Trust Center for AI Security Work
How we handle client evidence, AI usage, contracts, subprocessors, and public claims.
Human-reviewed, scoped, and evidence-controlled engagements. Assessment artifacts can be redacted, retained, or packaged for buyer review according to the SOW and evidence-handling rules.
Procurement Fast Path
Get to yes without waiting on every process sequentially
Start no-cost, move legal and procurement in parallel, and convert to a fixed-fee SOW only after approval. Contract documents auto-populate from your scope intake.
NDA-first scoping
Mutual NDA before anything is shared. Confidentiality and evaluation purpose only.
No-cost scoping retainer
$0 fees, no obligation, access boundaries, and a draft review plan. Not free consulting.
Fixed-fee launch SOW
First findings in 5 business days; launch-ready in 5–10. Auto-filled from your intake.
Evidence handling & claims
Redaction defaults, retention, and claim-readiness review for public-safe evidence.
Trust Snapshot
What exists, what does not, and what it means.
NDA
Available: Mutual NDA for discovery and delivery.
DPA
Available: For enterprise and client scopes where customer or personal data is in scope.
SOW Template
Available: Used to define systems, artifacts, deliverables, dates, access, and acceptance criteria.
Assessment Terms
Available: Scope, authorization, evidence use, testing limits, retesting, and reliance limits.
AI Red Team Rules of Engagement
Available: Required for adversarial testing and abuse-path work.
Evidence Handling Policy
Available: Collection, redaction, storage, retention, deletion, and publication boundaries.
Data Retention & Redaction Policy
Available: Post-engagement cleanup, deletion requests, and legal-hold boundaries.
AI model training on customer data
Not authorized: Customer content is not authorized for provider model training.
Human review for client deliverables
Required: Deliverables, public claims, scorecards, and attestations require qualified human review.
Vulnerability disclosure
Available: Reports acknowledged within 48 hours.
Paid bug bounty
Not currently: Recognition only at this stage.
Formal SOC 2 / ISO certification
Not currently held: Controls are documented honestly; no overclaiming certification status.
Subprocessors
Listed: Infrastructure, storage, analytics, communications, and AI providers are disclosed.
Security Review Attestation
Available after scoped engagement: Public-safe summary, not a formal audit, certification, warranty, or exhaustive assurance.
Enterprise Review
The review questions this Trust Center answers.
The point is not to publish a wall of policy text. It is to show how scoped, evidence-backed, human-reviewed AI security work can be shared with your product, legal, procurement, and sales teams.
Client Evidence Handling
Architecture diagrams, prompts, traces, screenshots, request/response samples, tool-call logs, test notes, remediation artifacts, questionnaire drafts, and evidence packs are handled as scoped engagement evidence.
AI Usage in Client Work
AI may assist analysis, drafting, summarization, code review, test generation, retrieval, and platform workflows. It does not replace human judgment, legal conclusions, certification decisions, vulnerability status decisions, or security sign-off.
Security Practices
Encryption, MFA, least-privilege access, dependency scanning, incident response, vendor review, secure SDLC, and AI-specific checks are documented with honest disclosure on certifications held versus not currently held.
Legal & Procurement Docs
NDA, SOW, DPA, commercial addendum, assessment terms, red-team ROE, evidence handling, retention, and publication policies are organized for procurement and legal review.
Claim-Readiness & Public Evidence
We help teams distinguish what can be said publicly, what requires caveats, what should stay internal, and what must not be claimed. This is core to buyer-facing AI security evidence.
Vulnerability Disclosure
Report client portal authorization bypass, evidence pack exposure, assessment workflow IDOR, AIPSA badge or attestation forgery, prompt/evidence leakage, and unauthorized artifact access.
Subprocessors
Infrastructure, analytics, email, storage, authentication, and AI model providers are listed with their purpose, data categories, and AI training boundaries.
Research & Sponsorship Independence
Sponsors do not influence methodology, scoring, findings, chart outputs, citation selection, or editorial conclusions. Sponsor access does not include raw private datasets.
Evidence Intake
What you can safely share with us.
Sensitive AI/product-security work often needs diagrams, prompts, traces, logs, screenshots, tickets, and findings. The safest path is to scope first, use NDA/SOW/DPA when needed, and avoid sending secrets or regulated data through public channels.
Usually OK after scoping/NDA
- architecture diagrams
- AI workflow descriptions
- redacted prompts
- sample traces
- sanitized screenshots
- security questionnaires
- control evidence
- policy excerpts
- test plans
- ticket or backlog examples
Restricted — do not send through public forms
- production secrets
- raw customer PII
- credentials or tokens
- full production logs
- regulated data
- private customer communications
- unredacted employee or customer records
Share restricted material only if explicitly required, authorized, and covered by the applicable SOW, DPA, ROE, and secure-channel instructions.
Never send through public forms
- passwords
- API keys
- access tokens
- government IDs
- payment card data
- patient or health data
- raw secrets
- third-party exploit payloads outside your ownership
Trust Evidence Flow
How sensitive evidence moves through our work.
We keep four lanes separate: client evidence, AI processing, delivery outputs, and public claims. That separation makes the work usable for security review without turning private findings into unsafe marketing language.
Client Evidence
Diagrams, logs, prompts, screenshots, traces, tickets, findings, and questionnaire drafts.
AI Processing
Minimization, redaction, approved tools, provider review, and human review.
Delivery Outputs
Findings, evidence packs, attestations, answer banks, scorecards, and remediation plans.
Public Claims
Claim labels, caveats, sponsor separation, publication review, and client approval where required.
Procurement Paths
Start from the engagement, not the document list.
AI Launch Security Review
1. No-Cost Scoping Retainer
2. Mutual NDA
3. Technical Access Checklist
4. AI Launch Review SOW
5. Assessment Terms Addendum
6. Evidence Handling Policy
7. DPA if customer/personal data is in scope
8. ROE only if active adversarial testing is included
RAG / Knowledge System Review
1. No-Cost Scoping Retainer
2. Mutual NDA
3. RAG/Knowledge System SOW
4. Assessment Terms Addendum
5. Evidence Handling Policy
6. DPA if customer/personal data is in scope
Connector Security Review
1. No-Cost Scoping Retainer
2. Mutual NDA
3. Connector Review SOW
4. Assessment Terms Addendum
5. Evidence Handling Policy
SSO / SCIM Enterprise Onboarding
1. Mutual NDA
2. Enterprise Onboarding SOW
3. DPA
4. Evidence Handling Policy
5. Data Retention & Redaction Policy
AI Product Security Assessment
1. Mutual NDA
2. Scoped Services Framework
3. SOW Template
4. Assessment Terms Addendum
5. DPA if customer/personal data is in scope
6. Evidence Handling Policy
AI Red Team & Adversarial Testing
1. Mutual NDA
2. SOW Template
3. AI Red Team Rules of Engagement
4. Assessment Terms Addendum
5. Evidence Handling Policy
6. Security Review Attestation after completion
Agentic Workflow Security & Hardening
1. Mutual NDA
2. SOW Template
3. Assessment Terms
4. Evidence Handling Policy
5. Data Retention & Redaction Policy
AI Security Sales Enablement
1. Mutual NDA
2. SOW Template
3. Evidence Handling Policy
4. Publication & Claim-Readiness Policy
5. Security Review Attestation / Evidence Pack
AI Governance & Security Program Build
1. Mutual NDA
2. Scoped Services Framework
3. DPA if needed
4. Commercial Services Addendum
5. Evidence Handling Policy
6. Publication & Claim-Readiness Policy
Claim-Readiness Discipline
Claims that stay inside the evidence.
Claim-readiness gives sales, legal, security, and product teams a shared language for deciding what can be reused externally after an engagement. Attestations, scorecards, badges, answer banks, and evidence packs are scoped to reviewed artifacts; they are not formal audit certifications or security warranties.
Public-ready
Supported by scoped evidence, caveats, and review.
Public with caveat
Usable externally only with scope limits and careful wording.
Internal only
Useful for delivery, strategy, or remediation but not external reuse.
Do not claim
Too speculative, too sensitive, or not sufficiently evidenced.
Research & Sponsorship Independence
Research independence remains intact, but it is not the first buyer question.
For public research, job-description intelligence and aggregate benchmarks remain governed by sponsor separation, public-safety rules, and caveats. Sponsors can support distribution or production; they do not control methodology, scoring, findings, chart outputs, citation selection, or editorial conclusions.
- Sponsored materials are labeled.
- Sponsor access does not include raw private datasets.
- Aggregate research is not proof of an individual company's security maturity.
- Psychometric scores reflect role-language signals, not personality diagnoses.
- GitHub references are ecosystem signals, not endorsements.
Strategic Diligence Materials
Strategic diligence materials are separate from the customer Trust Center. They are provided only when relevant to partner, investor, acquisition, or strategic review discussions and do not change the customer evidence-handling, procurement, or assessment terms.
Next Step
Start with no-cost scoping so scope, authorization, and evidence handling are defined before paid work begins.
Start with no-cost scoping so scope, authorization, evidence handling, AI processing, legal/procurement path, and public-claim boundaries are defined before paid work or testing begins.