Everything your security, legal, and procurement teams need to evaluate and approve ReadingMinds, consolidated in one place.
Voice Recordings Stored: None (transcripts + signals only)
Data Encryption: AES-256 + TLS 1.2+ (at rest and in transit)
Data Location: AWS US-East (Virginia, USA)
AI Model Training: Never (your data stays yours)
Start Here
Follow these steps to complete your security review. Each links to the relevant documentation. Or download everything as a single PDF above.
SOC 2 Type II + GDPR in progress via Vanta. HIPAA safeguards in place. ISO 27001 on roadmap. Encryption, access controls, and data handling practices.
Data controller/processor roles, scope of processing, storage, retention, international transfers, and security measures.
Zero-trust architecture, data flow from respondent to insights, encryption layers, tenant isolation, and 24/7 monitoring.
Retention schedule by data type, client overrides (1–36 months), automatic cleanup, and secure erasure. No voice audio stored.
Five vetted subprocessors with purpose, data scope, and hosting location. 30-day advance notice before any changes.
Seven-step IR process, severity levels with response time SLAs (15 min to 24 hrs), and 72-hour client notification per GDPR.
Use our answer bank below to pre-populate your internal security review. 15 common questions pre-answered.
Contact us to execute a Data Processing Agreement. Custom DPA terms available for enterprise clients.
Pre-written answers to the 15 most common security questionnaire questions. Copy these directly into your internal review forms.
No. Audio streams are processed in real-time for transcription and emotion detection. Voice recordings are never stored. Only transcripts and derived emotion/sentiment signals are retained.
All data is hosted on Amazon Web Services (AWS) in US-East (Virginia). Infrastructure is SOC 2 certified with continuous monitoring.
AES-256 encryption at rest. TLS 1.2+ for all data in transit. Encryption keys managed via AWS KMS with automatic rotation.
No. Customer interview data is never used to train AI models. Data is used solely for the client's research purposes.
Our founding team has deep information security backgrounds, and we are actively pursuing formal certification through Vanta. SOC 2 Type II and GDPR certification are in progress; HIPAA safeguards are in place; ISO 27001 is on our roadmap. Contact us for the latest status on any specific certification.
Clients can request permanent deletion at any time. Production data purged within 30 days, backups within 90 days per GDPR/CCPA requirements.
Yes. SSO via SAML 2.0 and OIDC, plus multi-factor authentication and JWT tokens with short expiry windows.
Interview transcripts: 12 months (configurable 1-36 months). Emotion/sentiment signals: follows transcript retention. Voice audio: not stored. System logs: 90 days.
Yes. The client acts as Data Controller, ReadingMinds as Data Processor. DPA with Standard Contractual Clauses available. Reach out via our contact page to request one.
Data is anonymized by default. No personal identifiers are stored unless explicitly configured. If sensitive data is shared during an interview, the AI automatically moves to the next question and strips it out.
Seven-step process: Detection, Triage (within 15 min), Containment, Investigation, Notification (within 72 hours per GDPR), Remediation, Post-Incident Review.
AWS (hosting), Salesforce (CRM), ZoomInfo (B2B intelligence), Clay (data enrichment), Stripe (payments). Full list at www.readingminds.ai/trust/subprocessors. 30-day notice before changes.
Role-based access control (RBAC), least-privilege defaults, MFA for all internal systems, VPN-only production access, comprehensive audit logging retained 12+ months.
Yes. Regular third-party penetration testing and vulnerability assessments. Findings remediated on a risk-prioritized basis.
All data stored in AWS US-East (Virginia). EU transfers governed by Standard Contractual Clauses in our DPA.
The following certifications represent our compliance roadmap. Several are currently in progress. Contact us for the latest status.
SOC 2 Type II: In Progress
GDPR (EU): In Progress
CCPA (California): In Progress
HIPAA: Safeguards in Place
ISO 27001: Planned
Download the full pack, share it with your security and legal teams, and reach out when you're ready to execute a DPA.