TITAN AI is a startup. Our security posture is what you can verify today: HIPAA BAA available at signing, ISO 27001 alignment in place, SOC 2 Type II observation period begins at first paying customer. The detail behind each of those statements is below.
TITAN AI is in the Founding Customer phase. We are a startup, not a Fortune 500 vendor. Our compliance posture reflects that: the certifications and attestations below are either available today, in active progress, or roadmapped to a specific quarter. We will not list a certification we do not hold.
HIPAA BAA is available at contract signing for any healthcare customer. Our BAA template covers the Security Rule technical safeguards (45 CFR 164.312), the breach-notification process, and the subcontractor BAA chain.
ISO 27001:2022 alignment is in place. The internal control set, the risk register, the statement of applicability, and the management-review cadence are all live. Formal certification is roadmapped to Q4 2026.
SOC 2 Type II observation period begins at first paying customer. Auditor selection complete (Big Four). The Type II report is targeted for Q1 2027 covering the prior six-month observation window.
FedRAMP Moderate alignment is implemented. Formal authorization is sponsor-gated; if you are a federal customer who can sponsor the ATO, contact us.
GDPR DPA is available on request for EU customers. Our DPA covers the Article 28 processor obligations, sub-processor list, and data-transfer mechanism (SCCs as primary, BCRs roadmapped).
TITAN AI runs against your cloud accounts using credentials you control. We do not copy your data into our infrastructure. The agent fleet runs in your account, the findings render to your storage, and the evidence files are emitted into your file system or your ticketing platform.
When the LLM reasoning path is invoked (cloud reasoning service or local Ollama), only the finding metadata is sent. Raw resource data, IAM payloads, and credential strings are redacted before any model call. The redaction list is published in our docs.
Customer license tokens are signed with Ed25519 and encrypted at rest with AES-256-GCM in the license database. Stripe customer IDs are stored without payment-instrument information; payment details remain inside Stripe.
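The two-layer token handling described above, as an added Go illustration that is not TITAN AI's code: Ed25519 gives the customer a token whose origin is verifiable, and AES-256-GCM protects the stored copy and detects any edit to the row. The payload||signature token layout, the nonce-prefixed row layout, the `cus_EXAMPLE` customer payload and the locally generated database key are assumptions for the example; a production key would be held in a KMS.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// issueToken returns payload||signature, signed with the issuer's Ed25519 key.
func issueToken(priv ed25519.PrivateKey, payload []byte) []byte {
	return append(append([]byte{}, payload...), ed25519.Sign(priv, payload)...)
}

// verifyToken splits payload||signature and checks it against the issuer's public key.
func verifyToken(pub ed25519.PublicKey, token []byte) ([]byte, bool) {
	if n := len(token) - ed25519.SignatureSize; n >= 0 {
		return token[:n], ed25519.Verify(pub, token[:n], token[n:])
	}
	return nil, false
}

// sealAtRest encrypts a token under AES-256-GCM for the license database,
// prepending a fresh random 96-bit nonce so each stored row carries its own.
func sealAtRest(gcm cipher.AEAD, token []byte) []byte {
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand; reusing a nonce under one key would break GCM
	return gcm.Seal(nonce, nonce, token, nil)
}

// openAtRest decrypts a stored row; GCM's authentication tag rejects any edit.
func openAtRest(gcm cipher.AEAD, sealed []byte) ([]byte, error) {
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, fmt.Errorf("truncated row: %d bytes", len(sealed))
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	dbKey := make([]byte, 32) // constructed demo key; a production key lives in a KMS
	rand.Read(dbKey)
	block, _ := aes.NewCipher(dbKey) // a 32-byte key selects AES-256
	gcm, _ := cipher.NewGCM(block)
	row, _ := openAtRest(gcm, sealAtRest(gcm, issueToken(priv, []byte(`{"cust":"cus_EXAMPLE"}`))))
	payload, ok := verifyToken(pub, row)
	fmt.Println(string(payload), ok)
}
```

The signature travels with the token, so a customer or support engineer can verify it with only the public key, while the database row cannot be read or altered without the GCM key.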
All inter-agent communication uses TLS 1.3. The titanaisec.com origin holds an ECC P-256 certificate from Cloudflare with HSTS preload enabled.
Report a vulnerability to [email protected]. We acknowledge within one business day, ship a fix or compensating control within thirty days for high-severity issues, and coordinate disclosure with the reporter. We do not pursue legal action against good-faith researchers.
USPTO patent application 19/645,524 filed April 2026. We list the application number for traceability; we do not present it as a credential. Pending patent is a filing receipt, not a competitive moat. Our actual moat is the code, the data, and the customer evidence we accumulate over time.
Read-only scan. No credit card. Full evidence pack on every finding.