Clustral AI Labs builds and runs AI systems for enterprises in regulated industries. That obligates us to a level of operational discipline that we publish openly here, not as marketing language but as something procurement, InfoSec and DPOs can verify before signing.
1. Frameworks we align to
Every engagement is engineered against the following frameworks, with the applicability matrix and evidence pack determined in the SOW:
- ISO/IEC 42001:2023 — AI management system standard (the most relevant standard for enterprise AI today).
- NIST AI Risk Management Framework (Govern · Map · Measure · Manage).
- EU AI Act — Regulation (EU) 2024/1689, including Annex III high-risk categories and Art. 5 prohibited practices.
- ISO/IEC 27001 · 27701 · 27018 — Information security, privacy information management, public-cloud PII.
- OECD AI Principles — 50+ jurisdictions reference these as their baseline.
- Singapore Model AI Governance Framework · AI Verify Foundation.
- India DPDP Act, 2023 · EU/UK GDPR · CCPA / CPRA · LGPD · PIPEDA.
- Sector overlays: HIPAA · FDA SaMD · EU MDR · OMB M-24-10 · CoE AI Convention · EEOC · NYC AEDT · MAS FEAT · RBI SR 11-7-equivalent.
2. Compliance roadmap
We publish our certification posture transparently — including where we are not yet certified — because for AI buyers the trajectory matters as much as the current state.
| Control | Status | Target |
|---|---|---|
| ISO/IEC 42001 — AI management system, statement of applicability | Implemented (self-attested) | External certification: Q3 2026 |
| ISO/IEC 27001 — Information security management | In preparation | Stage-1 audit: Q4 2026 |
| SOC 2 Type I | In preparation | Report: Q3 2026 |
| SOC 2 Type II | Planned | Report: Q1 2027 |
| GDPR Art. 30 records · Art. 28 DPA template | Available on request | Public download: Q3 2026 |
| DPDP Act 2023 — Data Fiduciary registration (when notified) | Tracking notification | Within 30 days of MeitY notification |
| EU AI Act conformity packs (per high-risk Annex III category) | Templates ready | Customer-specific per engagement |
3. Security controls in production
- Transit encryption. TLS 1.2+ on all public endpoints. HSTS with 2-year max-age and preload eligibility.
- At-rest encryption. AES-256 via the cloud provider's managed keys. Customer-managed keys (CMK / BYOK) supported on request.
- Least-privilege access. Role-based and attribute-based access control. No shared accounts. MFA enforced on all admin paths.
- Audit-trail logging. Every inference and admin action is logged with timestamp, principal, and decision; logs are immutable for the retention period agreed in the SOW.
- Secret management. Cloud-native secret store with rotation; no secrets in source code or build artifacts.
- Vulnerability management. Continuous SCA on dependencies, monthly patching cadence, public disclosure process below.
- Backup & recovery. Documented RPO / RTO per workload, tested at least annually.
- Incident response. Documented playbook, named on-call, 72-hour breach notification commitment per GDPR Art. 33 and equivalent under DPDP Section 8(6).
4. Sub-processors
The third parties that process personal data on our behalf are listed here. Material changes are notified at least 30 days in advance to active customers.
| Sub-processor | Purpose | Region | Transfer mechanism |
|---|---|---|---|
| Microsoft Azure | Hosting · storage · compute for our web app and customer workloads (when in-scope) | Central India · global | Microsoft DPA + EU SCCs |
| Cloudflare, Inc. | DNS · WAF · CDN · bot protection (Turnstile) for the public website | Global | Cloudflare DPA + EU SCCs |
| Resend, Inc. | Transactional email delivery for contact-form submissions | United States | Resend DPA + EU SCCs |
| OpenRouter Inc. | LLM inference for the AI Risk Compass (free-tier proxy to multiple model providers) | United States | OpenRouter Terms (free tier) |
| Odoo S.A. | CRM lead management (Odoo Online tenant) | Belgium | Odoo DPA + EU SCCs |
| GitHub, Inc. | Source-code hosting, CI/CD via GitHub Actions | United States | GitHub DPA + EU SCCs |
5. Data protection commitments
- Role. We act as Data Processor for personal data processed in connection with a customer engagement, and as Data Controller / Data Fiduciary for personal data collected via this website (see Privacy Notice).
- DPA template. Our Data Processing Addendum (Article 28 GDPR / DPDP Section 8) is available on request and pre-signed for execution by qualified counterparties.
- Cross-border transfers. EU/UK personal data transfers rely on EU Standard Contractual Clauses (2021/914) and the UK IDTA. DPDP cross-border transfers operate within the framework of Section 16 of the Act.
- Data minimisation. We collect only what is required. IP addresses, when logged, are stored as a salted SHA-256 hash for abuse prevention — not in raw form.
- Data Subject / Data Principal rights. Access, correction, erasure, portability and objection requests honoured within the statutory timeframe of the applicable law. Request channel: privacy@clustralai.com.
- Retention. Inference logs and audit trails retained for the period stated in the SOW; default 12 months for security logs, 24 months for marketing leads, 7 years for accounting records.
6. AI-specific governance
- No training on Client Data. Client data is never used to train models for any party other than the Client without explicit prior written consent.
- Model risk management. Evals, fairness testing, bias monitoring, and adversarial robustness testing form part of every release, scaled to the risk class.
- Human-in-the-loop. Required for any irreversible or rights-affecting action — never optional in regulated contexts.
- Refusal training. All generative AI surfaces ship with a documented out-of-policy refusal path.
- Foundation-model dependencies. Disclosed in the technical file; substitutable on customer request where the licence permits.
7. Vulnerability disclosure
We welcome reports of security issues. Email security@clustralai.com with a description, reproduction steps and, if possible, a recommended fix. We aim to acknowledge within 48 hours and to fix or mitigate critical issues within 7 days. Responsible disclosure rules: please do not access, modify or destroy data; do not disrupt the service; and give us reasonable time to remediate before any public disclosure.
8. Contact
Clustral AI Labs Pvt. Ltd.
Security: security@clustralai.com
Privacy: privacy@clustralai.com
Business: business@clustralai.com
This page summarises our current security and compliance posture for prospective and existing customers. It is not a contract; binding terms are set out in the executed MSA + SOW + DPA. For the formal customer-facing trust assessment (security questionnaire responses, penetration-test summaries, DPA execution copies) please contact security@clustralai.com from a verified corporate email.