Security & posture

Security posture for Teranode.

What a vendor evaluator (CCO, IT, security review) needs to know before approving Teranode for use inside a regulated firm. This page is the answer to questions that typically arrive in a SIG or CAIQ. The deeper trust posture is at /trust; the policy + sub-processors are below.

01

Status.

  • SOC 2 Type II — in progress. Engagement scoped; auditor selection in progress. Target completion window communicated under NDA.
  • No certifications overstated. If a control is implemented but not yet attested, this page says so. If the audit is not yet engaged, this page says so. We do not represent that we hold a certification we have not been issued.
  • Penetration test. Pre-seed: not yet engaged. On the post-funding roadmap.

02

Sub-processors.

Third parties that process customer data in the course of delivering the Council. Each is bound by its own DPA. The full sub-processor list with purpose-of-processing is on /trust.

  • OpenRouter — model routing and inference orchestration
  • Anthropic, OpenAI, Google, xAI, DeepSeek — frontier model providers (via OpenRouter)
  • Vercel — hosting + serverless compute
  • Neon — managed Postgres (eval store, opt-in scenarios)
  • Groq — voice transcription (whisper-large-v3) on the demo surface

03

Controls posture.

Controls are aligned to SIG and CAIQ frameworks. Highlights:

  • Data minimization. By default no scenario text is persisted server-side. Opt-in capture is required for eval scenarios; explicit consent is recorded on the record.
  • No customer data in model training. Every provider relationship is contracted with zero-retention terms (Anthropic, OpenAI, xAI, Google, DeepSeek via OpenRouter; verified via OpenRouter contracted policy).
  • Rate limiting at the function. 10 requests per minute per IP on the Council demo surface; 30 per minute on the transcription surface. Cost-DoS defense.
  • IP audit projection. API responses are projected to a public schema before return — no internal metadata leaks to the client.
  • Authentication. Admin surfaces are gated by HMAC-style signed cookies. Examples surface gated by shared password (single-shared until per-investor tokens ship post-funding).

04

Incident response.

No security incidents to date. The founder is the on-call contact pre-funding; post-funding the incident response rotation moves to a fractional security engineer or full security hire. Incidents are disclosed to affected parties within 72 hours of detection per GDPR-style timing expectations.

05

Vulnerability disclosure.

Email security@teranode.ai with details, reproduction steps, and the impact you observed. We respond within 5 business days. We do not pursue legal action against good-faith security researchers acting under standard responsible-disclosure timelines.

06

Vendor due-diligence packet.

For RIA, broker-dealer, or family-office vendor reviews, request the standard DD packet (SIG response, sub-processor list, DPA template, sample MSA, security architecture summary): founders@teranode.ai.

For broader trust context (governance, regulatory posture, founder bio), see /trust. For the methodology behind Council quality claims, see /methodology.