Security & Compliance

AI you can put in front of customers — and in front of your compliance team.

GrowTK deployments are built for enterprise procurement and regulated industries. Here's the posture behind them.

Compliance posture

Frameworks we align to today, plus the ones in active attestation work. Ask for specific artifacts under NDA.

SOC 2 Type II

Posture aligned — attestation in progress

We deploy on SOC 2 Type II certified infrastructure. Full GrowTK attestation is in progress; ask for the target date.

GDPR

Compliant

DPA template, DPIA support, EU data residency, lawful-basis documentation, and data subject request workflows.

HIPAA

BAA-supported deployments

For healthcare programs, signed BAA and HIPAA-safe architecture with logged PHI access and minimum necessary disclosure.

CCPA / CPRA

Compliant

California-specific consumer rights workflows, opt-out signals honoured, deletion and portability SLAs in place.

Technical controls

Everything that keeps your data where it's supposed to be, and keeps the wrong people out of it.

Encryption

TLS 1.2+ in transit, AES-256 at rest, and key management via your cloud KMS for enterprise deployments.

Authentication & RBAC

SSO via SAML/OIDC. Role-based access to admin, conversation logs, and configuration. End-user auth before PHI/PII disclosure.

Data residency

US, EU, UK, APAC regions. Dedicated infrastructure for enterprise. Model inference routed to regional endpoints.

Infrastructure

Hardened cloud infrastructure (AWS, GCP, Azure) with isolated tenants, network segmentation, and DDoS protection.

Audit logging

Every conversation is logged with retrieval sources, tool calls, and policy evaluations. Exportable on demand.

Vulnerability management

Continuous scanning, patch SLAs, coordinated vulnerability disclosure via security.txt, and regular third-party pen testing.

AI-specific governance

Security for AI isn't just infrastructure. Here's how we keep the agent itself inside the lines.

Constitutional policy layer

Every agent is bounded by a written constitution describing what it can and cannot do. Policies are enforced at the reasoning layer, not as post-hoc filters, and are versioned in source control with change review.

Grounded responses

Retrieval-augmented generation grounds answers in your sanctioned knowledge base. Unsourced freeform outputs are not part of our default deployment pattern for customer-facing use.

Escalation routing

Low-confidence, policy-sensitive, and VIP conversations route to humans with full context. Escalation paths are explicit and measured — we don’t hide handoffs inside the agent.

Red-team evaluation

Before production traffic, every agent is red-teamed against a scripted set of adversarial prompts, jailbreak attempts, and policy edge cases. Results are documented and reviewed with the customer.

Reporting a vulnerability

Responsible disclosure is welcome. Email security@growtk.co with scope, reproduction steps, impact, and any proof-of-concept code. Our policy and canonical details are in /.well-known/security.txt.

We aim to acknowledge reports within 48 hours and provide progress updates every 7 days until resolution.

Security & Compliance — FAQs

Procurement, InfoSec, and privacy teams ask these questions most often.

SOC 2 Type II posture (we run on SOC 2 Type II certified infrastructure and can pass through attestation), GDPR, HIPAA for healthcare deployments with a signed BAA, and state-specific consumer-lending and insurance frameworks where applicable. For enterprise procurement we provide SIG/CAIQ responses, DPAs, and DPIAs as standard deliverables.

Need to see our security artifacts?

We share SOC 2 reports, DPA, BAA, SIG/CAIQ responses, and recent pen test results under NDA. Start by booking a call.
