
Compliance

This page describes Venturi's compliance posture honestly: which controls are in-architecture today, and which formal attestations and programs are on a clearly-labeled forward roadmap. We never imply Venturi holds an attestation it does not yet hold.

How to read this page

The security architecture, tenant isolation, encryption, retention, erasure, and audit controls described elsewhere in this section are in-architecture and stated in the present tense. The formal compliance program below — SOC 2 attestation, the formal GDPR program, and EU AI Act registration — is a forward roadmap with explicit phase gates. The two are kept structurally distinct on this page.

SOC 2

SOC 2 status

SOC 2 Type I is a target on our security roadmap, with Type II targeted within 12 months of the Type I report. Neither report is held today.

Venturi never states or implies that it currently holds, or is certified for, SOC 2.

Item | Roadmap position
SOC 2 Type I | In progress, built on the audit-trail subsystem. (Type I attests control design and implementation at a point in time.)
SOC 2 Type II | Targeted within 12 months of Type I; the Type II observation window starts immediately after the Type I report. (Type II attests operating effectiveness over a 3 to 12-month observation period.)
In-scope Trust Services Criteria | Security (Common Criteria, the only criterion SOC 2 itself requires), Availability, Confidentiality, and Processing Integrity. Venturi treats Processing Integrity as mandatory by its own choice because the product produces the numbers customers bill on; it is the home of the confidence-cap, abstention, and chargeback-eligibility controls. Privacy is added when the first EU/regulated deal enters the pipeline.
Annual penetration test | Tied to the SOC 2 program; critical findings are remediated before deployment.

The control foundation for the attestation is already in place: the immutable, append-only audit trail and the policy-event writer provide the tamper-evident control history that a SOC 2 examiner relies on. See the audit trail.

GDPR

Processor framing

Venturi acts as a data processor; your organization is the controller. Venturi processes personal data only on your documented instructions and commits to the GDPR Article 28 processor obligations, including the Art. 28(3) DPA terms and the Art. 28(2) subprocessor change-notification and objection workflow. See Data-subject rights for how requests are fulfilled.

In-architecture today

  • Data minimization — content inspection is disabled by default, so Venturi processes invocation metadata, not prompt or completion content (GDPR Art. 5(1)(c)). See Data privacy & retention.
  • Cohort-only adoption intelligence (minimum cohort of 5, sub-cohort suppression, anti-differencing, individual-level off by default and hard-disabled in the EU) — the privacy core of the product.
  • Crypto-shred erasure within a 30-day SLA, with a deletion certificate, reconciled with the append-only architecture: subject-linked records are encrypted under a per-subject key, so erasure destroys the key and leaves the immutable log intact while the ciphertext becomes unrecoverable.
  • Pseudonymized audit trail retained under a named legal-claims / legitimate-interest basis.
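The following is an added example, not Venturi's code, showing how crypto-shred erasure reconciles with an append-only, hash-chained audit trail like the one described above. It assumes a design in which each data subject has a per-subject data-encryption key (DEK) held outside the log, log events carry only a pseudonymous subject id plus ciphertext, and erasure destroys the DEK and appends a deletion certificate as one more immutable event. The cipher is an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC so the block runs on the standard library alone; production code would use AES-GCM from a vetted library. All names, the 16-character pseudonym width, and the sample records are assumptions of this example.

```python
import hashlib
import hmac
import json
import os

GENESIS = "0" * 64          # prev-hash of the first log event
SLA_SECONDS = 30 * 86400    # the 30-day erasure SLA stated on the page


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 as a PRF in counter mode; stand-in for AES-GCM (assumption).
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()   # encrypt-then-MAC
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class AuditTrail:
    """Append-only, hash-chained event log. Events are never rewritten or removed."""

    def __init__(self):
        self.events = []

    def append(self, event: dict) -> str:
        prev = self.events[-1]["hash"] if self.events else GENESIS
        body = json.dumps(event, sort_keys=True)
        h = hashlib.sha256((prev + body).encode()).hexdigest()
        self.events.append({"prev": prev, "body": body, "hash": h})
        return h

    def verify(self) -> bool:
        """Tamper-evidence check: every event must chain to its predecessor."""
        prev = GENESIS
        for e in self.events:
            if e["prev"] != prev or hashlib.sha256((prev + e["body"]).encode()).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True


class SubjectStore:
    """Per-subject DEKs kept outside the log. Pseudonym = HMAC(pepper, subject id)."""

    def __init__(self, pepper: bytes):
        self.pepper = pepper
        self.deks = {}

    def pseudonym(self, subject_id: str) -> str:
        return hmac.new(self.pepper, subject_id.encode(), hashlib.sha256).hexdigest()[:16]

    def dek_for(self, subject_id: str) -> bytes:
        return self.deks.setdefault(self.pseudonym(subject_id), os.urandom(32))


def record_invocation(trail, store, subject_id, metadata: dict) -> str:
    """Log only the pseudonym and ciphertext; the DEK never enters the trail."""
    blob = encrypt(store.dek_for(subject_id), json.dumps(metadata).encode())
    return trail.append({"type": "invocation", "subject": store.pseudonym(subject_id),
                         "payload": blob.hex()})


def read_invocations(trail, store, subject_id) -> list:
    pid = store.pseudonym(subject_id)
    key = store.deks.get(pid)
    if key is None:
        raise KeyError("subject key destroyed; records are unrecoverable")
    bodies = (json.loads(e["body"]) for e in trail.events)
    return [json.loads(decrypt(key, bytes.fromhex(b["payload"])))
            for b in bodies if b["type"] == "invocation" and b["subject"] == pid]


def crypto_shred(trail, store, subject_id, requested_at: int, now: int) -> dict:
    """Erase by destroying the DEK; the ciphertext stays in the immutable log."""
    pid = store.pseudonym(subject_id)
    key = store.deks.pop(pid)                       # KeyError if already shredded
    fingerprint = hashlib.sha256(key).hexdigest()[:16]
    del key                                         # nothing else references the DEK
    affected = sum(1 for e in trail.events
                   if json.loads(e["body"]).get("subject") == pid)
    cert = {"type": "deletion_certificate", "subject": pid, "dek_fingerprint": fingerprint,
            "requested_at": requested_at, "completed_at": now,
            "within_sla": now - requested_at <= SLA_SECONDS, "affected_events": affected}
    cert["log_hash"] = trail.append(cert)           # the certificate is itself chained
    return cert
```

The certificate records the fingerprint of the destroyed key rather than the key, so an auditor can confirm which key was shredded without it ever being reconstructible, and `verify()` still passes after erasure because no event was altered.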

GDPR data residency

Per-tenant data lives entirely in your VPC. The control plane and the cross-tenant Aggregation VPC are region-pinned from day one, and EU-origin data is processed in-region or under Chapter V safeguards (Standard Contractual Clauses). Venturi's stance is a single region plus SCCs. See Residency & subprocessors.

Forward GDPR program

Item | Roadmap position
Formal DPA (Art. 28(3) terms; SCCs where Chapter V applies) | Enterprise-readiness workstream
Record of Processing Activities (RoPA, Art. 30) | Maintained for in-VPC metadata processing and cross-tenant aggregation
DPIA template (Art. 35) | Ships with the product; likely mandatory for employee-data processing
Lawful-basis mapping (per processing activity) | Documented
inference_geo customer-facing residency-control surface | Roadmap, atop the region-aware fields and per-jurisdiction filters

CCPA

Where your organization is a business subject to CCPA/CPRA, Venturi operates as a service provider: it processes personal information only to provide the attribution service on your instruction, does not sell or share personal information, and processes only the metadata required for attribution. Consumer access, deletion, and portability requests are fulfilled through the same mechanisms described in Data-subject rights, including the crypto-shred deletion path. The same data-minimization posture (no content capture, cohort-only adoption intelligence) limits the personal-information footprint by design.

EU AI Act

The EU AI Act has two faces for Venturi: Venturi's own provider self-classification, and EU-AI-Act compliance automation as a future product capability.

Self-classification — non-high-risk

Venturi documents a non-high-risk posture for its adoption-intelligence / attribution system. Venturi never asserts "low risk" generically. The posture rests on the EU AI Act Art. 6(3) conditions:

  • Primary condition, Art. 6(3)(c): the system detects decision-making patterns or deviations from prior decision-making patterns and is not meant to replace or influence a previously completed human assessment without proper human review. It surfaces aggregate, cohort-level signals for human review.
  • Fallback condition — Art. 6(3)(d): the system performs a preparatory task to an assessment.
  • Registration regardless. Even under a documented non-high-risk determination, Venturi registers in the EU database under Art. 49(2).

Cohort-only design is the precondition

Art. 6(3) is unavailable to any system that performs profiling of natural persons. Cohort-only adoption intelligence (minimum cohort of 5, individual-level off) is therefore the precondition that keeps Venturi out of profiling. Venturi additionally performs no emotion recognition or behavioral-state inference about individual workers (prohibited in the workplace under Art. 5(1)(f)); this documented exclusion is enforced as a frozen invariant.
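The cohort-only rules referenced here and in the GDPR section (minimum cohort of 5, sub-cohort suppression, anti-differencing, individual-level off by default and hard-disabled in the EU) are a small suppression algorithm, and the following added example shows one way to implement it. It is not Venturi's code: the record layout, the adoption-rate metric, the `__total__` label, the jurisdiction string, and the sample team data are all assumptions. The anti-differencing step is the part worth studying: withholding every cohort under 5 users is not enough, because a published organization total minus the published cohorts reveals the withheld remainder, so the withheld cohorts together must also cover at least 5 users.

```python
MIN_COHORT = 5   # minimum cohort size stated on the page


def cohorts_by(records, key):
    """Map cohort label -> {user: ai_invocations}, one entry per distinct user."""
    out = {}
    for r in records:
        out.setdefault(r[key], {})[r["user"]] = r["ai_invocations"]
    return out


def suppression_plan(cohorts, k=MIN_COHORT):
    """Decide which cohorts of a published parent total may be released.

    Primary suppression: any cohort with fewer than k users is withheld.
    Complementary suppression (anti-differencing): if the parent total is released,
    the withheld cohorts together must also cover >= k users; otherwise
    parent - released would expose a group smaller than k. While that holds, the
    smallest released cohort is withheld as well.
    """
    withheld = {c for c, users in cohorts.items() if len(users) < k}
    released = set(cohorts) - withheld
    while withheld and released and len(set().union(*(cohorts[c].keys() for c in withheld))) < k:
        victim = min(released, key=lambda c: len(cohorts[c]))
        released.remove(victim)
        withheld.add(victim)
    return released, withheld


def _stats(users):
    adopters = sum(1 for n in users.values() if n > 0)
    return {"users": len(users), "adoption_rate": round(adopters / len(users), 2)}


def adoption_report(records, key, jurisdiction, individual_level=False, k=MIN_COHORT):
    """Cohort-level adoption report. individual_level is off by default and
    refused outright for EU tenants regardless of the caller's request."""
    if individual_level:
        if jurisdiction == "EU":
            raise PermissionError("individual-level adoption intelligence is hard-disabled in the EU")
        return {r["user"]: r["ai_invocations"] for r in records}   # explicit non-EU opt-in

    everyone = {r["user"]: r["ai_invocations"] for r in records}
    cohorts = cohorts_by(records, key)
    if len(everyone) < k:                       # parent itself too small: release nothing
        return {"__total__": "suppressed", **{c: "suppressed" for c in cohorts}}
    released, withheld = suppression_plan(cohorts, k)
    report = {"__total__": _stats(everyone)}
    report.update({c: _stats(cohorts[c]) for c in released})
    report.update({c: "suppressed" for c in withheld})
    return report


# Constructed sample: 17 users across four teams (assumption, not real data).
SAMPLE = []


def _add(team, n, adopters):
    base = len(SAMPLE)
    for i in range(n):
        SAMPLE.append({"user": f"u{base + i:02d}", "team": team,
                       "ai_invocations": 12 if i < adopters else 0})


_add("platform", 7, 5)
_add("data", 6, 2)
_add("security", 3, 3)
_add("exec", 1, 1)
```

On the sample, `security` (3) and `exec` (1) fail the size floor, but together they cover only 4 users, so releasing the total (17) and both `platform` (7) and `data` (6) would reveal a 4-person group by subtraction; the plan therefore withholds `data` as well, and `17 - 7 = 10` is the smallest group a reader can derive.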

The provider-versus-deployer roles and the Art. 13 / Art. 50(3) transparency duty to monitored employees are documented, and a works-council pack ships with the product. The choice among the Art. 6(3) conditions is subject to EU-counsel sign-off before external release.

Precautionary post-market controls

Even under the non-high-risk posture, Venturi adopts the EU AI Act post-market and serious-incident workflows as precautionary controls:

  • A post-market monitoring plan (Art. 72) that reuses the platform's live calibration and drift monitors, the false-high-confidence and calibration-error gates, and the anomaly-detection system.
  • An AI incident runbook covering AI-specific failure modes — mass mis-attribution, a calibration/drift breach (which triggers automatic fallback to the heuristic baseline), confidence inflation, and evidence poisoning — with detection, rollback, customer-notification, and post-incident-review steps.
  • The Art. 73 serious-incident reporting workflow, recorded in the RoPA, so the channel exists if a classification ever changes.

Compliance automation (product capability)

EU-AI-Act compliance automation for your organization — an audit trail and frameworks mapped to attributed AI usage — is a roadmap product capability. The attribution graph is the natural substrate for "which AI system, used by whom, for what." The audit trail ships today; automated compliance reporting is a later roadmap phase.

Control framework crosswalk

Venturi maintains a crosswalk mapping its in-architecture controls to the principal governance frameworks — NIST AI RMF, NIST SP 800-53 / CSF, ISO/IEC 27001 and 42001, and CISA Secure by Design. ISO 27001 (Information Security Management System) and ISO 42001 (AI Management System) certification are roadmap items; the mapping is provided now to accelerate diligence. The full crosswalk is on the Trust center.

Incident response & breach notification

A documented incident-response plan defines a Sev-1/2/3 severity taxonomy, escalation tiers, a blameless-postmortem requirement, and MTTA/MTTR targets. As processor, Venturi's breach-notification commitment supports your GDPR Art. 33 obligation: Venturi notifies you without undue delay (target of 24 hours or less from becoming aware) so you can meet your 72-hour supervisory-authority deadline. Operationally, Venturi runs a public status page and commits, for any Sev-1/Sev-2 customer-impacting incident, to an initial acknowledgement, periodic updates, and a written Reason-for-Outage within 5 business days. The operational availability path and the Art. 33 breach path run in parallel where both apply.