Procurement & Security Pack
Everything your security, legal, and procurement teams need to evaluate and approve ReadingMinds, consolidated in one place.
At a glance:
Voice recordings stored: None. Transcripts and derived signals only.
Data encryption: AES-256 at rest, TLS 1.2+ in transit.
Data location: AWS US-East (Virginia, USA).
AI model training on your data: Never. Your data stays yours.
Start Here
Procurement Checklist
Follow these steps to complete your security review. Each step links to the relevant documentation; the whole pack is also available as a single PDF.
Review Security & Compliance
Available. SOC 2 Type II audit and GDPR compliance program in progress via Vanta; HIPAA safeguards in place; ISO 27001 on roadmap. Covers encryption, access controls, and data handling practices.
Review Data Processing Agreement
Available. Data controller/processor roles, scope of processing, storage, retention, international transfers, and security measures.
Review Security Architecture
Available. Zero-trust architecture, data flow from respondent to insights, encryption layers, tenant isolation, and 24/7 monitoring.
Review Data Retention Policy
Available. Retention schedule by data type, client overrides (1–36 months), automatic cleanup, and secure erasure. No voice audio is stored.
Review Subprocessors List
Available. Five vetted subprocessors, each with purpose, data scope, and hosting location. 30-day advance notice before any change.
Review Incident Response Plan
Available. Seven-step IR process, severity levels with response-time SLAs (15 minutes to 24 hours), and 72-hour client notification per GDPR.
Complete Security Questionnaire
Available. Use the answer bank below to pre-populate your internal security review; the 15 most common questions are pre-answered.
Execute DPA
On request. Contact us to execute a Data Processing Agreement. Custom DPA terms are available for enterprise clients.
Security Questionnaire Answer Bank
Pre-written answers to the 15 most common security questionnaire questions. Copy these directly into your internal review forms.
Do you store voice recordings?
No. Audio streams are processed in real time for transcription and emotion detection; voice recordings are never stored. Only transcripts and the derived emotion/sentiment signals are retained.
Where is data hosted?
All data is hosted on Amazon Web Services (AWS) in US-East (Virginia). The underlying AWS infrastructure carries its own SOC 2 attestation and is continuously monitored; ReadingMinds' own SOC 2 Type II audit is in progress (see Compliance & Certifications below).
What encryption do you use?
AES-256 encryption at rest and TLS 1.2+ for all data in transit. Encryption keys are managed in AWS KMS with automatic key rotation enabled.
Do you train AI models on customer data?
No. Customer interview data is never used to train AI models. It is used solely for the client's own research purposes.
What compliance certifications do you hold?
No formal certification has been completed yet. Our founding team has deep information security backgrounds, and we are actively pursuing formal certification through Vanta: a SOC 2 Type II audit and a GDPR compliance program are in progress, HIPAA safeguards are in place, and ISO 27001 is on our roadmap. Contact us for the latest status on any specific framework.
How do you handle data deletion?
Clients can request permanent deletion at any time. Production data is purged within 30 days and backups within 90 days, consistent with GDPR and CCPA deletion obligations.
Do you support SSO?
Yes. SSO via SAML 2.0 and OIDC, multi-factor authentication, and short-lived JWT session tokens.
What are your data retention defaults?
Interview transcripts: 12 months by default (client-configurable, 1–36 months). Emotion/sentiment signals: same retention as the transcript they derive from. Voice audio: not stored. System logs: 90 days.
Do you have a DPA?
Yes. The client acts as Data Controller and ReadingMinds as Data Processor. A DPA including Standard Contractual Clauses is available; request one via our contact page.
How do you handle PII?
Data is anonymized by default, and no personal identifiers are stored unless a client explicitly configures otherwise. If a respondent shares sensitive data during an interview, the AI moves on to the next question and the sensitive content is stripped from the retained transcript.
What is your incident response process?
Seven-step process: Detection; Triage (within 15 minutes); Containment; Investigation; Notification (affected clients notified within 72 hours, per GDPR); Remediation; Post-Incident Review.
Who are your subprocessors?
AWS (hosting), Salesforce (CRM), ZoomInfo (B2B intelligence), Clay (data enrichment), Stripe (payments). The full list, with data scope and hosting location for each, is at readingminds.ai/trust/subprocessors. 30-day advance notice before any change.
What access controls are in place?
Role-based access control (RBAC), least-privilege defaults, MFA for all internal systems, VPN-only production access, and comprehensive audit logging retained for 12+ months.
Do you conduct penetration testing?
Yes. Regular third-party penetration testing and vulnerability assessments. Findings are remediated on a risk-prioritized basis.
What is your data location?
All data is stored in AWS US-East (Virginia). EU transfers are governed by the Standard Contractual Clauses in our DPA.
Compliance & Certifications
The following frameworks make up our compliance roadmap; several are currently in progress. Contact us for the latest status.
SOC 2 Type II: In progress
GDPR (EU): In progress
CCPA (California): In progress
HIPAA: Safeguards in place
ISO 27001: Planned
Ready to Start the Security Review?
Download the full pack, share it with your security and legal teams, and reach out when you're ready to execute a DPA.