Trust & governance
Security, Privacy & Compliance at Kriv AI.
Designed for regulated, PHI- and PII-sensitive environments.
We work with organizations who handle some of the most sensitive information in the world. Our approach to AI, automation, and data is anchored in security-by-design, privacy awareness, and practical governance, so your teams can innovate without losing control.
This page describes our general approach and is not legal advice. Your internal policies, contracts, and regulatory obligations remain the final authority.
Who This Page Is For & What It Covers
Who This Is For
- •Technology leaders (CTO, VP Engineering)
- •Data leaders (CDO, Head of Data/Analytics)
- •Compliance, risk, privacy, and legal teams
- •Procurement and vendor review stakeholders
What It Covers
- •Our security & privacy principles
- •How we think about PHI/PII and sensitive data
- •How we approach architectures in regulated environments
- •How we see shared responsibilities between Kriv AI and clients
Details of specific implementations vary per engagement and are documented in project scopes and contracts.
Our Core Security & Privacy Principles
These principles guide every engagement and architecture decision we make.
Regulated-First Mindset
We assume that your data and workflows are regulated, sensitive, or business-critical by default, and we design accordingly.
Minimum Necessary Access
We seek to minimize the data, permissions, and scope required for a use case, especially when PHI/PII or confidential information is involved.
Transparency Over Black Boxes
We prefer architectures and patterns that can be explained, to your technical teams, leadership, and auditors.
Shared Responsibility
Security and compliance are shared between Kriv AI, your infrastructure, and the platforms we help you integrate. We aim to clarify who is responsible for what.
We would rather say "no" to a risky design than push forward with something we aren't comfortable defending.
Data, PHI/PII & Sensitive Information
Many of our clients work with Protected Health Information (PHI), Personally Identifiable Information (PII), and other sensitive datasets. Our work is shaped around keeping that data controlled, minimized, and appropriately handled.
Data Residency & Control
Where possible, we prefer patterns where sensitive data stays within your controlled environment and infrastructure, aligned with your internal policies.
PHI/PII Minimization
We encourage designs that limit what sensitive data is sent to external services, use de-identification or pseudonymization where appropriate, and avoid storing more than is needed for the use case.
Access Scoping
We design workflows and integrations with scoped access, so a system can only see what it genuinely needs.
Documentation & Data Flows
We strive to document data flows at a high level: which systems are involved, what kinds of data move where, and why.
Architectures & Third-Party Tools
How we think about cloud platforms, automations, and LLM providers at a high level.
Cloud & Data Platforms
We typically work within your chosen platforms such as:
- •Microsoft Azure and Microsoft 365
- •Databricks or Snowflake (if applicable)
- •Existing data warehouses, lakes, and BI tools
We aim to align with your existing security controls, identity providers, and network boundaries.
Automation & AI Tools
We may help you integrate or orchestrate tools like:
- •Power Automate
- •Zapier (we are a Zapier Silver Solution Partner)
- •n8n
- •LLM and embedding providers (e.g., Azure OpenAI, other enterprise-grade providers)
Our focus is on scoped tokens and keys, minimizing data sent to external APIs, and clear logs where feasible.
Exact tools and configurations are always reviewed with your technical and security teams during each engagement.
Identity, Access & Environment
We aim to work inside your identity and access standards wherever possible, rather than inventing parallel permission systems.
Customer Identity Systems First
We prefer to leverage your existing identity providers and access controls (e.g., SSO, RBAC) for systems we help design.
Scoped Access for Kriv AI
When we require access to systems or environments, we aim for least privilege, time-bound or project-bound access, and clear ownership of credentials and accounts.
Environment Separation
We encourage clear separation of development, testing, and production environments for AI and automation workloads.
The exact setup will depend on your existing architecture and policies.
Logging, Monitoring & Incidents
Practical approaches to observability and incident handling.
Encouraging Meaningful Logging
We support patterns where key actions, decisions, and workflow events can be logged in systems your teams control.
Observability for AI & Automations
Where feasible, we recommend observability patterns that help your teams monitor performance and usage, detect unexpected behaviors, and review outputs where appropriate.
Incident Response is a Shared Responsibility
We expect that incident detection, response, and reporting will follow your organization's policies. We can assist by helping you understand where AI/automation is present and providing context on system behavior and design.
Nothing on this page supersedes your formal incident response and security policies.
Compliance & Governance Alignment
We are not a certification body or law firm, and we do not claim regulatory certifications on your behalf. Instead, we design with widely recognized frameworks and obligations in mind and work closely with your teams.
Healthcare & PHI Contexts
In healthcare and related environments, we aim to support your efforts to meet obligations under frameworks such as HIPAA and related regulations, as interpreted by your legal and compliance teams.
Data Protection & Privacy
We design with privacy-by-default thinking and expect that formal interpretations of laws (e.g., GDPR, regional privacy laws) come from your organization's legal counsel.
AI Governance Frameworks
Our AI Readiness & Governance work is informed by emerging governance frameworks (such as NIST AI Risk Management concepts) and customized to your context.
Shared Responsibility: You, Kriv AI, and Your Platforms
We believe in being explicit about who owns what. Security, privacy, and compliance for AI systems typically involve three layers: your organization, Kriv AI's work, and the platforms and tools we help you use.
Your Organization Typically Owns
- •Internal policies and standards
- •Identity and access management
- •Infrastructure configuration and network security
- •Final decisions on acceptable risk and deployment
Kriv AI Typically Owns
- •Design and implementation of AI workflows and automations we build
- •Recommendations on patterns, guardrails, and governance approaches
- •Documentation of our designs and assumptions
Platform / Vendor Responsibilities
- •Security of cloud and SaaS platforms according to their own commitments
- •Underlying infrastructure of managed services (e.g., Azure, Databricks, etc.)
- •Contractual and compliance assurances you have with those vendors
Exact responsibilities are finalized in contracts and statements of work for each engagement.
Straight answers
Security, privacy & compliance questions.
Is this page a legal or compliance document?
No. It describes how we generally approach security, privacy, and governance. Your formal obligations are defined by your own policies, contracts, and regulations as interpreted by your legal and compliance teams.
Do you store our data?
Our goal is to design solutions where sensitive data remains in your environment whenever possible. When data handling is needed as part of a project, the details are documented and agreed in the specific scope and contracts.
Can you work within our existing security and compliance frameworks?
Yes. We expect to align with your security policies, data classification schemes, and compliance processes rather than replacing them.
How do you handle PHI/PII in AI projects?
We assume PHI/PII constraints from the start, emphasize minimization, and prefer architectures where sensitive data is controlled within your environment and exposed to AI components in limited, auditable ways.
Do you provide audit-ready documentation?
We can produce high-level diagrams, descriptions, and notes that help your teams explain system behavior, data flows, and controls. Formal audit artifacts are usually prepared by your internal teams using this material as input.
Are you certified for specific regulations (e.g., HIPAA, SOC 2, ISO)?
We do not make blanket claims about certifications on this page. Where relevant, certifications or attestations will be communicated directly during vendor review or contracting.
Can you review our existing AI/automation for risk?
Yes. As part of an AI Readiness & Governance engagement, we can help you assess existing AI, automation, and data flows and recommend improvements.
How do we involve our compliance and security teams?
We recommend involving them early. We're comfortable joining sessions with your compliance, risk, legal, and security stakeholders to align on constraints and expectations.
Start here
Want AI your security & compliance teams can stand behind?
If you're exploring AI or agentic automation in a regulated environment, we'll walk through practical options with your technical, data, and compliance stakeholders together.
+1-732-433-5564 · info@kriv.ai · East Brunswick, NJ
“A massive time saver.”
Flagship engagement, 2025, 2,000+ associates · 122 locations. From kickoff to independently productive engineers in 3 weeks.
