Your compliance artifacts, in one place
Certifications, audit reports, DPA, subprocessor list, and data-handling practices. Most artifacts are available to enterprise customers within one business day after NDA.
Certifications and registrations
Validated by independent auditors and regulators.
SOC 2 Type II
Annual audit by an independent CPA firm. Covers security, availability, and confidentiality. Report under NDA.
ISO/IEC 27001:2022
Certified ISMS. Certificate renewed annually and published publicly.
KZ AI Law · GDPR
Compliance labels attached to every request. DPA with every enterprise customer.
Annual pentest
External pentest by an accredited firm. Scope and methodology under NDA, summary available to enterprise customers.
Artifacts
What we provide to enterprise customers and in what format.
| Artifact | Access | Format |
|---|---|---|
| SOC 2 Type II — annual report | Under NDA | PDF (150+ pages) |
| ISO/IEC 27001:2022 — certificate | Public | |
| ISO 27001 — statement of applicability | Under NDA | |
| Annual pentest — summary report | Under NDA | PDF + CVE list |
| Data Processing Agreement (DPA) | With contract | Word, digital signature |
| Subprocessor list | Public | JSON + RSS for change notices |
| Security overview pack | On request | PDF (architecture, processes, controls) |
| Penetration test — scope & methodology | Under NDA |
How we handle data
Short answers to the questions security teams ask most often.
Where is data physically stored?
In data centers inside Kazakhstan. Production, backups, logs, billing — all in-country. Cross-border transfer happens only when a customer explicitly picks a foreign model provider.
How long do you retain requests?
Prompt and completion content: 30 days for debugging and regulatory audit. Metadata (ID, tokens, cost): 5 years per tax law.
Do you use our data for training?
No. Never. We do not train models on customer data. Model providers are contractually bound not to use enterprise customer data for training.
Encryption?
TLS 1.3 in transit, AES-256 at rest. Keys managed via KMS with monthly rotation and an access audit log.
Subprocessors?
The full list is published publicly. Change notifications go to enterprise customers at least 30 days in advance.
Request the security pack
One email — and within a business day you'll have an NDA, DPA template, and access to the artifact repository.