Mar 31, 2026
Trust & Compliance

Compliance

How UmamiMind aligns security, privacy, and AI governance controls with enterprise and public-sector expectations—without overstating certification status.

Compliance posture

UmamiMind is built for auditability: every agent run is attributable, governed, and exportable. We describe control intent and evidence paths; we do not claim external certification unless specifically contracted and independently verified.

  • Shared responsibility: customer configuration and data classification drive final compliance outcomes.
  • Risk-based: higher risk actions and data flows receive stronger oversight and tighter constraints.
  • Evidence-first: policies, procedures, and run telemetry are structured for review and export.

Control domains

Identity & access
RBAC, least privilege, admin action audit trails, and tenant isolation.
Data protection
Encryption in transit, configurable retention, and scoped access to customer content.
Secure SDLC
Versioned changes, reviews, and traceability between controls and shipped artifacts.
Observability
Run-level telemetry, cost/budget signals, and policy decision logs.
Incident response
Severity definitions, containment steps, and customer notification workflows.
Vendor risk
Third-party review process, subprocessor transparency, and contract-based controls.

Framework alignment (mapping, not certification)

  • ISO/IEC 27001 themes (ISMS control families and evidence expectations)
  • SOC 2 (Security, Availability) control intent and audit readiness structure
  • NIST 800-53 family mapping for public-sector procurement review
  • NIST AI RMF concepts for AI governance and model risk management

Where evidence lives
Use the Trust Center exports to retrieve policy catalogs, control narratives, and operational evidence snapshots suitable for security questionnaires and pilot closeout packages.

AI governance

Agentic systems create unique risk. UmamiMind enforces governance through policy-bound orchestration, tool allowlists, budget caps, and end-to-end traceability from prompt to tool call to outcome.

Model selection controls
Restrict providers/models by tenant, workload class, and data sensitivity. Maintain a controlled list of approved model targets.
Policy decisions are logged
Every allow/deny decision includes rationale, inputs, and constraints—exportable for review and audits.
Safety and human-in-the-loop
Route higher-risk actions through approvals, require evidence attachments, and enforce step completion rules.
Deterministic replay
Reproduce key runs for debugging, incident response, and audit evidence—with immutable run history.

Security questionnaires

We support vendor questionnaires and security reviews during pilots. Typical inputs include a control narrative, architecture overview, data flow summary, and incident response process description. Use the Trust Center exports to accelerate completion.

What we do not claim

Unless explicitly contracted and independently verified, UmamiMind does not claim SOC 2 Type II, ISO 27001 certification, FedRAMP authorization, or other external attestations. We provide alignment statements and evidence pathways to support your due diligence.
