Evidence, not assurances. Signed, timestamped, under NDA.
The artifact pack your security and legal teams need — SOC 2 Type I and II, penetration-test summary, DPA, SIG-CORE, data-flow diagram, subprocessor list. Delivered under mutual NDA on Day 01 of review.
The paperwork your security review already asks for.
Nine documents, delivered as a single pack under mutual NDA. Day 01 of review. Updated quarterly; version-pinned to the release you're evaluating.
Three are public — DPA template, subprocessor list, and vulnerability disclosure policy. The other six route through the security review form and an MNDA template we send back within hours.
| # | Artifact | Version / period | Access | Delivered |
|---|---|---|---|---|
| 01 | SOC 2 Type II report (trust services criteria: security, availability, confidentiality) | FY2026 · annual | MNDA | within 1 biz day |
| 02 | SOC 2 Type I report (point-in-time · historical) | 2025 | MNDA | within 1 biz day |
| 03 | Third-party pen-test summary (full scope + remediation) | v2026.q1 | MNDA | within 1 biz day |
| 04 | Pen-test CVSS remediation log (rolling · per-release · SLA-bound) | rolling | MNDA | within 3 biz days |
| 05 | Data-processing addendum / DPA (controller → processor · no subprocessors) | template | public | PDF · preview |
| 06 | SIG-CORE questionnaire (completed · Shared Assessments framework) | 2026 · q2 | MNDA | within 3 biz days |
| 07 | Data-flow diagram (per-deployment · signed) | v2026.4 | MNDA | within 1 biz day |
| 08 | Subprocessor list (0 external subprocessors · infra providers listed) | 2026 · q2 | public | PDF · preview |
| 09 | Vulnerability disclosure policy (scope · safe-harbor · contact) | public | public | PDF · preview |
Six operational facts. One contract.
The question legal asks on call one is never "are you SOC 2." It is "what is the contractual treatment of our data." These six answers map one-to-one to DPA clauses.
Every row is operational — observable in the deployment, enforceable in the contract, falsifiable in audit.
No candidate data leaves your VPC.
ATS / HRIS read-through only; no replication to Nodes-side storage; no vendor-owned copy of PII, résumés, or interview audio.
You set the clock.
Customer-configurable retention. Default is 7 years to match decision-trace reproducibility. Hard-delete workflow signed and logged on request.
No training on your data without written consent.
Model retrains are per-customer, in-VPC, on customer-consented data only. No cross-tenant pooling. No shared foundation updates from your corpus.
Revoke keys. Inference stops.
Customer-held KMS — AWS KMS, Azure Key Vault, GCP KMS, HashiCorp Vault. Revocation is a contract-bound kill-switch, not a support ticket.
SSO / SCIM-gated. Tied to your HRIS.
Okta, Azure AD, Ping, Google Workspace. Group-mapped RBAC. SCIM deprovisioning removes admin access within one hour of an HRIS termination event.
Every event hashed. Streamed to your SIEM.
Scoring, admin, and retrain events are hashed and streamed to a customer-owned sink — Splunk, Datadog, or equivalent. Signed decision traces reproducible seven years out.
It runs in your VPC. That's the control.
Controls are implemented in the deployment, not bolted on in policy. For the full boundary manifest, model supply chain, and deployment targets — see Architecture.
Certified on SOC 2. Operationally aligned to everything else.
One held certification, many operating postures. Every row below states Nodes' actual relationship to that framework — not the customer's. Your own program covers the deployment; we provide the controls and artifacts it depends on.
We do not claim HIPAA, FedRAMP, ISO 27001, HITRUST, NERC CIP, ITAR, CMMC, IL4, IL5, or StateRAMP as Nodes-held. We do not list any as "in progress." This matrix is the whole story.
| Framework | Nodes relationship | What that means in practice |
|---|---|---|
| SOC 2 Type II | Certified · annual | Third-party audit report covering security, availability, and confidentiality. Renewed annually. Available under MNDA. |
| SOC 2 Type I | Certified · historical | Initial point-in-time attestation, superseded operationally by Type II. Available under MNDA. |
| Third-party penetration testing | Assessed · per-release + annual | Contracted tests on every major release plus annual scope. CVSS-tiered remediation SLAs, contractually committed. |
| GDPR · CCPA | Operationally aligned | Controller / processor DPA templates with no external subprocessors. DSARs land in customer HRIS, not ours. |
| HIPAA | Operationally aligned · customer-certifiable | Technical controls match Security Rule. Customer's own HIPAA program covers the deployment; we do not hold or claim HIPAA certification. |
| NYDFS Part 500 · NAIC MDL-671 | Operationally aligned · insurance | Controls map to NYDFS / NAIC; carrier's own program covers use. Live in insurance deployments today. |
| ISO 27001 · ISO 27701 | Not held | SOC 2 is the attestation we maintain. ISO available on customer request via a third-party bridge audit, not a Nodes-side certification. |
| ITAR · EAR · CMMC Level 2 | Not in scope | Requires air-gapped deployment and cleared-personnel program. Available on engagement, not certified by Nodes. |
| FedRAMP · StateRAMP · FISMA | Not in scope | No current FedRAMP authorization. Not claimed as "in progress." Federal engagements run under customer ATO, not Nodes-held. |
| NERC CIP v7 · TSA SD | Not in scope | Energy-sector deployments run under the customer's own CIP program. Nodes provides boundary controls; certification sits with the customer. |
| HITRUST · HITECH | Not held | Not maintained as Nodes-side certifications. Technical controls are HIPAA-aligned; customer's HITRUST program covers the deployment. |
A process you can read. A record you can audit.
A security program without a public incident posture is not a security program. Left: what happens when something triggers. Right: what actually has.
| Stage | Mechanism | Timing |
|---|---|---|
| Detect | 24/7 on-call · SIEM-triggered | continuous |
| Triage | P0 / P1 categorization · incident commander assigned | 1h P0 · 4h P1 |
| Notify | customer named security contacts · contract-bound | < 12h typical |
| Public disclosure | VDP process · CVE filing if applicable | per-CVSS SLA |
Five questions your procurement team will ask.
Architecture carries the long-form engineering questions. These five are the ones that come up in the first call with a security reviewer. Short answers — because these are short questions.
"Can I see the SOC 2 Type II report before we sign?"
Yes — under mutual NDA, delivered within one business day of a signed MNDA. The Type I report, pen-test summary, and data-flow diagram ship in the same pack.
"Do you hold HIPAA, FedRAMP, or ISO 27001?"
SOC 2 Type I and II only. HIPAA alignment is operational — your own HIPAA program covers the deployment. No FedRAMP authorization, and we do not list it as "in progress." ISO is available as a bridge audit on request.
"Who are your subprocessors?"
Zero external subprocessors for inference, data handling, or model serving. Infrastructure providers (AWS / Azure / GCP / on-prem) are not data subprocessors in our deployment — the boundary is inside your tenant. Full list on the public subprocessor page.
"What's your breach disclosure SLA?"
Contract-bound notification to named customer security contacts, typically under 12 hours from triage. Public disclosure follows our vulnerability disclosure policy and CVSS severity.
"Who do I email for a security review?"
support@nodes.inc, or use the form below. Typical turnaround from inbound to artifact pack: one business day. MNDA template sent within hours of first contact.
One call with our security engineer. Then the artifact pack.
60 minutes. Not a sales call. MNDA template sent before; artifact pack delivered after. Typical turnaround, start to pack in hand: one business day.