Developum AI Inc. operates the EVOLUM platform against the AICPA Trust Services Criteria for Security, Availability, and Confidentiality. This page describes exactly what that means, what we can prove, and what a prospective auditor or enterprise buyer can request from us on any given day.
Honest framing. We are SOC-2 compliant — our controls, policies, and evidence align with the SOC-2 Type II framework. We do not hold a signed attestation report from a CPA firm at this time; that engagement is available when a customer or investor requires it. Our full auditor package — 8 policies, system evidence, and automated control scripts — is ready to share.
| Criterion | Posture |
|---|---|
| Security | Encryption in transit (TLS 1.2+) and at rest (Supabase-managed AES-256). Least-privilege access enforced via Supabase RLS. Workstation encryption and auto-lock enforced. |
| Availability | Hetzner primary infrastructure. Daily automated database backups. Documented DR/BCP with RTO/RPO targets. Uptime monitoring on customer-facing endpoints. |
| Confidentiality | Screenplay and personal data never leaves the platform for third-party AI processing. Deterministic engine runs locally. Zero customer content transmitted to external LLM APIs. |
| Processing Integrity | Deterministic Python + JSON pipeline. Same input → same output. Auditable transformation logs. |
| Privacy | Covered under our Privacy Policy and Data Processing Addendum. GDPR- and CCPA-aware data handling. |
Enterprise buyers, investors performing security diligence, and prospective auditors can request the full readiness package by writing to security@developumaiengine.com. We reply within two business days and share the package under mutual NDA.
The package includes: all 8 policy documents in full, system evidence exports, automation script source, our sub-processor list with security-review dates, and current risk register.
A formal SOC-2 Type II attestation engagement will be initiated when a customer, investor, or partner requires the signed report — or when we choose to pursue it proactively as we scale. When that happens, this page will be updated with the auditor, engagement dates, and eventually the signed report itself.
Until then: we are compliant, we are ready, and we can prove it on any given day.