Our posture
PCCVDI operates to SOC 2 Trust Services Criteria and ISO/IEC 27001:2022 controls. Our internal control set is maintained as a living management system, reviewed quarterly, and tested annually by an independent assessor. Specific attestation reports and audit summaries are available under NDA — email info@pccvdi.com with your request.
How we handle customer data
- Encryption in transit. All customer data is exchanged over TLS 1.2+ with modern cipher suites. HTTP is redirected to HTTPS.
- Encryption at rest. Customer data stored in our systems is encrypted using AES-256 with keys managed by a major cloud KMS.
- Tenancy. Customer data is logically isolated; we do not co-mingle data across engagements unless explicitly authorised in writing.
- Retention. Customer data is retained only for the duration agreed in the engagement contract, then securely deleted on request or at contract end.
- Sub-processors. A current list of sub-processors handling customer data is available on request, and changes to it are notified in advance.
Access control
- Least-privilege access by default; production access is role-based and time-bounded.
- Multi-factor authentication is required for all internal systems.
- Personnel access is granted on a need-to-know basis, reviewed quarterly, and revoked promptly on role change or departure.
- Privileged actions are logged to an immutable audit store.
Application and infrastructure security
- Code is reviewed and peer-approved before merge.
- Continuous static analysis (SAST) and dependency vulnerability scanning run in CI.
- Production systems are deployed via reproducible, immutable infrastructure-as-code.
- Container images are scanned for known vulnerabilities before promotion.
- External penetration testing is performed by an independent third party at least annually for production-facing services.
AI-specific security
For systems involving LLMs, agents, or other AI components, our standard security controls extend to:
- Prompt injection and jailbreak testing against the OWASP LLM Top 10 and MITRE ATLAS catalogue.
- Input and output filters for PII, secrets, and content-policy compliance.
- Tool-call schema validation and authorisation gates for agentic systems.
- Trace-level observability for AI decisions; replay supported for incident review.
- Quarterly red-team campaigns for systems in continuous operation.
Incident response
We maintain a documented incident response plan covering detection, containment, eradication, recovery, and post-incident review. Incidents affecting customer data trigger a notification process consistent with applicable regulation and the engagement contract.
- 24/7 on-call rotation for managed-service customers.
- 4-hour triage SLA for high-severity events.
- Root-cause review within 5 business days; remediation plan published.
Business continuity
Backup and disaster-recovery procedures are tested at least annually. Recovery time and recovery point objectives are documented per service tier and shared with managed-service customers as part of the SLA.
Reporting a vulnerability
If you believe you have identified a vulnerability in any PCCVDI-operated system, email info@pccvdi.com with the subject line “Security disclosure.” We respond within one business day and follow a coordinated disclosure process. Researchers acting in good faith will not face legal action.
Want the full attestation pack?
Detailed SOC 2 / ISO 27001 evidence, sub-processor lists, and questionnaire responses are available under NDA. Contact info@pccvdi.com and we will route the request to our security team.