SOC 2 Type I in audit (Q4 2026) · SOC 2 Type II (Q2 2027) · ISO 27001 planned (2027) · 26 published policies · Closed-by-default

Closed-by-default architecture

The Oushvaa platform does not run a free public API, does not publish anonymous datasets to the open web, and does not expose entity records to unauthenticated traffic. Every endpoint requires an API key, a verified session, or institutional academic-program authentication. Premium intelligence stays premium. The data boundary is the same as the trust boundary.

This posture is deliberate. AI-era data products that publish openly are training-set fodder for downstream LLM ingestion — their data ends up answered through ChatGPT or Claude before customers visit. We've taken the opposite position: closed-by-default lets us license selectively (to AI labs under controlled commercial terms in Year 2-3), grant verified academic access (under attribution-required terms from 2027), and price for value (subscriptions reflect the exclusivity).

Compliance roadmap

BiologicsIQ leads the family compliance cycle. The SOC 2 Type I audit (a point-in-time assessment of control design) takes place in Q4 2026; the Type II observation window, which assesses whether those controls operated effectively over a period, opens at the same time, with the Type II report planned for Q2 2027. ISO 27001 certification follows in 2027 to support EU enterprise expansion. Subsequent products (DrugIQ, MedevIQ, Oushvaa Procure) inherit the policy library and audit-firm relationship, reducing per-product compliance lift to roughly 50% of the first cycle.

  • SOC 2 Type I — Security, Availability, Confidentiality trust services criteria. Audit firm engaged. Point-in-time audit Q4 2026.
  • SOC 2 Type II — Same trust services criteria, assessed over an observation period that opens Q4 2026. Report planned Q2 2027.
  • ISO 27001 — Planned 2027, primarily for EU enterprise customer requirements.
  • GDPR & DPDPA (India's Digital Personal Data Protection Act) — Data processing agreements available. Cross-border transfer mechanisms in place.
  • HIPAA — Not currently in scope. Platform handles no PHI. Aggregate regulator data only.

Twenty-six published policies

The policy library covers access control, asset management, change management, code review, encryption, identity and authentication, incident response, key management, secure development lifecycle, third-party risk, vulnerability management, and more. Each policy is versioned, owner-assigned, and reviewed annually. Customer security teams can request the full pack under NDA.

  • POL-001 to POL-026 — full policy set
  • RB-001 to RB-007 — operational runbooks (incident response, BCP/DR, key rotation, etc.)
  • LEG-001 MSA · LEG-002 DPA · LEG-003 Mutual NDA — legal templates
  • LEG-004 Pre-filled security questionnaire (SIG Lite / CAIQ format)
  • LEG-005 Sub-processor list — kept current, version-controlled

Sub-processors and data handling

The platform runs on a small, deliberately chosen set of sub-processors: Supabase (Postgres + auth), Vercel (workflow hosting), Cloudflare (CDN, R2 storage, DNS), Resend (transactional email), Anthropic (AI inference), Sentry (error monitoring). Each is documented in the sub-processor list with the purpose, data scope, and DPA status. Changes to the sub-processor list are versioned and notified to customers under signed contracts.

Verified Academic Program (opens 2027)

Researchers at recognized institutions will get free Pro-tier access from 2027, gated on institutional email verification (.edu, .ac.in, .ac.uk, etc.) and on attribution in any resulting publications. The first wave will be invited from AIIMS, ICMR, KMC Manipal, AIMS Kochi and JIPMER for the Indian network, plus reciprocal partnerships in the US, UK and EU. Access requires an explicit application; there is no anonymous web scraping path.

Reach the security team

Security questions, vulnerability reports, contract NDAs, sub-processor inquiries: security@oushvaa.com. We respond within 24 hours on business days. Critical vulnerability reports are acknowledged within 4 hours.