Trust Center

Everything a regulator would ask us, answered in public.

Raidu is the thing your auditors will use to verify your AI. So we hold ourselves to the same bar. This page is the source of truth. It updates when we do.

security@raidu.com
  • Uptime: 99.98% (90-day rolling)
  • Latency: 6.1 ms (checkpoint p50)
  • Incidents: 0 (last 90 days)
  • Log loss: 0 bytes (since founding)
  • Signed: 2.4 B records to date
  • Region: US · EU · SG (data residency)
Framework coverage

Eight frameworks, mapped line-by-line to the runtime.

Regulation (EU) 2024/1689

EU AI Act

● In force · enforcement 2026-08-02
| Article | Requirement | Status | Raidu control |
|---|---|---|---|
| Art. 9 | Risk management system | ● covered | Raidu records every risk classification per execution |
| Art. 10 | Data & data governance | ● covered | PII masking pre-LLM with deterministic token map |
| Art. 12 | Record-keeping | ● covered | RSA-4096 signatures, hash-chain WORM, 10y default retention |
| Art. 13 | Transparency | ● covered | Plain-English explanation attached to every decision |
| Art. 14 | Human oversight | ● covered | Approval gates with signed human ack |
| Art. 15 | Accuracy, robustness, cybersec | ● covered | Detection model: 99.2% precision, 98.6% recall |
| Art. 17 | QMS | ● covered | ISO/IEC 42001 AIMS, certification audit in progress |
| Art. 26 | Deployer obligations | ● covered | Customer-controlled policy + audit export |

45 CFR §§ 160, 162, 164

HIPAA

● BAA available on Enterprise
| Article | Requirement | Status | Raidu control |
|---|---|---|---|
| §164.308 | Administrative safeguards | ● covered | RBAC, least-privilege, signed access reviews |
| §164.310 | Physical safeguards | ● covered | Inherited data-center controls; SOC 2 Type II audit in progress |
| §164.312 | Technical safeguards | ● covered | TLS 1.3 in flight · AES-256 + envelope at rest |
| §164.316 | Documentation (6y retention) | ● covered | 10y WORM default, 6y configurable minimum |
| §164.502(b) | Minimum necessary | ● covered | Connector-scoped PHI masking (Checkpoint 03) |
| §164.514 | De-identification | ● covered | Safe Harbor + Expert Determination ready |

NIST.AI.100-1

NIST AI RMF 1.0

● Mapped · January 2023
| Article | Requirement | Status | Raidu control |
|---|---|---|---|
| Govern | Organizational policies + roles | ● covered | Per-team, per-agent, per-model policies with version |
| Map | Context of use characterized | ● covered | Use-case registration required before deployment |
| Measure | Risks quantified | ● covered | Per-checkpoint signals, drift detection, replay |
| Manage | Risks prioritized and managed | ● covered | Incident playbooks, legal hold, approval gates |

AI management system

ISO/IEC 42001

● Audit in progress · 2026
| Article | Requirement | Status | Raidu control |
|---|---|---|---|
| Cl. 6 | Planning | ● covered | Annual AI risk register, signed by CISO |
| Cl. 7 | Support | ● covered | Training, competence, documented procedures |
| Cl. 8 | Operation | ● covered | Runtime enforcement of AIMS policies |
| Cl. 9 | Performance evaluation | ● covered | Quarterly internal + annual external audit |
| Cl. 10 | Improvement | ● covered | CAPA tracked, closed with signed evidence |

TSP 100 · 2017 (rev.)

SOC 2 Type II

● Audit in progress · target July 2026
| Article | Requirement | Status | Raidu control |
|---|---|---|---|
| CC1 | Control environment | ● covered | Code of conduct, background checks, yearly training |
| CC6 | Logical & physical access | ● covered | SSO-only · MFA enforced · just-in-time admin |
| CC7 | System operations | ● covered | 24/7 on-call, runbooks, quarterly DR exercise |
| CC8 | Change management | ● covered | Two-reviewer merges · signed build provenance |
| A1 | Availability | ● covered | Multi-AZ · 99.95% SLA · failover tested monthly |
| C1 | Confidentiality | ● covered | Least-privilege · customer data tenant-isolated |

Regulation (EU) 2016/679

GDPR

● DPA + SCCs available
| Article | Requirement | Status | Raidu control |
|---|---|---|---|
| Art. 5 | Principles of processing | ● covered | Purpose-bound per policy, logged per execution |
| Art. 17 | Right to erasure | ● covered | Tenant-scoped erasure API, signed receipt |
| Art. 25 | Data protection by design | ● covered | PII masking default · opt-out requires sign-off |
| Art. 30 | Records of processing | ● covered | Execution records serve as RoPA |
| Art. 32 | Security of processing | ● covered | Encryption, pseudonymization, resiliency tests |
| Art. 35 | DPIA | ● covered | DPIA template bundled with onboarding |

Colorado AI Act

Colorado SB 24-205

● In force · 2026-06-01
| Article | Requirement | Status | Raidu control |
|---|---|---|---|
| §6-1-1703 | Duty of reasonable care | ● covered | Policy enforcement + signed explanations |
| §6-1-1704 | Risk management policy | ● covered | NIST AI RMF mapping inherited |
| §6-1-1705 | Impact assessments | ● covered | Use-case IA template · annual refresh |
| §6-1-1706 | Consumer notice | ● covered | End-user transparency card generated per execution |

Circular Letter No. 7 (2024)

NYDFS CL-7

● Guidance · banks & insurers
| Article | Requirement | Status | Raidu control |
|---|---|---|---|
| §III.A | Governance & risk management | ● covered | Board-level AI risk review quarterly |
| §III.B | Third-party risk | ● covered | Subprocessor list + SIG-Lite on request |
| §III.C | Cybersecurity | ● covered | Aligned to 23 NYCRR 500 (amended 2023) |
| §III.D | Incident notification | ● covered | 72-hour notice · signed timeline |

What a record looks like

A record an auditor can open, verify, and trust.

Every execution produces a signed document. Raidu publishes its verification public key. Anyone with the record and the key can confirm, offline, that it has not been altered. That is the bar. Not logs-in-a-bucket. Cryptographic proof.

{
  "schema":     "raidu.record/v2",
  "record_id":  "rec_01JBVX7P9A8Z8PTQJG4K9NDJ4W",
  "tenant":     "acme-corp",
  "agent":      "support-triage-v3",
  "model":      "anthropic/claude-sonnet-4.5",
  "started_at": "2026-04-21T14:02:11.041Z",
  "checkpoints": [
    { "ck":"01", "name":"user_input",    "latency_ms":2.1,
      "entities": ["EMAIL","US_SSN","CREDIT_CARD"] },
    { "ck":"02", "name":"before_llm",    "latency_ms":3.4,
      "masked": 3, "policy":"enterprise.v17" },
    { "ck":"03", "name":"before_tool",   "latency_ms":2.6,
      "tool":"gmail.send", "outbound_pii":"scoped" },
    { "ck":"04", "name":"after_tool",    "latency_ms":1.8,
      "new_entities": 0 },
    { "ck":"05", "name":"agent_response","latency_ms":2.2,
      "final_scan":"clean" }
  ],
  "policies":   ["hipaa.baa", "eu-ai-act.art10+13", "no-card-to-llm"],
  "decision":   "allow",
  "explanation":"PII masked before model. Tool call scoped. Response clean. No policy violations.",
  "prev_hash":  "b7f3…c421",
  "hash":       "e9a2…d3fa",
  "rfc3161_ts": "2026-04-21T14:02:11.051Z",
  "signature":  "MIIFxjCCA6…  (RSA-4096, 684 bytes)  …Qw=="
}
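
How an auditor could check the prev_hash / hash linkage of such records offline, as an added example that is not Raidu's verifier or its documented format. It assumes SHA-256 over sorted-key compact JSON of the record without its hash and signature fields, and an all-zero anchor for the first record; the sample records are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash for the first record in a chain

def record_digest(record):
    """SHA-256 over the record with 'hash' and 'signature' removed (assumed layout)."""
    body = {k: v for k, v in record.items() if k not in ("hash", "signature")}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def seal(body, prev_hash):
    """Producer side: link a record to its predecessor and stamp its digest."""
    record = dict(body, prev_hash=prev_hash)
    record["hash"] = record_digest(record)
    return record

def verify_chain(records, anchor=GENESIS):
    """Return (True, None) or (False, (index, reason)) for the first broken link."""
    expected_prev = anchor
    for i, rec in enumerate(records):
        if rec.get("prev_hash") != expected_prev:
            return False, (i, "prev_hash does not match preceding record")
        if rec.get("hash") != record_digest(rec):
            return False, (i, "content does not match stored hash")
        expected_prev = rec["hash"]
    return True, None

def build_sample_chain():
    """Constructed sample data; field names follow the record shown above."""
    bodies = [
        {"schema": "raidu.record/v2", "record_id": "rec_SAMPLE_0001", "decision": "allow"},
        {"schema": "raidu.record/v2", "record_id": "rec_SAMPLE_0002", "decision": "deny"},
        {"schema": "raidu.record/v2", "record_id": "rec_SAMPLE_0003", "decision": "allow"},
    ]
    chain, prev = [], GENESIS
    for body in bodies:
        rec = seal(body, prev)
        chain.append(rec)
        prev = rec["hash"]
    return chain

if __name__ == "__main__":
    chain = build_sample_chain()
    print(verify_chain(chain))                 # intact chain
    edited = [dict(r) for r in chain]
    edited[1]["decision"] = "allow"            # in-place edit of a stored record
    print(verify_chain(edited))
    print(verify_chain([chain[0], chain[2]]))  # middle record deleted
```

The chain check alone does not detect removal of the newest records, so the latest hash has to be pinned somewhere the record store cannot rewrite. Checking the signature field against the published key is a separate step that depends on the vendor's documented signing scheme.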
Security

The controls behind the runtime.

Cryptography
  • RSA-4096 signatures per record
  • AES-256-GCM at rest, envelope keys
  • TLS 1.3 in flight, mTLS between services
  • FIPS 140-3 Level 3 HSM for key material
  • RFC 3161 trusted timestamping
  • Hash-chained WORM, tamper-evident
Access & Identity
  • SSO-only (SAML / OIDC)
  • MFA enforced, WebAuthn supported
  • Just-in-time admin with approver
  • Quarterly signed access reviews
  • Tenant-scoped IAM, no cross-tenant reads
  • Public audit of Raidu employee access
Operations
  • Multi-AZ, multi-region active
  • 99.95% availability SLA on Enterprise
  • 30-day backup, 10-year WORM
  • Monthly DR exercise, annual 3rd-party audit
  • 24/7 security on-call
  • Patch SLA: Critical 24h · High 7d
Data handling
  • No training on customer data. Ever.
  • US, EU, SG data residency on request
  • Tenant isolation enforced at DB + KMS
  • Right-to-erasure API, signed receipt
  • Customer-held encryption keys (CMEK)
  • Subprocessor list, 30-day change notice
Subprocessors

Seven vendors, none on AI payloads.

Raidu's design principle is that no third party, including our own vendors, ever sees unmasked AI payloads. The infrastructure below runs the service; it does not see the substance of what crosses the runtime.

| Vendor | Purpose | Region | Onboarded |
|---|---|---|---|
| AWS | Cloud infrastructure | US-East-1, EU-West-1, AP-Southeast-1 | 2025-01-10 |
| Google Cloud | Secondary compute | us-east1, europe-west1 | 2025-03-22 |
| Datadog | Metrics + APM (no payloads) | US-1 | 2025-02-04 |
| Sentry (self-hosted) | Error reporting | Raidu VPC | 2025-02-04 |
| PagerDuty | On-call routing | US | 2025-02-04 |
| Stripe | Billing · no AI payloads | US | 2025-02-18 |
| HashiCorp Vault | Secret management | Raidu VPC | 2025-02-04 |