Iedeo Trust Center
Everything an enterprise procurement, security, or compliance team needs to evaluate Iedeo: public, current, and machine-readable. Replaces the 40-question vendor security questionnaire most teams send us by email.
Security
Encryption, access controls, vulnerability disclosure, security.txt and our incident response process.
GDPR & UK GDPR
Article 28 DPA, sub-processor list, Schrems II SCCs, DSR handling, and EU AI Act alignment.
HIPAA Architecture
BAA, PHI minimization, encryption, access controls, and HIPAA-eligible LLM providers.
Data Residency
US, EU, UK, UAE, India and on-prem deployment options. Self-hosted LLM choices for sovereign workloads.
security.txt
RFC 9116 standard contact for responsible vulnerability disclosure.
Status Page
Real-time uptime monitoring for iedeo.com and key services.
Our trust principles
Least privilege by default
Every Iedeo system, person, and service has the narrowest access scope that satisfies its task.
Encryption in transit and at rest
TLS 1.3 for transit, AES-256 for storage, with customer-managed keys available on request.
Data residency as the customer requires
Deploy in US, EU, UK, UAE, India, or on-prem. Self-hosted LLMs available where external API providers cannot be used.
Tell the customer first
Suspected incident: 24-hour notification target to the affected controller, with full root-cause analysis within 7 days.
Documented, audit-ready
Every engagement ships with architecture diagrams, sub-processor lists, DPA / BAA, BCP / DR plan, and audit logs.
Right to walk away
You own source code, model weights, prompts, datasets. Migrate to another vendor any quarter.
Common procurement questions
Will you sign our MSA, NDA, DPA, BAA?
Yes to all four. We accept controller-supplied templates with 2-3 business days legal review, or we provide our own. We also sign SCCs for EU-to-India transfers, and the UK Addendum for UK-to-India transfers.
Are you SOC 2 certified?
Not yet. SOC 2 Type I is on the roadmap for mid-2026, Type II for early 2027. Our architecture aligns with Common Criteria controls today (encryption, access management, monitoring, change management, incident response) and we will share our control map on request.
Where will my data live?
Your choice. We deploy in US (us-east-1 / us-west-2), EU (Frankfurt / Ireland / Paris), UK (London), UAE (me-central-1), India (Mumbai / Hyderabad) or on-prem. See our data residency page for details by use case.
How do you handle penetration tests, audits and right-to-audit?
Annual external penetration test (next: Q3 2026). Quarterly internal vulnerability scans. Customer-requested audits are honoured per the MSA, typically annual on-prem visits for enterprise customers. Audit reports are shared under NDA.
What is your incident response timeline?
Detection to containment within 1 hour for confirmed incidents. Customer notification target: 24 hours for any incident potentially affecting their data. Full RCA delivered within 7 days. Detailed playbook available on request.
How is data returned or destroyed at contract end?
Per our MSA, customer data is returned (via secure export) or destroyed (with attestation) within 30 days of termination, unless retention is legally required. Audit logs retained for the legally required period and destroyed after.
Need something not on this page?
For procurement, security, or compliance enquiries, email [email protected]. We respond within 1 business day with the requested artifact or a meeting time.
Book a Trust Call