# Perathos Security Packet

Perathos is an early-stage startup. This packet is intended for enterprise evaluation and procurement review. Perathos does not claim SOC 1, SOC 2, ISO 27001, HIPAA, FedRAMP, or other formal certification unless a completed audit or formal program exists.

## Company Overview

Perathos provides AI verification middleware for teams evaluating high-stakes AI workflows. Public trust information is intentionally conservative: current controls, limitations, and planned controls are separated.

## Architecture Summary

```text
Customer application
  -> Perathos API or workflow entry point
  -> configured verification flow
  -> verdict and evidence reference returned to customer workflow
```

The exact hosting provider, model provider, data retention, and subprocessor list are confirmed per deployment.

## Data Flow Diagram

```text
Customer request/response data
  -> scoped processing for verification
  -> operational logs and evidence fields where configured
  -> retention/deletion according to customer agreement and deployment design
```

## Access Control Model

Access is based on least privilege and business need. Customer workspace administration, user removal, and role controls should be demonstrated from the live product before being used as procurement evidence.

## Logging Model

Operational logging and run history are expected control areas. Logs, timestamps, metrics, and errors should be shown from the product environment in scope before being treated as live audit evidence.

## Retention Model

Retention should be defined by data type, customer agreement, and operational need. Perathos should avoid retaining customer content longer than needed for service delivery, support, security, or legal obligations.

## Incident Response Summary

Perathos uses a lightweight incident flow: identify, contain, investigate, recover, communicate, and document corrective actions. Customer notification terms should be agreed in the contract or pilot terms.

## Current Public Controls

### Security contact path

Status: current

Security inquiries can be submitted through the site contact flow. A dedicated security mailbox is planned and will be published once it is operationally configured.

Evidence: Public /security-contact route and security.txt contact URL.

### No false certifications

Status: current

Perathos does not claim SOC 1, SOC 2, ISO 27001, HIPAA, or FedRAMP certification without a completed audit or formal program.

Evidence: Public trust center and automated claim scanner.

### Security questionnaire

Status: current

A ready-to-paste questionnaire helper is available with direct answers, limitations, and planned controls.

Evidence: Public questionnaire page and generated markdown.

### Responsible AI policy

Status: current

The public policy explains how AI should be used in development and operations without exposing secrets or customer data.

Evidence: Public responsible AI page.

### Incident response summary

Status: current

A lightweight incident response framework is published with triage, containment, recovery, and customer communication expectations.

Evidence: Public incident response page and issue template.

### Security packet

Status: current

A lightweight security packet is available as a page section and generated markdown download for procurement review.

Evidence: Generated public/security-packet.md.

## Security Control Areas

### Access control

Current: Least privilege is the required operating principle. Product-specific workspace access controls should be shown from the live deployment before being used as evidence.

Planned: Document role matrix, access review cadence, and customer workspace administration evidence.

### Secrets and authentication

Current: Secrets must not be committed to source code or shared in documents. This page does not claim write-only secret storage (secrets unreadable after creation) or API key expiration unless demonstrated in the customer environment.

Planned: Publish evidence for API key expiration, secret creation behavior, and credential rotation once verified.

### Logging and auditability

Current: Operational logs should support investigation and procurement review. This page does not claim complete run history evidence unless the deployment shows it.

Planned: Document run logs, timestamps, metrics, errors, manual execution events, and alert behavior for each production deployment.

### Data protection

Current: Data handling is scoped by customer agreement and deployment design. Column anonymization is not represented as active unless demonstrated.

Planned: Publish the supported anonymization, retention, deletion, and export controls for the production product.

## Responsible AI Rules

### Customer data is not training data by default

Perathos should not train models on customer data unless explicitly agreed in writing and technically supported in the deployment.

### Restricted data stays out of unapproved AI tools

Secrets, credentials, regulated data, private customer content, and production exports should not be entered into unapproved AI tools.

### Human review remains required

AI-assisted code, documentation, and operational outputs require human review before production or customer use.

### Limitations are disclosed

If a model provider, product mode, or deployment cannot technically enforce a requested restriction, that limitation should be disclosed before production use.

## Procurement FAQ

### Are you SOC 1 or SOC 2 certified?

No. Perathos does not currently claim SOC 1 or SOC 2 certification. We are building a control roadmap and will pursue formal audit readiness as customer scale and audit scope justify it.

### Do you support customer isolation?

Customer isolation should be implemented through tenant scoping and least-privilege access. Dedicated or stronger isolation patterns can be planned for enterprise deployments when required.

### What is your retention policy?

Retention should be defined by data type, customer agreement, and operational need. Perathos should avoid retaining customer content longer than needed for service delivery, support, security, or legal obligations.

### Do you train AI models on customer data?

Perathos should not train models on customer data unless explicitly agreed in writing. If model training or vendor improvement is not technically disabled in a specific environment, that limitation must be disclosed before production use.