Security & compliance

Controller is you.
Processor is us.

Sorena never owns your data. Signed DPA. Customer-selected region. Country addenda for every market.

Five pillars

Every layer, documented.

Commitments we make in every master agreement. Evidence available under NDA.

01 · Processor model

You remain the controller. We process under GDPR Article 28 and LGPD Article 37. We never use customer data to train shared models.

GDPR Art. 28 · LGPD Art. 37 · DPA signed pre-deployment

02 · Encryption everywhere

TLS 1.3 in transit. AES-256 at rest. Credentials in AWS Secrets Manager with 90-day rotation. Every Veeva pull audit-logged.

TLS 1.3 · AES-256 · KMS rotation · 90d

03 · Data residency

Primary region sa-east-1 (São Paulo) for LATAM. Other regions on request. Sub-processor changes with 30 days' notice.

sa-east-1 default · Region-locked · 30-day notice

04 · Model & AI controls

Powered by Claude (Anthropic) via AWS Bedrock. Every generated claim is grounded in specific rows and cited back. Alternative LLM providers available on request.

Customer-chosen LLM · Cited outputs · Zero training on your data

05 · Operational maturity

Annual third-party penetration test. SOC 2 Type II scoped, certification targeted within 12 months.

Annual pen test · SOC 2 Type II roadmap · Uptime SLA per contract

SOC 2 Type II · In design · 2026
Controls designed to pass. Audit engaged. Interim attestation available under NDA.

LGPD · Aligned · Brazil
Mapped to Articles 6, 7, 37, 46. Country addendum in every Brazil deployment.

LFPDPPP · Aligned · Mexico
Privacy notice and addendum template ready. Cross-border transfer documented.

GDPR · Article 28 aligned
Legal baseline for our DPA. European deployments via eu-west-1 on request.

Due diligence

Need the full security pack?

DPA template, sub-processor list, architecture diagrams, pen test summary, and SOC 2 scope. Available under NDA.
