Procurement-ready on day one.
The enterprises we work with run rigorous diligence reviews. Our security, governance, and compliance posture is documented for that conversation — data ownership, encryption, access control, incident response, audit trails, and references on request. HIPAA and BAA available for regulated workloads.
Your data stays yours
Systems run in your environment under your controls by default. We don't train external models on your data. Hosted workloads sit in isolated, customer-specific tenants.
Auditable by design
Evaluation suites, human approval gates on anything irreversible, hard cost caps, and an immutable decision log on every system we operate. Humans stay in control.
At rest + in transit
AES-256 at rest, TLS 1.3 in transit. KMS-managed encryption keys. Customer-specific tenants for sensitive workloads.
Least-privilege, MFA on everything
Role-based access on production, MFA required for every internal account, time-bound credentials for vendor sub-processors.
Tiered, time-bound, transparent
Sev 1 / Sev 2 escalate to founders within 30 minutes. Customer notification within 60. Post-incident report within 5 business days.
Type II in progress
Audit window opens later this year. In-progress program documentation shareable under NDA — controls inventory, risk register, runbook.
HIPAA program + BAA
For engagements involving PHI, we run a documented HIPAA program and sign a BAA — the discipline behind our payer-grade health-plan platform, available where the work requires it.
What procurement teams ask, with our actual answers.

Diligence pack on request.
BAA, DPA, sub-processor list, in-progress SOC 2 documentation, most recent penetration test report (under NDA), and customer references. Email security@valuecreatives.com or book a working session.