Trust Center

Security & Compliance

Pretense is built security-first. Here's the evidence.

Compliance Status

Last updated: April 2026. Status reflects current posture; certifications in progress are backed by third-party auditors.

SOC 2 Type II: In Progress (audit Q3 2026)

Our controls framework is complete. Formal audit engagement begins Q3 2026 with Drata as our compliance platform.

HIPAA: Compliant by Design

PHI is never processed on Pretense infrastructure. Mutation happens before any external transmission, so your clinical identifiers never leave your network. The local proxy does handle PHI on your own hosts, so your existing HIPAA controls for those hosts still apply.

GDPR: Compliant

No EU personal data is stored on Pretense infrastructure. The local-first architecture means data stays within your jurisdiction.

ISO 27001: Controls Aligned

Security policy mapped to ISO 27001:2022 control domains. Formal certification roadmap follows SOC 2 Type II.

FedRAMP: Roadmap Q4 2026

Planned for government customers requiring FedRAMP authorization. Architecture review underway to scope control gaps.

CCPA: Compliant

No consumer PII collected or sold. Pretense does not build user profiles, run analytics on code content, or monetize data.

Why Local-First Is More Secure

Cloud-based DLP solutions proxy your code through vendor infrastructure. Pretense does not. The mutation engine runs on your machine or within your network perimeter.

// Data flow: your identifiers never leave your machine

[Your Code]        plain identifiers, secrets, PII
      |
[Pretense Proxy]   local, localhost:9339
                   scan -> mutate -> audit log (no content)
      |
[Mutated Code]     patient_id -> pt_9a4f, api_key -> ak_7x2m
      |
[LLM API]          OpenAI / Anthropic / Gemini
      |
[Response]         reverse-mutated on return

Your actual identifiers never leave your machine. Pretense infrastructure is not in the data path.

End-to-end mutation

Identifiers are replaced before any bytes leave your machine. The AI provider receives only opaque tokens.

Zero external storage

Pretense infrastructure never stores code, prompts, or mutation maps. Nothing persists outside your environment.

Deterministic reversal

The same input always produces the same mutation. Round-trip restoration is byte-perfect and verifiable.
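The scan, mutate and reverse steps described above, as an added worked example. This is illustrative code written for this page, not Pretense's engine: the detection patterns, the HMAC-SHA256 token derivation under a locally held key, the token length and the in-memory mutation map are all assumptions, since the page does not say how Pretense derives its tokens. It does show the two properties the page claims, determinism (same key and input give the same token, even across sessions) and a byte-perfect round trip, and it raises rather than silently mis-mapping if two identifiers ever collide on a truncated token.

```python
"""Deterministic, reversible identifier mutation (illustrative, not Pretense's code)."""
from __future__ import annotations

import hashlib
import hmac
import re

# Constructed detection patterns (assumption): a clinical identifier and an API key.
PATTERNS = {
    "pt": re.compile(r"\bPATIENT-\d{6}\b"),             # e.g. PATIENT-004712
    "ak": re.compile(r"\bsk_live_[A-Za-z0-9]{16,}\b"),  # e.g. sk_live_0123...
}


class Mutator:
    """Replace sensitive identifiers with opaque, type-prefixed tokens.

    Tokens are HMAC-SHA256 outputs under a key that stays on the local machine,
    so an identifier always maps to the same token and the LLM provider cannot
    recover the original without the key. The mapping is kept locally only.
    """

    def __init__(self, key: bytes, token_hex_len: int = 8):
        self._key = key
        self._len = token_hex_len
        self._forward: dict[str, str] = {}  # original -> token
        self._reverse: dict[str, str] = {}  # token -> original

    def _token(self, kind: str, value: str) -> str:
        mac = hmac.new(self._key, f"{kind}:{value}".encode(), hashlib.sha256)
        return f"{kind}_{mac.hexdigest()[: self._len]}"

    def mutate(self, text: str) -> str:
        """Scan for every pattern and substitute tokens, recording the mapping."""

        def make_sub(kind: str):
            def _sub(m: re.Match) -> str:
                original = m.group(0)
                token = self._token(kind, original)
                known = self._reverse.get(token)
                if known is not None and known != original:
                    # Two distinct identifiers hashed to the same short token.
                    raise RuntimeError(f"token collision for {kind}: raise token_hex_len")
                self._forward[original] = token
                self._reverse[token] = original
                return token

            return _sub

        for kind, pattern in PATTERNS.items():
            text = pattern.sub(make_sub(kind), text)
        return text

    def reverse(self, text: str) -> str:
        """Restore originals in a provider response.

        Longest tokens first, so a token that is a prefix of another can never
        be restored partially.
        """
        for token in sorted(self._reverse, key=len, reverse=True):
            text = text.replace(token, self._reverse[token])
        return text


def round_trip_ok(mutator: Mutator, text: str) -> bool:
    """Byte-perfect round-trip check: reverse(mutate(x)) == x."""
    return mutator.reverse(mutator.mutate(text)) == text


if __name__ == "__main__":
    m = Mutator(b"local-secret-key")  # constructed key; a real one is random
    prompt = "patient PATIENT-004712 key sk_live_0123456789abcdef"
    sent = m.mutate(prompt)
    print("sent to provider:", sent)
    print("round trip ok:", round_trip_ok(m, prompt))
```

Two things worth noting. The mutation map and the HMAC key are themselves sensitive: anyone holding them can de-tokenize the provider's request logs, so they need the same protection as the identifiers they hide. And the reverse step is a plain substring replacement over the model's reply, so a reply that fabricates a token the proxy never issued is left untouched rather than mapped to anything real.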

Audit trail

Every scan, mutation, and reversal is logged to a local tamper-evident SQLite store with cryptographic timestamps.
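A hash chain is the standard way to make a local log like this tamper-evident, so here is an added example of the mechanism in SQLite. It is illustrative code written for this page, not Pretense's implementation: the chain construction, canonical-JSON hashing and plain UTC ISO-8601 timestamps are assumptions, since the page does not say which scheme or timestamp source Pretense uses. Each row commits to the previous row's hash, so editing or deleting any earlier row breaks verification from that point on. Only metadata goes into the log; no code or prompt content, matching the "no content" note in the data-flow diagram.

```python
"""Hash-chained audit log in SQLite (illustrative, not Pretense's code)."""
from __future__ import annotations

import hashlib
import json
import sqlite3
from datetime import datetime, timezone

GENESIS = "0" * 64  # the "previous hash" of the very first entry


def _canonical(obj) -> str:
    # Canonical JSON so the hash is independent of key order and whitespace.
    return json.dumps(obj, sort_keys=True, separators=(",", ":"))


def _entry_hash(prev_hash: str, ts: str, event: str, detail: dict) -> str:
    # The timestamp is bound into the hash, so it cannot be changed later.
    return hashlib.sha256(_canonical([prev_hash, ts, event, detail]).encode()).hexdigest()


class AuditLog:
    def __init__(self, path: str = ":memory:"):  # ":memory:" only for the demo
        self.db = sqlite3.connect(path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS audit ("
            " id INTEGER PRIMARY KEY, ts TEXT NOT NULL, event TEXT NOT NULL,"
            " detail TEXT NOT NULL, prev_hash TEXT NOT NULL, hash TEXT NOT NULL)"
        )

    def head(self) -> str:
        """Hash of the newest entry (GENESIS when the log is empty)."""
        row = self.db.execute("SELECT hash FROM audit ORDER BY id DESC LIMIT 1").fetchone()
        return row[0] if row else GENESIS

    def append(self, event: str, detail: dict) -> str:
        """Record one event. `detail` carries metadata only (kinds, counts), never content."""
        ts = datetime.now(timezone.utc).isoformat()
        prev = self.head()
        h = _entry_hash(prev, ts, event, detail)
        with self.db:
            self.db.execute(
                "INSERT INTO audit (ts, event, detail, prev_hash, hash) VALUES (?,?,?,?,?)",
                (ts, event, _canonical(detail), prev, h),
            )
        return h

    def verify(self) -> tuple[bool, int]:
        """Walk the chain from the first row; return (ok, id of first bad row or -1)."""
        prev = GENESIS
        rows = self.db.execute(
            "SELECT id, ts, event, detail, prev_hash, hash FROM audit ORDER BY id"
        )
        for id_, ts, event, detail, prev_hash, h in rows:
            if prev_hash != prev or _entry_hash(prev, ts, event, json.loads(detail)) != h:
                return False, id_
            prev = h
        return True, -1


if __name__ == "__main__":
    log = AuditLog()
    log.append("scan", {"patterns_hit": 2})
    log.append("mutate", {"tokens_issued": 2})
    log.append("reverse", {"tokens_restored": 2})
    print("chain ok:", log.verify(), "head:", log.head()[:16])
    log.db.execute("UPDATE audit SET detail = ? WHERE id = 2", ('{"tokens_issued":99}',))
    log.db.commit()
    print("after edit:", log.verify())  # verification fails at row 2
```

One caveat a reviewer should expect: a pure hash chain detects modification and deletion inside the log, but not truncation of the newest rows, because the shortened chain still verifies. That is what `head()` is for; periodically recording the head hash somewhere the proxy cannot rewrite (a signed checkpoint, a remote timestamping service, or simply a file with different ownership) closes that gap.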

No telemetry

Zero usage analytics, no crash reporting, no call-home. The proxy is air-gap compatible by design.

Penetration Test Summary

Self-assessment conducted March 2026. External third-party pentest scheduled Q3 2026 concurrent with SOC 2 audit.

Test Area               Status   Finding
Proxy HTTP injection    Pass     No vulnerabilities found
Secret pattern bypass   Pass     All 30+ patterns covered
Mutation reversal       Pass     100% round-trip verified
Rate limiting           Pass     Sliding window effective
CSP headers             Pass     Grade A on securityheaders.com

Compliance Downloads

Documents available immediately. No form required for overview documents. DPA requests can also be sent to legal@pretense.ai.

Security Overview

2-page summary for CISO review

Download

Architecture Whitepaper

Technical deep-dive on mutation engine

Download

Data Processing Agreement

GDPR/CCPA DPA template

Download

Penetration Test Summary

Self-assessment results, Mar 2026

Download

Responsible Disclosure

Found a vulnerability? We pay bounties.

Security Contact

security@pretense.ai

Direct contact preferred for coordinated disclosure.

PGP Key

Email security@pretense.ai to request our PGP public key for encrypted disclosure.

Response SLA

  • Critical: 24 hours
  • High: 72 hours
  • Medium/Low: 72 hours

Enterprise Security Review

Enterprise customers can request a signed DPA, security questionnaire responses (CAIQ, SIG Lite, custom), architecture review calls with our security team, and early access to the SOC 2 Type II report upon completion.