Privacy & Security
How ramAIn protects your data, the certifications we hold, and the controls behind every workflow that runs on your behalf.
Foundation — audited, encrypted, yours alone
ramAIn is built for regulated work — insurance, healthcare, finance. Every control is documented, every sub-processor disclosed, every customer's data isolated. Your workflows never train our models.
Independently audited
SOC 2 Type 1 attested and ISO 27001:2022 certified. HIPAA & GDPR aligned end-to-end.
Encrypted everywhere
TLS 1.2+ in transit, AES-256 at rest. Managed keys, regular rotation.
No model training
Customer content is never used to train general-purpose AI models. Contractual zero-retention with our inference sub-processors.
Customer-controlled deployment
Multi-tenant SaaS or Private VPC — your environment, your keys, your network.
Certifications — two attestations, four frameworks aligned
SOC 2 Type 1
Independent auditor's report on Security, Availability & Confidentiality. As of 16 Jan 2026. Type 2 due 1st week May 2026.
ISO 27001:2022
Information Security Management System certified by Intercert Inc. against the latest 2022 standard. Cert · A2512187. Initial certification.
HIPAA & GDPR aligned
BAA available for covered entities. EU SCCs, UK IDTA and India DPDPA terms baked into our DPA.
Aligned regulatory frameworks
- CCPA / CPRA — California consumer privacy rights honored: access, delete, correct, opt-out.
- UK GDPR — UK International Data Transfer Addendum executed alongside EU SCCs.
- India DPDPA 2023 — Cross-border transfer terms for India's Digital Personal Data Protection Act.
- EU SCCs (2021/914) — Module Two Controller-to-Processor clauses incorporated by reference. Executed.
01 / Independent audits
Two third-party attestations covering controls, processes and the design of our information security management system.
SOC 2 Type 1 — Security, Availability & Confidentiality
| Field | Value |
|---|---|
| Standard | TSP 100 (2017) |
| Description criteria | DC 200 (2018) |
| Scope | Cloud-hosted application |
| Subservice orgs | AWS · GCP |
| Report date | As of January 16, 2026 |
What's in scope. An independent service auditor examined the description of our system and the suitability of the design of controls supporting our service commitments.
- Security — logical access, encryption, network controls, and protection of system resources.
- Availability — operational uptime, monitoring, backup and recovery procedures.
- Confidentiality — information designated as confidential is protected during processing, transmission and storage.
- Annual risk assessment & ongoing monitoring — documented control activities, monitoring, and corrective-action tracking across the organization.
ISO 27001:2022 — twenty-seven policies, audited end-to-end
| Field | Value |
|---|---|
| Auditor | Intercert Inc. |
| Application | Initial certification |
| SOA version | v1.0 |
| Evidence platform | Sprinto |
| Report | A2512187 · Intercert |
What was audited. Conformity of our ISMS to ISO 27001:2022, the design of our risk treatment plan, and the implementation and effectiveness of selected controls.
- Risk & access management — Risk Management, Acceptable Usage, and Access Control policies + procedures.
- Asset, data & encryption controls — Asset Management, Data Classification, Data Retention, and Encryption policies.
- Network & endpoint security — Communications & Network Security, Endpoint Security, and Operations Security procedures.
- Resilience & incident response — Business Continuity & Disaster Recovery, Incident Management, and Data Breach Notification policies.
Built for regulated industries
HIPAA — US healthcare
For covered entities and business associates handling PHI. ramAIn signs a Business Associate Agreement on request, with administrative, physical and technical safeguards mapped to the HIPAA Security Rule. RBAC + MFA on all PHI-touching systems. Dedicated PHI breach notification procedure (SPR-PHI-DBNP).
GDPR — EU / UK / India
EU Regulation 2016/679, UK GDPR and India's DPDPA 2023. Customers act as Controllers; ramAIn is the Processor and never uses Personal Data for its own commercial purposes or model training without express written consent. DPA executed alongside the MSA. Transfers covered by EU SCCs (Module Two) + UK IDTA. DPO contact privacy@ramain.ai.
02 / Secure by architecture
Privacy isn't a setting; it's how the platform is wired. Encryption, isolation and zero-retention are the defaults — not the upgrades.
Customer content stays in your tenant. Inference traffic is transient. We don't train on your data. Every workflow runs in an isolated cloud browser session tied to your organization. Outputs are persisted in your tenant's encrypted storage. AI calls leave the tenant only for the duration of an inference, under contractual zero-retention.
Zone A — Customer Tenant. Workflows, sessions, traces, secrets. Encrypted at rest with AES-256, RBAC + MFA, logical isolation. Each customer's workflows, sessions and storage are logically partitioned. RBAC enforces who in your org sees what.
Zone B — ramAIn Control Plane. Orchestrator · executor · audit log. SOC 2 controls, VPC + private subnets, centralised logging. Connection from Zone A is over TLS 1.2+.
Zone C — Inference (transient). AWS Bedrock · GCP Vertex. No retention. No training. Volatile memory only. Only the snippets of input needed to generate a response leave the tenant — and only for as long as that response takes. Connection from Zone B is over TLS 1.2+ with contracted zero-retention.
03 / Schedule 2 TOMs — eight control families, one DPA
The eight families of Technical & Organisational Measures documented in Schedule 2 of our DPA — covering access, encryption, resilience, people and vendors. Reviewed and updated periodically against current security best practice. Contractually binding: Schedule 2 is part of every customer DPA, and equivalent terms are flowed down to every sub-processor.
A · Access control
RBAC, need-to-know access. MFA on all Personal Data systems. PAM for administrative accounts.
B · Data encryption
TLS 1.2+ in transit. AES-256 at rest. Managed keys with rotation.
C · Physical security
AWS & GCP datacentre controls. SOC 2 / ISO 27001 sub-processors. Restricted on-prem access.
D · Availability & resilience
Automated, tested backups. BCP & DR plans, reviewed annually. Infrastructure monitoring & alerting.
E · Incident response
Documented IR & breach procedures. security@ramain.ai 24/7. Post-incident review & tracking.
F · Data minimisation & retention
Minimisation by design. Per-category retention periods. Automated deletion & anonymisation.
G · Personnel & training
Confidentiality obligations. Security training onboarding + annual. Background checks where lawful.
H · Vendor management
Sub-processor due diligence. Contracts equivalent to our DPA. Public list at ramain.ai/subprocessors.
04 / Sub-processors & transfers
A short, fully-disclosed list of vendors — and the legal mechanisms under which Personal Data crosses borders.
Six sub-processors, fully disclosed
Schedule 3 · approved sub-processors. Updated public register at ramain.ai/subprocessors.
| Sub-processor | Purpose | Region | Transfer mechanism |
|---|---|---|---|
| Google Cloud Platform | Cloud infrastructure and transient AI / LLM inference for the orchestrator and executor. | USA · Global | SCCs / DPF |
| Amazon Web Services | Hosting, infrastructure, and AI / LLM inference. Bedrock for Claude-family inference. | USA · Global | SCCs / DPF |
| Stripe, Inc. | Billing and payment processing. PCI DSS Level 1 service provider. | USA | SCCs |
| Supabase, Inc. | Managed Postgres database services for application metadata and tenant storage. | USA | SCCs |
| Sprinto Technologies | GRC compliance platform — automated evidence collection and continuous control monitoring. | USA / India | SCCs / DPDPA |
| Intercert | Independent ISO 27001:2022 audit and certification services. | India | DPDPA rules |
Lawful international transfers, by region
EEA — EU Standard Contractual Clauses
Commission Implementing Decision (EU) 2021/914 — Module Two: Controller-to-Processor — incorporated into our DPA. Annexes I–III pre-completed in Schedules 1, 2 & 3. Governed by laws of Ireland.
United Kingdom — UK IDTA
The ICO's International Data Transfer Addendum executed as a standalone addendum referencing the Approved EU SCCs. Applies to any transfer of Personal Data from the UK under the UK GDPR.
India — DPDPA 2023
Cross-border transfers of Personal Data of Indian Data Principals conducted in compliance with the Digital Personal Data Protection Act and any applicable Central Government rules.
05 / Operations & deployment
What happens when something goes wrong — and the deployment options for teams that need a tighter perimeter than multi-tenant SaaS.
Incident response — breach notification on the clock
Primary contact — security@ramain.ai · privacy@ramain.ai. Specialised procedures: PHI Data Breach Notification (SPR-PHI-DBNP) and Data Breach Notification (SPR-DBNP). Regulator: customer's lead Supervisory Authority — assistance per DPA Clause 8.
T+0 — Detect. Incident detected. Monitoring & alerting fires. Designated security contact engaged. Incident Management Procedure (SPR-IMP) starts. Audit log opens.
≤ 24h — Triage. Scope & classify. Security team determines whether Personal Data is implicated, identifies affected tenants, and contains the issue. Initial classification recorded.
≤ 72h — Notify. Customer notification. Affected Controllers notified without undue delay, as GDPR Art. 33(2) requires of a Processor, and in any case within 72 hours, with all Art. 33(3) detail then known (nature of the breach, categories and approximate numbers of data subjects and records, likely consequences, measures taken). Note that the Controller's own 72-hour clock for notifying its Supervisory Authority under Art. 33(1) starts when the Controller becomes aware, so earlier notice is the goal, not the ceiling. DBNP / PHI-DBNP triggered.
Post — Review. Remediate & learn. Post-incident review. Corrective actions tracked to closure. Updates landed in policies, controls, or sub-processor terms as needed. Closure evidence retained.
Customer rights — audit, inspect, delete
Everything you need to satisfy your own regulators, customers and auditors — without bespoke contract negotiations.
| For your security & compliance team | Detail |
|---|---|
| SOC 2 report | Type 1 available under NDA · Type 2 due 1st week May 2026 |
| ISO 27001 cert | Certificate & SOA on request |
| Audit rights | Annual right of audit per DPA Clause 11 · third-party reports satisfy by default |
| Pen tests | Annual third-party penetration testing · summary available under NDA |
| Vulnerability disclosure | security@ramain.ai · responsible disclosure process |
| For your data subjects | Detail |
|---|---|
| Access & portability | Export tenant data on request |
| Rectification | Edit or correct stored content via portal or API |
| Erasure | Deletion within contractual SLA · automated for retention-expired data |
| Objection & restriction | Pause processing on Controller instruction |
| No automated decisions | ramAIn drafts & suggests; humans approve consequential actions |
Deployment — pick the perimeter that fits
Standard — multi-tenant SaaS
Cloud Portal. Run on ramAIn's audited multi-tenant infrastructure: edge → app → data → AI, with row-level tenant isolation, KMS-managed keys and CloudWatch monitoring across regions. Hosted by ramAIn on AWS (US-East primary + DR region with cross-region encryption & replication). SOC 2 & ISO 27001 inherited. Row-level security plus tenant-scoped S3 / Postgres / Redis.
Enterprise — on-prem / Private VPC
On-prem offered. Same architecture, deployed inside your own AWS, GCP, Azure or on-prem environment. Customer-controlled infrastructure is not a sub-processor of ramAIn — your network, your keys, your audit trail.
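The row-level tenant isolation described for the Standard deployment above (and the logical partitioning of Zone A) is a control a customer's security team will want to see enforced in the database, not only in application code. The following is an added illustration of how Postgres row-level security can enforce a per-tenant boundary; it is not ramAIn's schema or code, and the table, role and setting names (`workflows`, `app_user`, `app.tenant_id`) are assumptions made for the example.

```sql
-- Added example (not ramAIn's schema): Postgres row-level security for tenant isolation.
-- Assumes PostgreSQL 13+ (gen_random_uuid() is built in) and that the session running
-- this script is a superuser or a member of the hypothetical app_user role.

CREATE TABLE workflows (
  id         uuid PRIMARY KEY DEFAULT gen_random_uuid(),
  tenant_id  uuid NOT NULL,
  name       text NOT NULL,
  created_at timestamptz NOT NULL DEFAULT now()
);

-- Application role used by the web/API tier. It is deliberately not the table owner.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON workflows TO app_user;

-- Turn RLS on and make it apply to the table owner as well; without FORCE the owner
-- (and any superuser or BYPASSRLS role) would silently read every tenant's rows.
ALTER TABLE workflows ENABLE ROW LEVEL SECURITY;
ALTER TABLE workflows FORCE  ROW LEVEL SECURITY;

-- The tenant for the current request is carried in a transaction-local setting.
-- NULLIF guards the case where the setting exists but is empty; casting '' to uuid
-- would otherwise raise an error instead of returning no rows.
CREATE POLICY tenant_isolation ON workflows
  FOR ALL TO app_user
  USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
  WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Sanity check a reviewer can run: both flags must be true.
SELECT relrowsecurity, relforcerowsecurity
FROM   pg_class
WHERE  relname = 'workflows';

-- Per-request pattern: bind the tenant inside the transaction so it cannot leak into
-- the next request on a pooled connection (SET LOCAL is reset at COMMIT/ROLLBACK).
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';

INSERT INTO workflows (tenant_id, name)
VALUES ('11111111-1111-1111-1111-111111111111', 'claims-intake');

-- Returns only tenant 1111...'s rows, whatever else is in the table.
SELECT id, name FROM workflows;

-- Writing a row for another tenant is rejected by WITH CHECK:
-- ERROR:  new row violates row-level security policy for table "workflows"
-- INSERT INTO workflows (tenant_id, name)
-- VALUES ('22222222-2222-2222-2222-222222222222', 'not-my-tenant');
COMMIT;

-- Failure mode worth testing: no tenant context at all. current_setting(..., true)
-- returns NULL, the comparison is NULL, and the policy admits zero rows rather than all.
BEGIN;
SET LOCAL ROLE app_user;
SELECT count(*) AS visible_without_context FROM workflows;  -- 0
ROLLBACK;
```

The two things to verify during diligence are that `relforcerowsecurity` is true (otherwise the owning role bypasses the policy) and that the application connects as a role without `BYPASSRLS`; a policy that is merely enabled but not forced, or a connection string using the table owner, gives the appearance of isolation without the substance.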
Diligence, without the friction.
- Security team — security@ramain.ai
- Privacy & DPA — privacy@ramain.ai
- Trust portal — trust.ramain.ai · SOC 2 reports, ISO 27001 cert, sub-processor list, DPA & security whitepaper