Security & Compliance Portal

Trust is our Foundation.

Our stateless architecture ensures client data remains secured within the cloud perimeter, never touching local hardware.

Stateless Endpoints

No client data is ever stored on local hardware. Laptops act as secure viewports connecting via encrypted SSH/HTTPS tunnels to cloud instances.

AI Governance

Strict guardrails for LLM usage. No client PII or proprietary data in prompts, model training disabled, and all AI-generated code is peer-reviewed before commit.

Cloud Isolation

Dedicated environments on AWS and IBM Cloud with logical separation. All production data processing and storage occurs exclusively within cloud instances.

Access Control

  • Least Privilege: Access restricted to authorized personnel only, scoped to role requirements.
  • MFA Enforced: Multi-Factor Authentication mandatory across all corporate accounts (AWS, IBM, GitHub, Google Workspace).
  • Centralized Identity: Managed @ventral.ai identities via Google Workspace with immediate revocation on offboarding.

AI Governance

  • Approved Tools: Gemini, Claude, and ChatGPT for code optimization. New tools require Founder approval.
  • No PII in Prompts: Client secrets and proprietary algorithms are never entered into AI assistants.
  • Training Disabled: "Improve Model" / "Data Training" settings disabled on all corporate AI accounts.

Compliance Status

We are actively building our compliance program toward formal certification. Contact us for our current security documentation.

SOC 2 Type 1 — In Preparation (Targeting 2026)
GDPR Readiness — In Progress
Security Policies — Published (v1.0)

Infrastructure & Encryption

Cloud-Native Architecture

  • All production data hosted on AWS and IBM Cloud
  • No physical data centers — inheriting AWS/IBM physical security controls
  • Local GPU workstations used strictly for internal R&D and synthetic data, logically isolated from production

Encryption Standards

  • In Transit: TLS 1.2 or higher for all data transmission
  • At Rest: AES-256 encryption for cloud storage (S3, RDS)
  • Endpoints: Full Disk Encryption (FileVault/BitLocker) enforced on all team laptops

Sub-processors

We review the SOC 2 and ISO reports of all critical vendors annually.

Entity | Service | Certifications
AWS | Infrastructure & Storage | SOC 2, ISO 27001
IBM Cloud | GPU Compute | SOC 2, ISO 27001
Google Workspace | Identity & Collaboration | SOC 2, ISO 27001
GitHub | Development & Version Control | SOC 2, ISO 27001
Slack | Client Communication | SOC 2, ISO 27001
Hostinger | Web Hosting | SOC 2, ISO 27001
Formspree | Form Processing | SOC 2 Type II

Request Security Packet

Get access to our detailed roadmap, internal policies, and sub-processor SOC 2 reports.

Form submissions are processed by Formspree (SOC 2 Type II certified).

Privacy Notice

Data We Collect

When you submit the "Request Security Packet" form, we collect your name and work email address solely for the purpose of responding to your request.

Lawful Basis for Processing

We process your personal data based on your explicit consent (GDPR Article 6(1)(a)), which you provide by checking the consent box on our form. You may withdraw consent at any time by emailing security@ventral.ai, without affecting the lawfulness of processing based on consent before its withdrawal.

How We Process It

Form submissions are processed by Formspree, a SOC 2 Type II certified form processing service. Data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Submitted data is forwarded to our Google Workspace (SOC 2, ISO 27001) email system. This website is hosted by Hostinger (SOC 2, ISO 27001). A complete list of our sub-processors is available in the Sub-processors section above.

Data Retention

We retain form submission data for 12 months from the date of your last interaction with us. After this period, your data is deleted from all our systems and sub-processors.

International Data Transfers

Your data may be transferred to and processed in countries outside the European Economic Area. We ensure appropriate safeguards through Standard Contractual Clauses (SCCs) with all sub-processors, including Formspree and Google Workspace.

Cookies & Tracking

This website does not set any cookies, use analytics, or employ tracking technologies. All resources (fonts, styles, scripts) are self-hosted — no data is transmitted to third-party CDNs when you visit this page.

Your Rights

Under GDPR, you have the right to: access your personal data, request rectification or erasure, restrict processing, object to processing, and data portability. To exercise any of these rights, contact us at security@ventral.ai. We will respond within 30 days.

You also have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is AZOP (Agencija za zastitu osobnih podataka), Zagreb, Croatia.

Data Controller

Ventral AI is the data controller for information collected through this page. For privacy inquiries: security@ventral.ai