via Google-managed certs. |
| Role-based access control | LIVE | Workspace-level roles: Owner / Editor / Viewer. Enforced at route level and in the service layer. |
| Audit log (SOC 2-aligned schema) | LIVE | Every privileged action written to audit_events with actor, subject, timestamp, IP, user-agent. CSV export for auditors. Categories map to SOC 2 CC6.x / CC7.x. |
| Google SSO | LIVE | OAuth 2.0 + OpenID Connect. Session-based, idle-timeout 30 min. No password storage on our side. |
| SAML 2.0 SSO | LIVE | Per-tenant federation with Microsoft Entra, Okta, Ping, ADFS. Enabled on Enterprise plan. |
| Magic-link email auth | LIVE | 6-digit one-shot codes, 30-minute expiry, SHA-256-hashed at rest, rate-limited per email. No passwords, no breach risk. |
| API bearer tokens | LIVE | Per-user tokens with scopes, rotation, revocation. SHA-256-hashed at rest. Max 5 active per user. |
| Cost guardrails + budget caps | LIVE | Daily LLM spend cap, preflight cost estimation, kill-switch on budget breach. Prevents runaway spend from a misconfigured batch. |
| Public status page + incident history | LIVE | Real-time component health + admin-curated incident timeline at /status. |
| Session idle timeout | LIVE | 30-minute idle timeout, server-enforced. Users re-authenticate after inactivity. |
| Data residency (region choice) | ROADMAP | Today: all data in us-central1. EU region on request for Enterprise; full self-serve region picker in the roadmap. |
| SOC 2 Type II attestation | ROADMAP | Controls are SOC 2-aligned today. Formal audit (Drata/Vanta + third-party auditor) begins when we hit revenue thresholds that justify the investment. Target: 2027. |
| Penetration testing | ROADMAP | Planned ahead of our first enterprise contract. Will publish a summary letter on this page once complete. |
| On-prem / private-VPC deployment | ON REQUEST | Docker-based private deployment available for Enterprise customers with data-sovereignty requirements. Contact sales. |
Sub-processors
Services we use to operate JarvisX. All process data under written agreements (DPAs) that bind them to the same security standards we commit to with you.
| Provider | Purpose | Data types |
|---|---|---|
| Google Cloud Platform | Compute, storage, database, identity | All customer artifacts + metadata |
| Anthropic (Claude) | Primary LLM for code/SQL conversion | Source artifacts during conversion (ephemeral, not retained by Anthropic per their enterprise DPA) |
| OpenAI | Fallback LLM | Source artifacts during conversion (subject to OpenAI API DPA) |
| Postmark / SendGrid | Transactional email delivery | Email addresses, sign-in codes, notification content |
| Stripe | Payment processing | Billing address, last-4 card digits (Stripe is PCI DSS Level 1) |
| Razorpay | Payment processing (INR) | Billing address, payment metadata |
This list changes when we add/remove vendors. Enterprise customers receive 30 days' notice of material changes.
Where we're going next
We publish our compliance roadmap because enterprise buyers deserve to know what's coming, not just what exists today.
SCIM provisioning
Automatic user lifecycle from Entra / Okta — provision and deprovision without a manual step.
Penetration test #1
Independent third-party pen test; summary letter published here.
ISO 27001 gap assessment
Pre-audit gap analysis ahead of a formal ISO 27001 certification path.
SOC 2 Type II attestation
Formal audit report available under NDA to enterprise customers.
CMEK / region pinning
Customer-managed encryption keys and EU region deployment for Enterprise.
On-prem / private VPC
Docker-based air-gapped deployment for data-sovereignty-constrained customers.
Incident response
When something breaks, here's how we handle it.
📢 Public status page
Real-time component health at gojarvisx.ai/status. Incidents are posted within 15 minutes of detection.
⏱ Breach notification
If a security incident affects your data, you'll hear from us within 72 hours as required by GDPR Art. 33 — direct email to the account owner, no dashboards to check.
🔍 Post-incident reviews
Every Sev-1 incident gets a public post-mortem within 7 days. No blame, just root cause + corrective actions. Published on the status page.
Agreements + legal
📄 Terms & Privacy
Our Terms of Service and Privacy Policy are written in plain English, not lawyer-speak.
🤝 DPA (Data Processing Agreement)
Standard DPA available to Enterprise customers — GDPR Art. 28 compliant, covers SCCs for cross-border transfers. Contact enterprise@gojarvisx.ai.
📋 Security review
Working through your security questionnaire? Start with our detailed security review → It answers most CAIQ / SIG Lite questions in one page.
Have a question we didn't answer?
Security teams, procurement, or compliance officers — we'd rather you ask than guess. We reply within one business day.
Last reviewed: April 2026. This page is versioned — material changes are announced to Enterprise customers 30 days in advance. For questions: security@gojarvisx.ai.