Oushvaa/Platform
Trust & Compliance

Built audit-grade.

The platform earns trust through architecture, not assertion. Published policies. SOC 2 in flight. ISO 27001 planned. An open, citable reference floor; premium intelligence gated.

SOC 2 Type I in audit · Q4 2026 SOC 2 Type II · Q2 2027 ISO 27001 planned · 2027 26 published policies Least-privilege by default

Open floor, gated premium

The Oushvaa platform exposes an open, citable reference floor — core catalogue records and safety data are searchable without an account. Premium intelligence, bulk and programmatic APIs, and the full corpus stay gated: those require an API key, a verified session, or institutional academic-program authentication. Premium intelligence stays premium; the deep-data boundary is the trust boundary.

This posture is deliberate. AI-era data products that publish their depth openly become training-set fodder for downstream LLM ingestion — their premium data ends up answered through ChatGPT or Claude before customers visit. So we keep the premium corpus gated: it lets us license selectively (to AI labs under controlled commercial terms in Year 2-3), grant verified academic access (under attribution-required terms from 2027), and price for value (subscriptions reflect the exclusivity).

Compliance roadmap

BiologicsIQ leads the family compliance cycle. SOC 2 Type I observation begins Q4 2026 with a Type II report planned for Q2 2027. ISO 27001 certification follows in 2027 to support EU enterprise expansion. Subsequent products (DrugIQ, MedevIQ, Oushvaa Procure) inherit the policy library and audit firm relationship, reducing per-product compliance lift to roughly 50% of the first cycle.

  • SOC 2 Type I — Security, Availability, Confidentiality. Audit firm engaged. Observation begins Q4 2026.
  • SOC 2 Type II — Same trust services, twelve-month observation. Report Q2 2027.
  • ISO 27001 — Planned 2027, primarily for EU enterprise customer requirements.
  • GDPR & DPDPA — Data processing agreements available. Cross-border transfer mechanisms in place.
  • HIPAA — Not currently in scope. Platform handles no PHI. Aggregate regulator data only.

Twenty-six published policies

The policy library covers access control, asset management, change management, code review, encryption, identity and authentication, incident response, key management, secure development lifecycle, third-party risk, vulnerability management, and more. Each policy is versioned, owner-assigned, and reviewed annually. Customer security teams can request the full pack under NDA.

  • POL-001 to POL-026 — full policy set
  • RB-001 to RB-007 — operational runbooks (incident response, BCP/DR, key rotation, etc.)
  • LEG-001 MSA · LEG-002 DPA · LEG-003 Mutual NDA — legal templates
  • LEG-005 Sub-processor list — kept current, version-controlled
  • LEG-004 Pre-filled security questionnaire (SIG Lite / CAIQ format)

Sub-processors and data handling

The platform runs on a small, deliberately chosen set of sub-processors: Supabase (Postgres + auth), Vercel (workflow hosting), Cloudflare (CDN, R2 storage, DNS), Resend (transactional email), Anthropic (AI inference), Sentry (error monitoring). Each is documented in the sub-processor list with the purpose, data scope, and DPA status. Changes to the sub-processor list are versioned and notified to customers under signed contracts.

Verified Academic Program (opens 2027)

Researchers at recognized institutions will get free Pro-tier access starting 2027, under institutional email verification (.edu, .ac.in, .ac.uk, etc.). Attribution required in publications. The first wave will be invited from AIIMS, ICMR, KMC Manipal, AIMS Kochi, JIPMER for the Indian network, plus reciprocal partnerships in US, UK, EU. Access requires explicit application — not anonymous web scraping.

Reach the security team

Security questions, vulnerability reports, contract NDAs, sub-processor inquiries: [email protected]. We respond within 24 hours on business days. Critical vulnerability reports are acknowledged within 4 hours.