Security & trust / the posture, in plain terms

Trust is a deliverable.

No borrowed badges and no vague claims. Where our compliance posture stands, what is in progress, and the data-handling rules we enforce in code on every engagement.

Trust snapshot / current status stated honestly

Compliance status

HIPAAPHI under signed BAAs
SOC 2in progress, report date
CMMCLevel 2 preparation
HostingFedRAMP-aligned paths
FrameworksNIST AI RMF · OMB M-25-21

Enforced in code

Policy gating Local-model routing Audit trails Replayable traces Scoped tool access Human sign-off

Model providers

Open-weight, self-hosted cloud providers, confirm list
// statuses are kept current; ask us to evidence any line on this page posture v1

Compliance

Where each program stands.

Buyers deserve status, not spin.

Compliant

HIPAA

PHI is handled under signed BAAs, with data flows designed to the HIPAA Security Rule. Clinical work does not start without the BAA.

In progress

SOC 2

SOC 2 controls in progress on dedicated infrastructure. Report available to customers on completion.

Preparing

CMMC Level 2

Preparing for controlled unclassified information on defense contracts, tracking the Phase 2 third-party assessment requirement that begins November 2026.

Aligned

FedRAMP-aware hosting

Federal workloads deploy on FedRAMP-authorized platforms and FedRAMP-aligned hosting paths. We do not resell authorizations we do not hold.

Data handling

Commitments we enforce in code.

These are not policy-binder promises. Each one is implemented as a technical control in the governed pipeline that runs every agent action. See the approach for how the pipeline works and how we evaluate for how we prove it.

C1

Sensitive data stays local

Routing is a policy decision, enforced in code. Protected inputs run on models inside your boundary and never reach a public API.

C2

Every action is traceable

Full trace on every agent decision: replayable, auditable, exportable. If we cannot explain it, it does not ship.

C3

You own the exit

Your data, your traces, your right to walk away with all of it. Portability is designed in, not negotiated later.

C4

Humans hold the pen

Where stakes are high, an accountable person signs off before an action takes effect. Autonomy is granted, never assumed.

Subprocessors & providers

Who touches the data.

Sensitive inputs default to open-weight models on infrastructure you control. Where policy allows cloud inference, we disclose the provider before the engagement starts, and the current provider and subprocessor list is available on request under NDA. Nothing routes anywhere undisclosed.

Ask us to prove it.

Auditors, contracting officers, and CISOs welcome. Send the questionnaire, and we respond with evidence, not adjectives.

Request evidence
security: build@theanigroup.com
contracts: contracts@theanigroup.com