Where we stand today (plainly)
We would rather be precise than aspirational. As of this writing, Exolvra is not yet certified under SOC 2, ISO 27001, ISO 42001, or HIPAA. What we have instead:
- A product engineered to support your SOC 2, ISO 27001, HIPAA, and ISO 42001 obligations inside your own environment (mapped below).
- A control set mapped to the Cloud Security Alliance Cloud Controls Matrix, available as a CAIQ self-assessment and as our answer bank for your security questionnaire.
- A founder who built and ran a SOC 2 and ISO 27001 program as CTO of an enterprise SaaS platform used by Comcast, McKesson, the NHS, and Liberty Mutual. This architecture is the descendant of that work.
We will pursue formal certification when an enterprise engagement calls for it, scoped honestly to our model.
What the product provides
Encryption at rest & in transit
SQLCipher full-database encryption plus an AES-256-GCM field layer, layered key management (KMS hook, OS keychain, env, or machine-bound keyfile), and TLS in transit.
Secrets stay out of prompts
A named-secrets vault substitutes values at the wire. A {{secret:NAME}} reference never enters a prompt, a log, or the model context.
Tamper-evident audit
A hash-chained audit log of tool calls and state changes, written in the same transaction as the action, so the trail cannot silently diverge from what happened. Exportable to your SIEM.
Least privilege for agents
A capability resolver, per-agent permissions and integration allowlists, RBAC, and a Cloud Mode that locks agents to network and memory only for multi-tenant use.
Human approvals & governance
Approval workflows, spend budgets, rate tracking, and enforced output review: fourteen guardrails re-drive weak work until it passes.
Secure SDLC & supply chain
4,400+ tests, reviewed builds, signed desktop binaries, pinned dependencies, and a deliberate refusal of repository-supplied shell hooks to block code execution from a repo.
Framework alignment
This is alignment, not certification. It shows which Exolvra controls support each framework in your environment.
Encryption, audit, RBAC, approvals, logging, and secure SDLC. The operating-environment controls are yours; we provide the product controls.
The same controls mapped to access control, cryptography, operations, supplier, and logging domains.
Encryption, access, audit, and integrity controls. Self-hosted means we do not receive PHI, so a BAA may not be required.
Enforced review, human approval gates, the agent-action audit trail, and least-privilege agents are exactly the AI-governance controls this standard asks for.
Marketing-site controls at /privacy. In the product, you are the controller and the data stays with you.
Our controls mapped to the Cloud Controls Matrix (CAIQ). Available as our questionnaire answer bank.
Shared responsibility
Because Exolvra runs on your infrastructure, the responsibility split differs from a normal SaaS:
| Area | Owner |
|---|---|
| The software: security architecture, encryption, audit, access-control primitives, secure SDLC | EvolvLabs |
| EvolvLabs corporate systems: source code, build and release pipeline, this website | EvolvLabs |
| Physical / datacenter / host OS / network | You |
| Availability, backups, disaster recovery of the deployment | You |
| Identity provider, network access to the app, key custody, your data | You |
Need our security package?
We are glad to share our full control mapping (Cloud Controls Matrix / CAIQ), answer your security questionnaire (CAIQ, SIG, or your own), provide an SBOM, or walk your security team through the architecture. Tell us what your review needs.
[email protected]This page is a summary of our posture, not legal or audit advice. Certification scope is confirmed with a qualified auditor when we pursue it.