Everything your security team needs.
Last updated: April 26, 2026
Poocho AI is designed for organizations that cannot afford data exposure or service disruption: regulators, banks, telecoms, and healthcare providers. This page consolidates our security, privacy, and reliability commitments in one place. For items under NDA (SOC 2 readiness report, penetration test summary, architecture deep-dives), reach out to hello@poochoai.com.
Security & compliance posture
Encryption
TLS 1.3 in transit, AES-256 at rest. Customer-managed keys (HSM/KMS) for enterprise deployments.
Access control
SSO (SAML 2.0, OIDC), role-based access control, audit trail on every admin and agent action.
Data residency
On-premise, private cloud (AWS/Azure/GCP), or sovereign cloud in PK, UAE, KSA. No cross-border transfer without consent.
PII handling
Automatic detection and redaction of PII in transcripts. Configurable retention. Right-to-erasure workflows.
SOC 2 Type II
Readiness assessment complete; Type II audit underway. Gap-analysis report available under NDA.
ISO 27001
Controls mapping complete. Formal certification planned alongside SOC 2.
HIPAA alignment
Architecture supports HIPAA technical safeguards for healthcare deployments. BAA available on request.
Regional data-protection law
Designed for PDPL (Pakistan), UAE Federal Decree-Law 45/2021, KSA PDPL, and GDPR / UK DPA.
PCI DSS SAQ D
Platform architecture supports PCI scope isolation (cardholder data can be kept out of the platform's environment). Formal SAQ D attestation is on the 2026 roadmap.
CSA STAR
Cloud Security Alliance STAR Level 2 submission planned following SOC 2 completion.
Uptime commitment
Enterprise deployments include a documented SLA in your Master Services Agreement (MSA):
- Business tier: 99.0% monthly uptime, credit on breach.
- Enterprise tier: 99.9% monthly uptime, RTO 4 hours, RPO 15 minutes.
- Mission-critical (custom): Active-active multi-region, 99.99% uptime target, executive-notified incident response.
Status and historical uptime are reported monthly to customers. Incidents affecting customer data are reported within 24 hours per the MSA.
Subprocessors
For website and marketing operations we rely on a short list of vendors. For enterprise platform deployments, the subprocessor list is defined in your deployment agreement — customer-hosted deployments have zero subprocessors.
| Subprocessor | Purpose | Data processed | Region |
|---|---|---|---|
| GitHub Pages | Website hosting | None (static site) | Global CDN |
| Formspree | Contact form delivery | Name, email, company, message | United States |
| Google Fonts | Typography | Visitor IP address (in Google's CDN request logs) | Global CDN |
| Google Analytics 4 | Aggregate traffic analytics (consent-gated) | Anonymized usage, loaded only after consent | Global |
Responsible disclosure
We welcome security research. Report vulnerabilities to hello@poochoai.com. Machine-readable contact details follow RFC 9116 at /.well-known/security.txt. We ask for 30 days to triage and remediate before public disclosure.
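A security.txt file is only useful if it stays valid: RFC 9116 makes both `Contact` and `Expires` mandatory, allows `Expires` and `Preferred-Languages` only once, and requires web URIs to use https. The validator below is an added example (not Poocho AI's code or tooling) that checks those rules against a constructed sample file; the sample's `Expires` date and the `Canonical` URL on the poochoai.com domain are assumptions for illustration, the contact address is the one published on this page.

```python
"""Check a security.txt file against the RFC 9116 rules that most often break.

Added example, not part of the Poocho AI platform or website. The SAMPLE
below is constructed: the Expires date and the Canonical URL are assumptions.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample of a /.well-known/security.txt file (Expires and
# Canonical are illustrative assumptions, Contact is from the page above).
SAMPLE = """\
# Poocho AI vulnerability disclosure contact (RFC 9116)
Contact: mailto:hello@poochoai.com
Expires: 2026-10-26T00:00:00Z
Preferred-Languages: en
Canonical: https://poochoai.com/.well-known/security.txt
"""

REQUIRED = ("Contact", "Expires")            # RFC 9116 section 2.5: MUST be present
SINGLE_USE = ("Expires", "Preferred-Languages")  # MUST NOT appear more than once
CONTACT_SCHEMES = ("mailto:", "https://", "tel:")


def parse(text):
    """Return {field name: [values]} in file order, skipping comments and blanks."""
    fields = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: not a 'Field: value' line")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def validate(text, now=None):
    """Return a list of problems; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    problems = []
    fields = parse(text)

    for name in REQUIRED:
        if name not in fields:
            problems.append(f"missing required field {name}")
    for name in SINGLE_USE:
        if len(fields.get(name, [])) > 1:
            problems.append(f"{name} must appear at most once")

    for contact in fields.get("Contact", []):
        if not contact.startswith(CONTACT_SCHEMES):
            problems.append(f"Contact must be a mailto:, https:// or tel: URI, got {contact!r}")

    for exp in fields.get("Expires", []):
        try:
            # RFC 3339 timestamp; accept the trailing 'Z' on older Pythons too.
            when = datetime.fromisoformat(exp.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 timestamp: {exp!r}")
            continue
        if when <= now:
            problems.append("security.txt has expired; researchers may ignore it")
        elif when - now > timedelta(days=365):
            problems.append("Expires is more than a year out (RFC 9116 recommends under a year)")

    for canon in fields.get("Canonical", []):
        if not canon.startswith("https://"):
            problems.append(f"Canonical must be an https URI, got {canon!r}")
    return problems


if __name__ == "__main__":
    for issue in validate(SAMPLE) or ["OK: file passes the checks"]:
        print(issue)
```

Run it from a cron job or CI step against the live file so an expired `Expires` value is caught before a researcher is, since an expired file tells the reader the contact information may be stale.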
Due-diligence documentation
Available under a mutual NDA:
- Data Processing Addendum (DPA) and Standard Contractual Clauses
- Security whitepaper and architecture diagrams
- Penetration test summary (most recent, annually refreshed)
- SOC 2 Type II readiness report
- BAA for HIPAA-scoped engagements
- Business Impact Analysis (BIA) and disaster-recovery runbook
- Employee security-awareness training records
We'll turn around due-diligence packets, RFP/RFI responses, and security questionnaires within 2 business days.