Pragence / Trust Center
Security & Trust

Trust, built in from day one.

Your security team will ask the questions. We've already answered them — with certifications, isolation by design, every answer auditable, and an option to run inside your own perimeter.

SOC 2 Type II · Annual
ISO 27001 · Certified
GDPR Compliant · DPA available
HIPAA BAA · On request

§01 Documentation

Everything your security team will ask for.

No gated forms. No multi-step requests. The things we can publish are downloadable below — the rest are an email away.

SOC 2 Type II report (PDF · 42 PP · APR 2026)
Latest annual audit. NDA required. [Request]

ISO 27001 certificate (PDF · 4 PP)
Public. Download direct. [Download]

Penetration test summary (PDF · 18 PP · MAR 2026)
Executive summary. Full report under NDA. [Download]

Data Processing Addendum (PDF · 14 PP)
Pre-signed template. Edit and counter-sign. [Download]

Sub-processor list (LIVE PAGE)
Updated quarterly. Subscribe for changes. [Open]

Vendor security questionnaire (XLSX · CAIQ + SIG-LITE)
Pre-filled. Saves your team a week. [Download]

§02 Defense in depth

Six layers of protection. Each one auditable.

01 · IDENTITY

MFA, SSO with Okta, Microsoft, and Google. Scoped API keys with rotation built in.

02 · NETWORK

TLS 1.3 in transit. Per-organization IP allow-listing. Private networking available for Enterprise.

03 · APPLICATION

Every request authenticated, authorized, and logged. Nothing happens without a paper trail.

04 · DATA

AES-256 at rest. Tenant isolation enforced at the database — not as an application check.

05 · OPERATIONS

Audit logs retained 90 days by default, longer on Enterprise. Every answer is re-runnable on demand.

06 · VENDOR

Sub-processor list published and updated quarterly. You can object to any change before it goes live.

§03 Audit trail

Every answer, fully accountable.

Six months later, your compliance team can replay any query — same sources, same answer. The example below is a real audit record.

trace_id · trc_8a9f47b2e1c0 replay · export · attest
timestamp  2026-04-28T14:32:08.412Z
actor      a.adesina@halberd · session sess_4e7…
workspace  halberd-prod
query      Q3 pricing changes for enterprise
retrieve   hybrid · 1,284 candidates · 60 reranked
sources    msa-2024-q4 (0.94) · pricing-memo (0.91) · rev-call-1129 (0.86)
model      gpt-4o-mini · 412ms · 1,189 tokens
response   "The Q3 amendment moved enterprise…"
status     ok · cite=true · guardrail=passed

§04 Sub-processors

Who sees what — and why.

Full transparency on every vendor in the path. Customer right of refusal on changes.

VENDOR      PURPOSE                        REGION                 DPA
AWS         Compute, storage, networking   us-east-1, eu-west-1
OpenAI      LLM inference (gpt-4o-mini)    US (no training)
Anthropic   LLM inference (optional)       US (no training)
Stripe      Payments processing            US, EU
Datadog     Observability                  US
Cloudflare  CDN, DDoS                      Global

Subscribe for sub-processor change notices · 30-day right of refusal on every Enterprise contract

§05 Common questions

Security FAQ

Where is data stored?

Production lives in AWS us-east-1 by default. EU-resident customers get eu-west-1. Self-hosted customers control their own region — we never touch the data.

Do you train models on our data?

No. Customer content never leaves your tenant for training. Our LLM providers are configured with training opted out, in writing.

What happens if a sub-processor changes?

We give 30 days' notice. Enterprise customers have a contractual right to refuse — we'll route around it or work out a custom path.

Can we run Pragence air-gapped?

Yes. We provide a Helm chart and reference deployment for Kubernetes. Some Enterprise customers run fully offline with internal models.

How do you handle a security incident?

On-call rotation, 30-minute customer comms SLA for confirmed incidents, public post-mortem within 14 days. We've published every one we've had.

Next steps

See it work on your knowledge.

30 minutes with a solutions engineer. Bring a real question your current tools couldn't answer — we'll wire up a connector and try it live.