Security you can verify
Your SQL queries, codebase architecture, and orchestration workflows are proprietary intellectual property. Here is exactly what we do to protect your datasets: no hand-waving, just strict compliance controls.
Our security principles
Four core pillars driving every infrastructure choice we make.
Your data stays yours
We process source code segments solely to translate them. We never retain payloads beyond 90 days. Your intellectual property is never sold, shared, or ingested to train public language models.
Defense in depth
All services are encrypted in transit with TLS 1.3. Data at rest is encrypted with AES-256. Workspace sessions are invalidated after 30 minutes of inactivity by default, so an unattended open tab does not stay signed in.
Least privilege access
Application tasks run under narrowly scoped IAM profiles. Developer roles do not grant production payload access. Admin changes require multi-approval tokens with real-time audit triggers.
Transparency first
We publish incident updates within 15 minutes of trigger detection. No marketing abstractions. Our live health statistics are always auditable from the public status tracker.
Controls & Security Parameters
Every security filter currently operating on production environments.
| Security Control | Status | Technical Implementation Details |
|---|---|---|
| Data Encryption at Rest | LIVE | AES-256 keys handled via GCP KMS. Customer Managed Keys (CMEK) can be requested on Enterprise. |
| Data Encryption in Transit | LIVE | TLS 1.3 enforced on all host ports. HSTS preloaded headers prevent protocol downgrade hijacks. |
| Role-Based Access Control | LIVE | Granular permissions (Owner, Editor, Viewer) audited in application middleware. |
| Audit Logging Schema | LIVE | Every mutation logs payload hash, user email, client IP, and agent schema. Auditable via CSV. |
| SAML 2.0 Identity SSO | LIVE | Tenant configuration mappings for Okta, Entra ID, Ping Identity, and ADFS. |
| API Key Revocation | LIVE | Hashed keys (SHA-256) rotatable directly from user profile dashboards. |
| Session Idle Invalidation | LIVE | Secure cookies auto-invalidate after 30 minutes of inactive load. |
| Data Residency Choices | ROADMAP | Central hosting inside us-central1. Region-pinning for EU targets available on Enterprise requests. |
| SOC 2 Type II audit | ROADMAP | Attestation procedures mapped. Audits target completion in early 2027. |
| Private-VPC Deployments | ON REQUEST | Dockerized execution pods run air-gapped on your private Google Cloud clusters. |
Sub-processors
We process payloads under strict Data Processing Agreements (DPAs).
| Provider | Process Scope | Asset Types Handled |
|---|---|---|
| Google Cloud Platform | Core Application Hosting & storage | All customer database records, tokens & transient payloads |
| Anthropic (Claude API) | Ephemeral parsing & dialect translations | SQL queries & ETL maps (ephemeral cache, no retention) |
| OpenAI API | Fallback syntax conversions | Source SQL script strings (subject to API DPA privacy standards) |
| Stripe / Razorpay | Payment transaction portals | Account details, billing address, and transaction hashes |
Security & Audit Roadmap
Transparent goals for third-party auditing and security milestones.
SCIM Provisioning
Sync identity directories (Entra, Okta) for real-time deprovisioning.
External Penetration Test
Summary audit findings released to security procurement channels.
ISO 27001 assessment
Completing pre-certification gap analysis against standard rules.
SOC 2 Type II audit
Formal Type II attestation document available under NDA.
Incident Response & Breach Notification
Our processes and commitments when resolving critical security issues.
Public status page
Real-time component health is publicly visible at gojarvisx.ai/status. Critical incidents are posted within 15 minutes of detection.
Breach notification
If a security incident affects your data, you will be notified within 72 hours as required by GDPR Art. 33 via direct email to the account owner.
Post-incident reviews
Every Sev-1 incident receives a detailed post-mortem within 7 days. These are published openly on our status page with root cause and remediation items.
Terms & Privacy Policy
Review our terms in plain English. Plain limits, clear deliverables, no hidden subscription clauses.
Read Terms of Service
Data Processing Agreement
GDPR Article 28 compliant standard DPA templates are ready to sign for Enterprise tenants.
Request DPA Draft
Detailed Security Review
Completing a diligence questionnaire? Our CSA CAIQ questionnaire covers 90% of procurement checks.
Review CSA Mappings