Regulated AI Security, Governance & Compliance

Security, auditability, and regulatory alignment are foundational to how we build — not capabilities added later. This page documents our security controls, compliance frameworks, AI governance practices, and the diligence materials available to qualified organisations evaluating Sense7ai as a vendor.

Built for financial services, regulated pharma, and healthcare — where trust, traceability, and accountability are non-negotiable. Built for inspection day, not demo day.

Our approach

Production-grade security, governance, and operational trust.

Sense7ai was built from the ground up for regulated enterprises. Every deployment incorporates:

Production-grade security controls
Comprehensive audit logging
Human oversight mechanisms
Operational resilience practices
Structured AI governance
Transparent vendor and sub-processor management

Our architecture and governance practices align with established industry frameworks and evolving expectations around AI risk management, cybersecurity, and third-party oversight.

Security programme

Security programme and independent assessments.

01. Independent Assessments

Our security posture is validated through regular independent testing and ongoing operational controls.

  • Annual third-party application and infrastructure penetration testing
  • Continuous vulnerability management using industry-standard frameworks
  • Security monitoring, alerting, and incident response procedures
  • Periodic access control and configuration reviews

02. Audit & Documentation Availability

Qualified organisations may request applicable diligence documentation under NDA, including:

  • Security policies
  • Penetration testing and assessment summaries
  • AI governance documentation
  • Business continuity and disaster recovery documentation
  • Vendor and sub-processor disclosures

Compliance & governance alignment

Our practices are designed to support customer compliance initiatives across these regulated verticals.

Regulated Pharma
  • FDA 21 CFR Part 11 electronic records and electronic signatures
  • EU GMP Annex 11 computerised systems guidance
  • ICH Q9 quality risk management principles
  • NIST AI Risk Management Framework (AI RMF)
See the Verixa case study →

Healthcare & Privacy
  • HIPAA security requirements
  • HITECH breach notification requirements
  • GDPR and CCPA privacy considerations
  • CMS and NABH operational standards
See our healthcare approach →

Financial Services
  • GLBA Safeguards Rule
  • FFIEC third-party risk expectations
  • FHFA information security guidance
  • SR 11-7 model risk management principles
See financial services approach →

Controls

Security and AI controls.

Every Sense7ai deployment includes the following security, access, monitoring, and AI governance controls as standard.

01. Data Protection

How customer data is stored, transmitted, and isolated.

Encryption at rest using industry-standard practices
Encryption in transit using modern TLS protocols
Logical tenant isolation and data segregation
Configurable deployment and data residency options

02. Identity & Access Management

How access to systems and data is controlled and reviewed.

Role-Based Access Control (RBAC) with least-privilege enforcement
Multi-Factor Authentication (MFA) for privileged systems
Controlled administrative access workflows
Access logging and review procedures

03. Security Monitoring & Response

Continuous visibility across systems with structured response procedures.

Centralised security monitoring, alerting, and threat detection
Tamper-evident audit logging
Incident response and escalation procedures
Business continuity and disaster recovery processes

04. AI Governance & Oversight

How AI model behaviour, outputs, and decisions are governed and traced.

Model inventory, version tracking, and drift monitoring
Human-in-the-loop review for material workflows
AI output validation, explainability, and traceability
Audit trails for AI-assisted decisions
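The "Tamper-evident audit logging" and "Audit trails for AI-assisted decisions" controls above name a property rather than a mechanism. The following is an added example, not Sense7ai's code, showing one common way to obtain that property: every structured record commits to the SHA-256 of its predecessor (so editing, deleting or reordering a record breaks the chain at that point), and an HMAC seal over the chain head is held out of band so that a log an attacker has quietly rewritten and re-chained, or truncated, is still detectable. The event fields, workflow name and seal key are constructed for illustration and are not a real schema.

```python
"""Hash-chained, tamper-evident audit log for AI-assisted workflow events.

Added illustration (not Sense7ai's implementation). Field names, sample
events and the seal key below are constructed for the example.
"""
import copy
import hashlib
import hmac
import json
from typing import List, Optional

GENESIS = "0" * 64  # prev-hash value carried by the first record


def canonical(record: dict) -> bytes:
    # Fixed key order and separators so the same record always hashes the same.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def record_hash(record: dict) -> str:
    # Hash over every field except the record's own hash.
    body = {k: v for k, v in record.items() if k != "hash"}
    return hashlib.sha256(canonical(body)).hexdigest()


class AuditLog:
    """Append-only log; each record commits to its predecessor's hash."""

    def __init__(self) -> None:
        self.records: List[dict] = []

    def append(self, event: dict) -> dict:
        prev = self.records[-1]["hash"] if self.records else GENESIS
        # System fields are written last so an event cannot override them.
        rec = {**event, "seq": len(self.records), "prev": prev}
        rec["hash"] = record_hash(rec)
        self.records.append(rec)
        return rec

    def head(self) -> str:
        return self.records[-1]["hash"] if self.records else GENESIS

    def seal(self, key: bytes) -> str:
        # HMAC over the head hash, to be stored away from the log itself
        # (e.g. handed to an auditor or a separate system at checkpoint time).
        return hmac.new(key, self.head().encode(), "sha256").hexdigest()


def verify_chain(records: List[dict]) -> Optional[int]:
    """Position of the first record whose sequence, back-link or hash is wrong,
    or None when every record is intact."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec.get("seq") != i or rec.get("prev") != prev:
            return i
        if rec.get("hash") != record_hash(rec):
            return i
        prev = rec["hash"]
    return None


def verify_seal(records: List[dict], key: bytes, expected: str) -> bool:
    """True when the chain head matches the out-of-band seal."""
    head = records[-1]["hash"] if records else GENESIS
    actual = hmac.new(key, head.encode(), "sha256").hexdigest()
    return hmac.compare_digest(actual, expected)


def tampered_copy(records: List[dict], idx: int, changes: dict,
                  rechain: bool = False) -> List[dict]:
    """Edit record idx on a copy. With rechain=True the hashes from idx onward
    are recomputed, as an attacker with write access to the log would do."""
    out = copy.deepcopy(records)
    out[idx].update(changes)
    if rechain:
        prev = out[idx - 1]["hash"] if idx else GENESIS
        for rec in out[idx:]:
            rec["prev"] = prev
            rec["hash"] = record_hash(rec)
            prev = rec["hash"]
    return out


def build_sample_log() -> AuditLog:
    # Constructed events for one AI-assisted review: input, model output,
    # human decision. Inputs are referenced by hash rather than copied in.
    log = AuditLog()
    log.append({"event": "input", "workflow": "claim-review", "doc_id": "DOC-001",
                "input_sha256": hashlib.sha256(b"claim text").hexdigest()})
    log.append({"event": "model_output", "model": "classifier", "version": "1.4.2",
                "output": "approve", "confidence": 0.91})
    log.append({"event": "human_review", "reviewer": "analyst-17",
                "decision": "reject", "reason": "missing signature"})
    return log


if __name__ == "__main__":
    log = build_sample_log()
    key = b"constructed-seal-key"
    seal = log.seal(key)
    print("intact chain:", verify_chain(log.records), verify_seal(log.records, key, seal))
    edited = tampered_copy(log.records, 1, {"output": "reject"})
    print("edited output breaks chain at:", verify_chain(edited))
    rechained = tampered_copy(log.records, 1, {"output": "reject"}, rechain=True)
    print("re-chained edit passes chain check:", verify_chain(rechained) is None,
          "but fails seal:", not verify_seal(rechained, key, seal))
```

The chain alone detects in-place edits and deletions in the middle of the log, but not truncation from the end or a full re-chain by someone who can rewrite the file; the seal (or, equivalently, periodically publishing the head hash to a write-once store) is what closes those two gaps, which is why the two checks are kept separate.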

Customer data protection

Sense7ai does not use customer data for model training or fine-tuning without explicit written authorisation and a documented approval process.

Supply chain

Sub-processors and supply chain transparency.

We maintain an inventory of material sub-processors and infrastructure dependencies, and make applicable disclosures available to qualified organisations as part of vendor diligence.

Lifecycle

How sub-processors are managed

  1. Inventory: All material sub-processors and infrastructure dependencies are catalogued and maintained.
  2. Risk & security review: Each provider is evaluated through internal risk and security review processes.
  3. Role-based oversight: Controls are scoped to each provider's role within service delivery.
  4. Customer transparency: Applicable disclosures are available to qualified organisations on request.

Transparency

Available to qualified organisations

Where applicable, qualified customers may request:

  • Sub-processor disclosures: A list of material sub-processors supporting customer environments.
  • Data processing information: Details on how and where customer data is processed within the service.
  • Vendor oversight documentation: Summaries of how providers are reviewed, scoped, and monitored.
  • Security and governance summaries: Overviews of the applicable security and governance controls.

Diligence

Diligence and procurement reviews.

We support customer-led security and procurement reviews as part of regulated vendor onboarding. The following documentation is available to qualified organisations under NDA.

Standard vendor documentation
  • Security policies and assessment summaries
  • Data Processing Agreements (DPAs)
  • Business continuity and disaster recovery overviews
  • Sub-processor disclosures
  • Risk management documentation
AI vendor documentation
  • AI governance documentation
  • AI model risk documentation
  • Data retention and deletion policies
  • Model training and data usage policies
  • AI incident and model failure response procedures

These represent the most commonly requested documents in regulated vendor diligence reviews. Additional documentation may be available depending on your organisation's specific compliance requirements and engagement scope.

Frequently asked questions

Is Sense7ai SOC 2 compliant?
Not yet. Sense7ai does not currently hold a SOC 2 Type II report or ISO/IEC 27001:2022 certification. Both are on our compliance roadmap, with readiness planning underway and the audits targeted to begin within the next few quarters. In the interim, our information security, data privacy, incident management, and cloud security policies are mapped to the SOC 2 Trust Services Criteria, ISO/IEC 27001:2022 Annex A, NIST CSF 2.0, the GLBA Safeguards Rule, and FFIEC IT Examination Handbook expectations; this mapping is an internal self-assessment rather than an independent attestation, and the full policy set is available under NDA.
How do we access your security and diligence documentation?
Security and diligence documentation is shared as a standard part of the engagement process. Once a scoping conversation confirms mutual fit, the relevant documentation — covering security controls, AI governance, data handling, and compliance alignment — is provided as part of onboarding. Organisations with specific procurement requirements can request documentation earlier in the process through our security team.
Can customers conduct their own security assessments?
Yes. Security and procurement reviews are a standard part of how we onboard regulated customers — not an exception to it. Common requests include security questionnaires, architecture reviews, vendor diligence assessments, and AI governance documentation, all addressed through the engagement process.
Do you support regional or dedicated deployment requirements?
Yes. Deployment architecture, hosting configurations, and data residency options can be discussed based on your organisation's operational and regulatory requirements. These are scoped during the engagement process.
Is customer data used to train AI models?
No. Customer data is never used for model training or fine-tuning without explicit written authorisation and documented approval. This is a standing policy — not a configuration option.
Do you maintain audit logging for AI-assisted workflows?
Yes. Every AI-assisted workflow is designed for full traceability — inputs, outputs, state changes, and decisions are logged in a structured, tamper-evident format readable by technical teams, auditors, and regulators.
Which governance and risk frameworks influence your approach?
Our practices are informed by established security, risk, and governance frameworks across our core verticals — GLBA Safeguards Rule, FFIEC IT Examination Handbook, and SR 11-7 for financial services; FDA 21 CFR Part 11, EU Annex 11, and ICH Q9 for regulated pharma; HIPAA and HITECH for healthcare; and NIST AI RMF and NIST CSF 2.0 across all engagements.
What is your data retention and deletion policy?
Customer data is retained only for the duration required to deliver the engagement. Upon contract conclusion or customer request, data deletion procedures are initiated and documented. Specific retention schedules and deletion verification are addressed in the Data Processing Agreement provided to each customer.
How are you approaching EU AI Act compliance?
We are actively monitoring EU AI Act implementation timelines and their applicability to the systems we build and operate. For customers with EU exposure, we incorporate AI Act risk classification considerations into system design and governance documentation from the outset. This is an evolving area and we engage with customers directly on their specific obligations.
Contact

Contact and diligence requests.

When organisations onboard Sense7ai as a vendor, security and diligence documentation is addressed as a standard part of that process, not as a separate administrative step. Whether you are beginning a scoping conversation, a security review, or a procurement assessment, the starting point is a conversation; documentation covering security controls, AI governance, data handling, and compliance alignment follows from there.

Schedule a scoping call