Trust, security & compliance

Built for regulated environments.

The answers to the security questionnaire your CISO is going to send. Certifications, AI governance, sub-processor list, audit posture — surfaced here instead of buried in a 200-row spreadsheet.

01CERTIFICATIONS

What we hold, and what we build toward.

ISO 9001 is certified today. The frameworks below describe the controls we engineer and operate to — we are not certified against them and do not claim to be.

STATUS · Certified

ISO 9001

Quality management system — currently certified.

STATUS · Aligned · not certified

ISO 27001

Our information-security program is built in accordance with ISO 27001 controls; we are not certified and do not claim to be.

STATUS · Aligned · not certified

SOC 2 Type II

Controls designed to the SOC 2 trust-services criteria; no attestation report yet.

STATUS · Aligned · not certified

ISO 42001

AI management system engineered to ISO 42001 controls; we are not certified and do not claim to be.

02SECURITY PRACTICES

The day-to-day discipline.

Encryption in transit (TLS 1.3) and at rest on every system
MFA enforced on every internal account and customer-facing console
Vendor due-diligence policy with annual reassessment for critical sub-processors
Documented incident response runbook with named on-call owners
Background-checked practitioners on every regulated-industry engagement

03AI GOVERNANCE

How we run AI work, on every engagement.

EU AI Act readiness — risk classification, technical documentation, post-market monitoring
NIST AI RMF alignment on every AI engagement (govern, map, measure, manage)
Internal AI use policy — what we use, what we log, what we never share
Model risk register maintained per engagement; signed by client risk owner

04SERVICE LEVELS

How we commit to keeping AI in production.

For Managed AI engagements, our service levels are contractual — not best-effort. The on-call, the response and resolution targets, and the new-workflow cadence are written into the retainer and reported every month.

Three SLA tiers — bronze (business hours), silver (24×5), gold (24×7) — each with defined response, resolution, and new-workflow commitments, published per engagement.
On-call ownership within 30 days of onboarding a client-built stack — one rotation, one runbook, one phone number across the AI surface.
Monthly SLA report against committed targets, plus a quarterly business review against the shared roadmap.
A 90-day handoff window built into every contract — we document, train, and exit cleanly if you ever choose to leave.

05SUB-PROCESSORS

Who we use to run this site.

For client engagements, the sub-processor list is engagement-specific and shared in the DPA. Below is the canonical list for maverin.com itself.

Provider	Purpose	Region
Vercel	Hosting + edge runtime	Multi-region (iad1, cdg1)
Vercel Web Analytics + Speed Insights	Cookieless aggregate page analytics + real-user Web Vitals	Multi-region
Resend	Transactional email (contact form)	EU/US
Cloudflare	Turnstile bot protection (cookieless)	Global

Need a security review or DPA? Reach out — security@maverin.com for security disclosures, info@maverin.com for everything else.

Read the DPA

What we hold, and what we build toward.

ISO 9001 is certified today. The frameworks below describe the controls we engineer and operate to — we are not certified against them and do not claim to be.

STATUS · Certified

ISO 9001

Quality management system — currently certified.

STATUS · Aligned · not certified

ISO 27001

Our information-security program is built in accordance with ISO 27001 controls; we are not certified and do not claim to be.

STATUS · Aligned · not certified

SOC 2 Type II

Controls designed to the SOC 2 trust-services criteria; no attestation report yet.

STATUS · Aligned · not certified

ISO 42001

AI management system engineered to ISO 42001 controls; we are not certified and do not claim to be.

The day-to-day discipline.

Encryption in transit (TLS 1.3) and at rest on every system

MFA enforced on every internal account and customer-facing console

Vendor due-diligence policy with annual reassessment for critical sub-processors

Documented incident response runbook with named on-call owners

Background-checked practitioners on every regulated-industry engagement

How we run AI work, on every engagement.

EU AI Act readiness — risk classification, technical documentation, post-market monitoring

NIST AI RMF alignment on every AI engagement (govern, map, measure, manage)

Internal AI use policy — what we use, what we log, what we never share

Model risk register maintained per engagement; signed by client risk owner

How we commit to keeping AI in production.

Three SLA tiers — bronze (business hours), silver (24×5), gold (24×7) — each with defined response, resolution, and new-workflow commitments, published per engagement.

On-call ownership within 30 days of onboarding a client-built stack — one rotation, one runbook, one phone number across the AI surface.

Monthly SLA report against committed targets, plus a quarterly business review against the shared roadmap.

A 90-day handoff window built into every contract — we document, train, and exit cleanly if you ever choose to leave.

Who we use to run this site.

For client engagements, the sub-processor list is engagement-specific and shared in the DPA. Below is the canonical list for maverin.com itself.

Provider	Purpose	Region
Vercel	Hosting + edge runtime	Multi-region (iad1, cdg1)
Vercel Web Analytics + Speed Insights	Cookieless aggregate page analytics + real-user Web Vitals	Multi-region
Resend	Transactional email (contact form)	EU/US
Cloudflare	Turnstile bot protection (cookieless)	Global