Trust center
Everything procurement and security review needs, in one page
One stop for your CISO, your DPO, your procurement team, and your internal audit function. Every link below points at a document or a live surface that's already published. We hold what we say we hold; we don't claim certifications we don't have.
Security posture
Security overview →
Cryptographic choices, software supply chain, operational hygiene, vulnerability disclosure, certification status (honest about what we hold today vs roadmap).
Live status →
Real-time state of the marketing site, the independent verifier, the sample bundles, the source mirror, and the docs index. Operator-curated and redeployed with every change.
Threat model →
What we defend against, what we explicitly don't, and the adversary capabilities each cryptographic mechanism is designed to resist.
Known limitations →
Honest accounting of what is and isn't mitigated today. Buyers respect an honest gap assessment; we don't paper over the gaps.
Verifier integrity →
Published SHA-256 hashes of every asset on verify.carvetrace.com + recipe to rebuild from source and confirm parity.
Legal + contractual
Privacy Policy →
GDPR controller posture, zero-analytics commitment, complete sub-processor list, Schrems II Transfer Impact Assessment, retention schedule.
Terms of Service →
French law / Paris venue. Free Services vs commercial-subscription split. Liability caps. 60-day non-renewal notice. INSEE-indexed renewal CPI cap.
Data Processing Agreement →
SCCs Module 2 incorporated by reference. Annex I (description), Annex II (TOMs), Annex III (sub-processors). 48-hour breach notice. Audit clause. 30-day sub-processor change with right-to-object.
License matrix →
Per-module licensing: Apache 2.0 for the verifier + protocol + trust-roots, proprietary commercial for the SDK + CLI + UI. Includes LGPL handling for the OpenTimestamps dependency.
Certifications + framework alignment
We hold what we say we hold. Today, June 2026:
| Framework | Status | Target | Auditor |
|---|---|---|---|
| GDPR alignment | In place | Continuous | — |
| ISO/IEC 27001 | Gap-assessed | Stage-1 Q4 2026; certificate Q1 2027 | EU body, selection in progress (CertX, BSI, TÜV Süd shortlisted) |
| SOC 2 Type I | Not started | Q2 2027 (US-buyer demand) | To be selected |
| ISO/IEC 42001 | Gap-assessed | Follows ISO 27001 | Same body as ISO 27001 (preferred) |
| EU AI Act (provider obligations) | Not applicable to Aryamind | — | — |
| DORA (CTPP designation) | Unlikely to apply | Self-hosting model | — |
Aryamind itself is not a provider of a high-risk AI system, so the AI Act's provider obligations don't apply to us: we are the evidence layer for our customers' high-risk AI systems. Self-hosted deployment means CarveTrace is rarely a Critical ICT Third-Party Provider under DORA's formal designation. The Enterprise tier still ships with a DORA-fit pack (risk profile, sub-processor list, exit-plan documentation).
Vendor questionnaires
We respond to CAIQ, SIG, and bespoke questionnaire formats within 5 business days. The fastest path is to email your questionnaire to security@aryamind.com; we return it filled in. For repeat asks, common answers are pre-published:
- Where does customer data reside? On the customer's infrastructure. CarveTrace is self-hosted across every tier. We never host customer data.
- Sub-processors: Cloudflare (static hosting), OVHcloud (business email), GitHub (open-source code mirror + commercial code privately hosted). Detail in the DPA Annex III.
- Encryption at rest: AES-256 on all Aryamind-side systems holding customer-correlated data; customer-side is the customer's choice.
- Encryption in transit: TLS 1.2+ minimum, TLS 1.3 preferred, on every interface.
- MFA: Mandatory for all Aryamind personnel on all identity providers.
- Breach notification: 48 hours per the DPA — tighter than the GDPR's 72-hour regulator floor.
- Pen-testing: Annual third-party penetration test on the verifier surface and the commercial software release. Remediation tracked publicly in the relevant repository's SECURITY.md.
- Right to audit: Granted under the DPA, see /legal/dpa Section 10. We satisfy the right via our most recent third-party assessment + written questionnaire by default; on-site audits available with 30 days' notice.
Open-source posture
Three things are Apache 2.0 today: the verifier libraries (Java + Rust/WASM), the protocol definitions, and the trust-anchor metadata. The producer-side SDK + adapters + CLI + UI are commercial. The full matrix lives at LICENSING.md.
We chose this split deliberately: the verifier is the load-bearing piece for our buyers' "evidence survives the vendor" guarantee, so it has to be auditable and forkable. The producer side is where our commercial value lives. Both can stand alone.
Disclosure + reporting
- Vulnerability disclosure: Send reports to security@aryamind.com. PGP key on request from the same address. We acknowledge within 2 business days, triage within 5, default 90-day disclosure timeline. Detail in the Security page.
- Data subject rights requests: Send to privacy@aryamind.com. We respond within one month per Art. 12(3) GDPR. Customer-side requests are routed via the Customer per the DPA.
- Commercial inquiries: contact@carvetrace.com. Structured intake at /contact.
- Legal: legal@aryamind.com.
- Licensing inquiries: licensing@aryamind.com.
Need the trust center as a one-page PDF for a procurement file? Hit Ctrl+P on this page and save as PDF. The stylesheet is print-friendly.
Talk to procurement →