Trust Center¶
Pauhu is built on a foundation of trust, security, and compliance. This Trust Center provides comprehensive documentation of our security practices, certifications, and policies.
Security Overview¶
-
Zero-Knowledge Architecture
Your encryption keys never leave your device. We mathematically cannot access your data.
-
Certifications
SOC 2 Type II, ISO 27001, GDPR, VAHTI ST III/IV, FedRAMP (in progress)
-
Privacy by Design
Data minimization, purpose limitation, and user control built into every feature.
-
Security Controls
421 NIST 800-53 controls implemented for FedRAMP High authorization.
Certifications & Compliance¶
Current Certifications¶
| Certification | Status | Scope | Report Available |
|---|---|---|---|
| SOC 2 Type II | ✅ Certified | Security, Availability, Confidentiality | Under NDA |
| ISO 27001:2022 | ✅ Certified | Information Security Management | Public |
| GDPR | ✅ Compliant | EU Data Protection | DPA Available |
| VAHTI ST III/IV | ✅ Certified | Finnish Government Security | Under NDA |
| EU AI Act | ✅ Compliant | Articles 52, 57-59 | Public Report |
In Progress¶
| Certification | Status | Target Date |
|---|---|---|
| FedRAMP High | 🔄 3PAO Assessment | Q2 2025 |
| StateRAMP | 🔄 Application | Q3 2025 |
| ISO 27701 | 🔄 Audit Scheduled | Q2 2025 |
| HIPAA | 🔄 BAA Available | Available Now |
Security Architecture¶
Client-Side Encryption¶
sequenceDiagram
participant User
participant Browser/SDK
participant PauhuAPI
participant Storage
Note over User,Storage: Your data is encrypted BEFORE it leaves your device
User->>Browser/SDK: Enter plaintext
Browser/SDK->>Browser/SDK: Generate keys locally
Note right of Browser/SDK: Ed25519 + AES-256-GCM
Browser/SDK->>Browser/SDK: Encrypt data
Browser/SDK->>PauhuAPI: Send encrypted payload
Note over PauhuAPI: Cannot decrypt - no keys
PauhuAPI->>Storage: Store encrypted
PauhuAPI->>Browser/SDK: Return encrypted result
Browser/SDK->>Browser/SDK: Decrypt locally
Browser/SDK->>User: Display plaintext
Note over User,Storage: Keys stored in IndexedDB - never transmittedInfrastructure Security¶
| Layer | Protection |
|---|---|
| Network | TLS 1.3, certificate pinning, DDoS protection |
| Compute | Isolated containers, no persistent storage |
| Storage | Encrypted at rest (AES-256), customer-managed keys |
| Access | SSO/SAML, MFA required, RBAC |
| Monitoring | Real-time SIEM, anomaly detection, 24/7 SOC |
Data Residency¶
| Region | Data Center Locations | Certifications |
|---|---|---|
| EU | Frankfurt, Amsterdam, Paris | GDPR, EU-US DPF |
| US | Virginia, Oregon | FedRAMP, SOC 2 |
| Nordic | Helsinki, Stockholm | VAHTI, GDPR |
| Air-Gapped | Customer premises | Customer's authority |
Privacy¶
Data Processing¶
| Data Type | Purpose | Retention | Customer Control |
|---|---|---|---|
| Translation Input | Service delivery | Encrypted, customer-managed | Full deletion on request |
| Translation Output | Service delivery | Encrypted, customer-managed | Full deletion on request |
| Usage Metrics | Billing, analytics | Aggregated, anonymized | Opt-out available |
| Audit Logs | Compliance | Configurable (30-365 days) | Export, deletion |
Privacy Principles¶
- Data Minimization: We only process data necessary for the requested service
- Purpose Limitation: Data is only used for the stated purpose
- Storage Limitation: Data is deleted when no longer needed
- User Control: You can export or delete your data at any time
- Transparency: Clear documentation of all data processing
Privacy Documents¶
- Privacy Policy
- Data Processing Agreement (DPA)
- Sub-processor List
- Cookie Policy
- GDPR Data Subject Rights
Vulnerability Management¶
Responsible Disclosure¶
We welcome security researchers to report vulnerabilities:
- Email: security@pauhu.ai
- PGP Key: Download
- Response Time: <24 hours acknowledgment, <90 days resolution
Security Advisories¶
| Date | Advisory | Severity | Status |
|---|---|---|---|
| 2025-12-01 | PA-2025-001 | Low | Resolved |
| 2025-11-15 | PA-2025-002 | Medium | Resolved |
No critical vulnerabilities have been identified in production systems.
Penetration Testing¶
- Frequency: Annual + after significant changes
- Provider: [3PAO Name] (FedRAMP accredited)
- Scope: All production systems, APIs, infrastructure
- Results: Available under NDA
Operational Security¶
Incident Response¶
| Severity | Response Time | Notification |
|---|---|---|
| Critical | <1 hour | Immediate phone + email |
| High | <4 hours | Email within 4 hours |
| Medium | <24 hours | Email within 24 hours |
| Low | <72 hours | Monthly report |
Business Continuity¶
- RTO (Recovery Time Objective): <4 hours
- RPO (Recovery Point Objective): <1 hour
- DR Testing: Quarterly
- Backup Locations: Geographically distributed
Status Page¶
Real-time system status: status.pauhu.ai
- Uptime SLA: 99.99% (Tier 2+)
- Historical uptime: 99.97% (last 12 months)
Policies¶
Security Policies¶
- Information Security Policy
- Access Control Policy
- Encryption Policy
- Incident Response Policy
- Business Continuity Policy
Compliance Policies¶
Terms¶
Request Security Documentation¶
Enterprise and government customers can request additional documentation:
- System Security Plan (SSP)
- Security Assessment Report (SAR)
- Plan of Action & Milestones (POA&M)
- Penetration Test Reports
- SOC 2 Type II Report
- ISO 27001 Certificate
Contact Security Team¶
- General Security Inquiries: security@pauhu.ai
- Vulnerability Reports: security@pauhu.ai (PGP available)
- Compliance Questions: compliance@pauhu.ai
- Enterprise Sales: enterprise@pauhu.ai