Security is the Product, Not a Setting
CreateOS governs every request before it reaches a model and validates every response before it reaches a user. Sovereign, zero data retention, secure from the first call.
- ISO 27001 certified
- SOC 2 Type II certified
- Zero data retention
- No training on your data
Controls on Every Request and Every Response
Governed inference
Prompt-injection checks, policy validation, and access controls run before the model sees a request.
Output validation
Hallucination checks, PII masking, and content filtering run before any response reaches a user.
Zero data retention
Prompts and documents are processed in-session. Nothing is stored by default.
Full audit trail
Every call is logged with execution traces and SOC visibility across agents and workflows.
Sovereign deployment
Run in CreateOS cloud, your VPC, or fully on-prem. Region-aware compute, no cross-border exposure.
No training on your data
Your prompts, documents, and outputs are never used to train models, ours or a provider's.
Built to the Standards Regulated Enterprises Require
ISO 27001
Information security management certified to the global standard.
SOC 2 Type II
Independently verified controls for enterprise data protection.
Zero Data Retention
In-session processing. Nothing stored by default.
Sovereign Infrastructure
Region-aware compute with no cross-border data exposure.
Where Your Data Lives and How It Moves
Encrypted in transit and at rest
TLS in transit, AES-256 at rest, across every deployment mode.
Region residency
Pin processing to a region. No cross-border data exposure.
Access controls
SAML/SSO, role-based access, and per-team scoping on every workflow.
Subprocessor transparency
A current list of subprocessors and a DPA are available on request.
Report a Vulnerability
We welcome reports from security researchers. If you believe you have found a vulnerability, email the details to our security team. We acknowledge within two business days and work with you on a fix. We support safe harbor for good-faith research.
Security Questions, Answered
Do you train models on our data?
No. Your prompts, documents, and outputs are never used to train CreateOS models or any provider's models. Data is processed in-session and not retained by default.
Where is our data processed?
You choose. CreateOS runs in our cloud, inside your VPC, or fully on-premises. Compute is region-aware, so you can pin processing to a region with no cross-border exposure.
What certifications do you hold?
We are ISO 27001 and SOC 2 Type II certified. We can share reports and controls documentation under NDA. We operate on zero-data-retention, sovereign infrastructure.
How do you handle PII?
Output validation masks PII and filters content before any response reaches a user. You can configure policies per workflow and per team.
Can we use our own SSO and access controls?
Yes. CreateOS supports SAML/SSO and role-based access controls, scoped per team and per workflow.
Can we get a DPA and subprocessor list?
Yes. A Data Processing Agreement and a current subprocessor list are available on request. Email [email protected].
