The artifact pack your security and legal teams need: SOC 2 Type I and II, penetration-test summary, DPA, SIG-CORE, data-flow diagram, subprocessor list. Delivered under mutual NDA on Day 01 of review.
Nine documents, delivered as a single pack under mutual NDA on Day 01 of review. Updated quarterly; version-pinned to the release you're evaluating.
Three are public: the DPA template, the subprocessor list, and the vulnerability disclosure policy. The other six route through the security review form and an MNDA template we send back within hours.
| # | Artifact | Version / period | Access | Delivered |
|---|---|---|---|---|
| 01 | SOC 2 Type II report · trust services criteria: security, availability, confidentiality | FY2026 · annual | MNDA | within 1 biz day |
| 02 | SOC 2 Type I report · point-in-time, historical | 2025 | MNDA | within 1 biz day |
| 03 | Third-party pen-test summary · full scope + remediation | v2026.q1 | MNDA | within 1 biz day |
| 04 | Pen-test CVSS remediation log · rolling, per-release, SLA-bound | rolling | MNDA | within 3 biz days |
| 05 | Data-processing addendum (DPA) · controller → processor, no subprocessors | template | public | view |
| 06 | SIG-CORE questionnaire · completed, Shared Assessments framework | 2026 · q2 | MNDA | within 3 biz days |
| 07 | Data-flow diagram · per-deployment, signed | v2026.4 | MNDA | within 1 biz day |
| 08 | Subprocessor list · 0 external subprocessors, infra providers listed | 2026 · q2 | public | view |
| 09 | Vulnerability disclosure policy · scope, safe harbor, contact | public | public | view |
The question legal asks on call one is never "are you SOC 2." It is "what is the contractual treatment of our data." These six answers map one-to-one to DPA clauses.
Every row is operational, observable in the deployment, enforceable in the contract, falsifiable in audit.
- ATS / HRIS read-through only; no replication to Nodes-side storage; no vendor-owned copy of PII, résumés, or interview audio.
- Customer-configurable retention. The default is 7 years, matching the decision-trace reproducibility window. Hard-delete workflow signed and logged on request.
- Model retrains are per-customer, in-VPC, on customer-consented data only. No cross-tenant pooling. No shared foundation-model updates derived from your corpus.
- Customer-held KMS (AWS KMS, Azure Key Vault, GCP KMS, or HashiCorp Vault). Key revocation is a contract-bound kill switch, not a support ticket.
- Okta, Azure AD, Ping, or Google Workspace. Group-mapped RBAC. SCIM deprovisioning removes admin access within one hour of an HRIS termination event.
- Scoring, admin, and retrain events are hashed and streamed to a customer-owned sink (Splunk, Datadog, or equivalent). Signed decision traces are reproducible seven years out.
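The last row describes hashed, signed events landing in a customer-owned sink. The example below is an added illustration of one way such a stream can be made tamper-evident on the receiving side; it is not Nodes' code and does not describe their actual record format. It assumes a hypothetical customer-held HMAC key, a constructed set of three sample events, and a simple hash chain in which each record commits to the previous record's hash, so that editing any earlier event breaks verification at that record.

```python
import copy
import hashlib
import hmac
import json

# Assumption: a customer-held signing key. Fixed demo value for illustration only.
SIGNING_KEY = b"customer-held-demo-key"

# Constructed sample events, modelled loosely on the event classes named in the text.
SAMPLE_EVENTS = [
    {"type": "scoring", "candidate_id": "cand-0001", "score": 0.42, "ts": "2026-01-10T09:00:00Z"},
    {"type": "admin", "actor": "alice@example.test", "action": "role_change", "ts": "2026-01-10T09:05:00Z"},
    {"type": "retrain", "dataset_version": "v7", "ts": "2026-01-11T02:00:00Z"},
]

GENESIS_HASH = "0" * 64


def canonical(obj: dict) -> bytes:
    """Deterministic JSON serialisation so the same event always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def append_event(chain: list, event: dict, key: bytes = SIGNING_KEY) -> dict:
    """Append an event to the chain: hash it over the previous record's hash, then HMAC the hash."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS_HASH
    body = {"seq": len(chain), "prev_hash": prev_hash, "event": event}
    digest = hashlib.sha256(canonical(body)).hexdigest()
    sig = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    record = {**body, "hash": digest, "sig": sig}
    chain.append(record)
    return record


def verify_chain(chain: list, key: bytes = SIGNING_KEY) -> tuple:
    """Re-derive every hash and signature. Returns (ok, index_of_first_bad_record or -1)."""
    prev_hash = GENESIS_HASH
    for i, rec in enumerate(chain):
        body = {"seq": rec["seq"], "prev_hash": rec["prev_hash"], "event": rec["event"]}
        expected_hash = hashlib.sha256(canonical(body)).hexdigest()
        expected_sig = hmac.new(key, expected_hash.encode(), hashlib.sha256).hexdigest()
        if (
            rec["seq"] != i
            or rec["prev_hash"] != prev_hash
            or rec["hash"] != expected_hash
            or not hmac.compare_digest(rec["sig"], expected_sig)
        ):
            return False, i
        prev_hash = rec["hash"]
    return True, -1


def demo() -> dict:
    """Build a chain from the sample events, then show that editing one event is detected."""
    chain = []
    for ev in SAMPLE_EVENTS:
        append_event(chain, ev)
    ok_before, _ = verify_chain(chain)

    # Tamper with the scoring event after the fact: the hash of record 0 no longer matches.
    tampered = copy.deepcopy(chain)
    tampered[0]["event"]["score"] = 0.99
    ok_after, bad_at = verify_chain(tampered)

    # A record re-signed with the wrong key also fails, even if its hash is recomputed.
    forged = copy.deepcopy(chain)
    forged[1]["event"]["action"] = "role_change_forged"
    forged_chain = forged[:1]
    append_event(forged_chain, forged[1]["event"], key=b"attacker-key")
    ok_forged, forged_at = verify_chain(forged_chain)

    return {
        "length": len(chain),
        "ok_before": ok_before,
        "ok_after": ok_after,
        "bad_at": bad_at,
        "ok_forged": ok_forged,
        "forged_at": forged_at,
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats worth knowing when reading a claim like the one above. First, a hash chain detects edits and insertions but not silent truncation at the tail; a receiver needs an independent expectation of the latest sequence number (or periodic anchoring of the head hash) to notice missing recent events. Second, the key used for the signature must be one the vendor cannot use unilaterally, otherwise the signature proves integrity but not independence, which is the point of the customer-owned sink.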
Controls are implemented in the deployment, not bolted on in policy. For the full boundary manifest, model supply chain, and deployment targets, see Architecture.
One held certification, many operating postures. Every row below states Nodes' actual relationship to that framework, not the customer's. Your own program covers the deployment; we provide the controls and artifacts it depends on.
We do not claim FedRAMP, ISO 27001, HITRUST, NERC CIP, ITAR, CMMC, IL4, IL5, or StateRAMP as Nodes-held. We do not list any as "in progress." This matrix is the whole story.
| Framework | Nodes relationship | What that means in practice |
|---|---|---|
| SOC 2 Type II | Certified · annual | Third-party audit report covering security, availability, and confidentiality. Renewed annually. Available under MNDA. |
| SOC 2 Type I | Certified · historical | Initial point-in-time attestation, superseded operationally by Type II. Available under MNDA. |
| Third-party penetration testing | Assessed · per-release + annual | Contracted tests on every major release plus annual scope. CVSS-tiered remediation SLAs, contractually committed. |
| GDPR · CCPA | Operationally aligned | Controller / processor DPA templates with no external subprocessors. DSARs land in customer HRIS, not ours. |
| HIPAA | Operationally aligned · customer-certifiable | Technical controls match Security Rule. Customer's own program covers the deployment; we do not hold or claim certification. |
| NYDFS Part 500 · NAIC MDL-671 | Operationally aligned · insurance | Controls map to NYDFS / NAIC; carrier's own program covers use. Live in insurance deployments today. |
| ISO 27001 · ISO 27701 | Not held | SOC 2 is the attestation we maintain. ISO available on customer request via a third-party bridge audit, not a Nodes-side certification. |
| ITAR · EAR · CMMC Level 2 | Not in scope | Requires air-gapped deployment and cleared-personnel program. Available on engagement, not certified by Nodes. |
| FedRAMP · StateRAMP · FISMA | Not in scope | No current FedRAMP authorization. Not claimed as "in progress." Federal engagements run under customer ATO, not Nodes-held. |
| NERC CIP v7 · TSA SD | Not in scope | Energy-sector deployments run under the customer's own CIP program. Nodes provides boundary controls; certification sits with the customer. |
| HITRUST · HITECH | Not held | Not maintained as Nodes-side certifications. Technical controls are HITRUST-aligned; customer's HITRUST program covers the deployment. |
A security program without a public incident posture is not a security program. Left: what happens when something triggers. Right: what actually has.
Architecture carries the long-form engineering questions. These five are the ones that come up in the first call with a security reviewer. Short answers, because these are short questions.
Yes, under mutual NDA, delivered within one business day of a signed MNDA. The Type I report, pen-test summary, and data-flow diagram ship in the same pack.
SOC 2 Type I and II only. Alignment with other frameworks is operational; your own program covers the deployment. No FedRAMP authorization, and we do not list it as "in progress." ISO is available as a bridge audit on request.
Zero external subprocessors for inference, data handling, or model serving. Infrastructure providers (AWS / Azure / GCP / on-prem) are not data subprocessors in our deployment; the boundary is inside your tenant. Full list on the public subprocessor page.
Contract-bound notification to named customer security contacts, typically under 12 hours from triage. Public disclosure follows our vulnerability disclosure policy and CVSS severity.
Use the security request form. Typical turnaround from inbound to artifact pack: one business day. MNDA template sent within hours of first contact.
60 minutes. Not a sales call. MNDA template sent before; artifact pack delivered after. Typical turnaround, start to pack in hand: one business day.