SentientWeb

Trust & security

SentientWeb is designed for teams that handle sensitive business requests and customer data. We treat security and compliance as product requirements, not an afterthought.

SOC 2 Type II status

SentientWeb is not currently SOC 2 certified. Security-conscious customers can review the control areas, data flow, subprocessors, retention expectations, and human-handoff rules before a production deployment. Where appropriate, trust materials can be shared under NDA during procurement review.

Until a report is issued, do not treat this page as a SOC 2 attestation. We use it to describe the operating controls and security posture customers should review before production deployment.

Data handling & infrastructure

Customer content processed through SentientWeb, including request transcripts, configuration, and knowledge sources you connect, is handled with contracts and technical controls appropriate to a subscription-business software provider. We use modern encryption for data in transit, protect data at rest with industry-standard mechanisms, and limit internal access to what is required for support and operations.

We rely on reputable cloud and AI infrastructure providers for hosting, databases, and model inference. We evaluate subprocessors for security posture and contractual commitments; the current vendor evidence register is maintained in our compliance records and must be validated before production deployment.

Procurement gates for regulated buyers

Security-conscious teams should treat trust review as a pilot gate, not a surprise after launch. Before SentientWeb touches sensitive production pages, customers can request a vendor questionnaire response, subprocessor summary, data-flow review, retention review, and the exact human-handoff rules for high-risk questions.

Healthcare and regulated deployments require extra scoping. SentientWeb is not currently offering a blanket BAA for every pilot. HIPAA-aligned content handling may be available for scoped deployments after legal and security review. If your use case could involve PHI or similarly regulated data, the pilot should be limited to approved website content, non-PHI demo qualification, and human escalation until a signed BAA or equivalent legal path is in place.

Access, logging & incident response

Administrative access to production systems is restricted, authenticated, and logged. We maintain procedures for security incident identification, containment, and customer notification where required by law or contract. We welcome responsible disclosure of vulnerabilities and will work with researchers in good faith.

Your responsibilities

Security is shared. You are responsible for safeguarding your accounts, API keys, and integration credentials; for configuring routing and retention in line with your policies; and for ensuring that content you connect to the product complies with applicable regulations (including privacy and industry-specific rules). We provide tools and documentation to help you deploy safely; your legal and compliance teams should review fit for your jurisdiction and use case.

Questions & questionnaires

For security reviews, vendor questionnaires, or SOC 2-related questions, contact us at songday@sentientwebsite.com. We are happy to work with procurement and InfoSec teams before production launch.

This page describes our security posture and intentions at a high level and is not a legal contract or guarantee of specific certification dates. Commitments in your order form or MSA take precedence.