Trust Center

Compliance

How our delivery aligns with major AI, security, and data-protection regimes — and what it means for your audit pack.

Compliance is not a product PCCVDI sells — it is the operating posture our delivery is built around. Below is what our engagements align with, what evidence is available, and where we can take you further with a certified third-party assessor if your procurement requires it.

EU AI Act

We design AI systems to be classifiable, documentable, and operable under the EU AI Act. Specifically:

  • Every system is risk-classified (prohibited, high, limited, minimal) with written reasoning at the start of the engagement.
  • High-risk systems are accompanied by a technical file, risk-management documentation, data-governance evidence, and logging sufficient to reconstruct any individual decision.
  • Human-oversight architecture is designed into the product, not retrofitted.
  • Post-market monitoring and the conformity-assessment process are documented for each high-risk system.

For background on the obligations, see our public guide: The 2026 EU AI Act compliance checklist for non-EU companies.

ISO/IEC 42001 (AI Management Systems)

PCCVDI operates to the requirements of ISO/IEC 42001:2023, the international management-system standard for AI. Our management system covers AI policy, risk management, controls, monitoring, and improvement. Customers running their own ISO 42001 programs can map our delivery evidence directly to clauses 4 through 10 of the standard.

NIST AI Risk Management Framework

Our delivery practices align with the four functions of the NIST AI RMF — Govern, Map, Measure, and Manage. We supply customers with the artefacts needed to satisfy each function for the systems we deliver, including context analysis, impact assessment, performance evaluation, and monitoring plans.

SOC 2 and ISO/IEC 27001 (Information Security)

Our security posture operates to SOC 2 Trust Services Criteria and ISO/IEC 27001:2022 controls. See the Security page for the operational detail. Attestation evidence is available under NDA.

GDPR (EU General Data Protection Regulation)

For engagements involving personal data of EU data subjects, we operate as a data processor under written instructions from the customer (data controller). Standard processing terms include:

  • Documented lawful basis confirmation before processing.
  • Standard contractual clauses for any international data transfers where required.
  • Data subject rights support (access, rectification, erasure, portability) handled within statutory time limits.
  • Personal data breach notification within 72 hours of awareness.
  • Data Protection Impact Assessments (DPIAs) supported for high-risk processing.

India DPDP (Digital Personal Data Protection Act 2023)

For engagements involving personal data of Indian data principals, we support the customer’s obligations as a Data Fiduciary, including consent management, purpose limitation, notice, and data-principal-rights workflows. Cross-border data transfers are handled in line with current MeitY notifications.

Sectoral regimes

For regulated sectors we map our delivery to additional applicable standards on a per-engagement basis. Common ones include:

  • Financial services: SR 11-7 (US model risk management), PRA SS1/23 (UK), and EU EBA guidelines on model risk.
  • Healthcare: HIPAA Security Rule (US), MDR/IVDR (EU) where AI is part of a medical device, and FDA SaMD guidance.
  • Public sector: FedRAMP, IL4/IL5 expectations, jurisdictional AI guidance (UK Algorithmic Transparency Standard, Canada Directive on Automated Decision-Making, etc.).

Requesting the audit pack

For procurement and audit-team requests, email info@pccvdi.com. We respond within one business day with the appropriate evidence under NDA — typical packs include security questionnaire responses, attestation summaries, policy excerpts, and architecture documentation as applicable.

Ready to start

Turn one AI use case into measurable production value.

Book a 30-minute consultation. We will walk through the use case, sketch the value case, and tell you honestly whether we can help.