We use cookies to understand how this site is used. Privacy policy

    Skip to main content
    Kriv AI

    Trust & governance

    Security, Privacy & Compliance at Kriv AI.

    Designed for regulated, PHI- and PII-sensitive environments.

    We work with organizations who handle some of the most sensitive information in the world. Our approach to AI, automation, and data is anchored in security-by-design, privacy awareness, and practical governance, so your teams can innovate without losing control.

    This page describes our general approach and is not legal advice. Your internal policies, contracts, and regulatory obligations remain the final authority.

    Who This Page Is For & What It Covers

    Who This Is For

    • Technology leaders (CTO, VP Engineering)
    • Data leaders (CDO, Head of Data/Analytics)
    • Compliance, risk, privacy, and legal teams
    • Procurement and vendor review stakeholders

    What It Covers

    • Our security & privacy principles
    • How we think about PHI/PII and sensitive data
    • How we approach architectures in regulated environments
    • How we see shared responsibilities between Kriv AI and clients

    Details of specific implementations vary per engagement and are documented in project scopes and contracts.

    Our Core Security & Privacy Principles

    These principles guide every engagement and architecture decision we make.

    Regulated-First Mindset

    We assume that your data and workflows are regulated, sensitive, or business-critical by default, and we design accordingly.

    Minimum Necessary Access

    We seek to minimize the data, permissions, and scope required for a use case, especially when PHI/PII or confidential information is involved.

    Transparency Over Black Boxes

    We prefer architectures and patterns that can be explained, to your technical teams, leadership, and auditors.

    Shared Responsibility

    Security and compliance are shared between Kriv AI, your infrastructure, and the platforms we help you integrate. We aim to clarify who is responsible for what.

    We would rather say "no" to a risky design than push forward with something we aren't comfortable defending.

    Data, PHI/PII & Sensitive Information

    Many of our clients work with Protected Health Information (PHI), Personally Identifiable Information (PII), and other sensitive datasets. Our work is shaped around keeping that data controlled, minimized, and appropriately handled.

    Data Residency & Control

    Where possible, we prefer patterns where sensitive data stays within your controlled environment and infrastructure, aligned with your internal policies.

    PHI/PII Minimization

    We encourage designs that limit what sensitive data is sent to external services, use de-identification or pseudonymization where appropriate, and avoid storing more than is needed for the use case.

    Access Scoping

    We design workflows and integrations with scoped access, so a system can only see what it genuinely needs.

    Documentation & Data Flows

    We strive to document data flows at a high level: which systems are involved, what kinds of data move where, and why.

    For Compliance & Risk teams, see our dedicated page

    Architectures & Third-Party Tools

    How we think about cloud platforms, automations, and LLM providers at a high level.

    Cloud & Data Platforms

    We typically work within your chosen platforms such as:

    • Microsoft Azure and Microsoft 365
    • Databricks or Snowflake (if applicable)
    • Existing data warehouses, lakes, and BI tools

    We aim to align with your existing security controls, identity providers, and network boundaries.

    Automation & AI Tools

    We may help you integrate or orchestrate tools like:

    • Power Automate
    • Zapier (we are a Zapier Silver Solution Partner)
    • n8n
    • LLM and embedding providers (e.g., Azure OpenAI, other enterprise-grade providers)

    Our focus is on scoped tokens and keys, minimizing data sent to external APIs, and clear logs where feasible.

    Exact tools and configurations are always reviewed with your technical and security teams during each engagement.

    Identity, Access & Environment

    We aim to work inside your identity and access standards wherever possible, rather than inventing parallel permission systems.

    Customer Identity Systems First

    We prefer to leverage your existing identity providers and access controls (e.g., SSO, RBAC) for systems we help design.

    Scoped Access for Kriv AI

    When we require access to systems or environments, we aim for least privilege, time-bound or project-bound access, and clear ownership of credentials and accounts.

    Environment Separation

    We encourage clear separation of development, testing, and production environments for AI and automation workloads.

    The exact setup will depend on your existing architecture and policies.

    Logging, Monitoring & Incidents

    Practical approaches to observability and incident handling.

    Encouraging Meaningful Logging

    We support patterns where key actions, decisions, and workflow events can be logged in systems your teams control.

    Observability for AI & Automations

    Where feasible, we recommend observability patterns that help your teams monitor performance and usage, detect unexpected behaviors, and review outputs where appropriate.

    Incident Response is a Shared Responsibility

    We expect that incident detection, response, and reporting will follow your organization's policies. We can assist by helping you understand where AI/automation is present and providing context on system behavior and design.

    Nothing on this page supersedes your formal incident response and security policies.

    Compliance & Governance Alignment

    We are not a certification body or law firm, and we do not claim regulatory certifications on your behalf. Instead, we design with widely recognized frameworks and obligations in mind and work closely with your teams.

    Healthcare & PHI Contexts

    In healthcare and related environments, we aim to support your efforts to meet obligations under frameworks such as HIPAA and related regulations, as interpreted by your legal and compliance teams.

    Data Protection & Privacy

    We design with privacy-by-default thinking and expect that formal interpretations of laws (e.g., GDPR, regional privacy laws) come from your organization's legal counsel.

    AI Governance Frameworks

    Our AI Readiness & Governance work is informed by emerging governance frameworks (such as NIST AI Risk Management concepts) and customized to your context.

    Shared Responsibility: You, Kriv AI, and Your Platforms

    We believe in being explicit about who owns what. Security, privacy, and compliance for AI systems typically involve three layers: your organization, Kriv AI's work, and the platforms and tools we help you use.

    Your Organization Typically Owns

    • Internal policies and standards
    • Identity and access management
    • Infrastructure configuration and network security
    • Final decisions on acceptable risk and deployment

    Kriv AI Typically Owns

    • Design and implementation of AI workflows and automations we build
    • Recommendations on patterns, guardrails, and governance approaches
    • Documentation of our designs and assumptions

    Platform / Vendor Responsibilities

    • Security of cloud and SaaS platforms according to their own commitments
    • Underlying infrastructure of managed services (e.g., Azure, Databricks, etc.)
    • Contractual and compliance assurances you have with those vendors

    Exact responsibilities are finalized in contracts and statements of work for each engagement.

    Straight answers

    Security, privacy & compliance questions.

    Is this page a legal or compliance document?

    No. It describes how we generally approach security, privacy, and governance. Your formal obligations are defined by your own policies, contracts, and regulations as interpreted by your legal and compliance teams.

    Do you store our data?

    Our goal is to design solutions where sensitive data remains in your environment whenever possible. When data handling is needed as part of a project, the details are documented and agreed in the specific scope and contracts.

    Can you work within our existing security and compliance frameworks?

    Yes. We expect to align with your security policies, data classification schemes, and compliance processes rather than replacing them.

    How do you handle PHI/PII in AI projects?

    We assume PHI/PII constraints from the start, emphasize minimization, and prefer architectures where sensitive data is controlled within your environment and exposed to AI components in limited, auditable ways.

    Do you provide audit-ready documentation?

    We can produce high-level diagrams, descriptions, and notes that help your teams explain system behavior, data flows, and controls. Formal audit artifacts are usually prepared by your internal teams using this material as input.

    Are you certified for specific regulations (e.g., HIPAA, SOC 2, ISO)?

    We do not make blanket claims about certifications on this page. Where relevant, certifications or attestations will be communicated directly during vendor review or contracting.

    Can you review our existing AI/automation for risk?

    Yes. As part of an AI Readiness & Governance engagement, we can help you assess existing AI, automation, and data flows and recommend improvements.

    How do we involve our compliance and security teams?

    We recommend involving them early. We're comfortable joining sessions with your compliance, risk, legal, and security stakeholders to align on constraints and expectations.

    Start here

    Want AI your security & compliance teams can stand behind?

    If you're exploring AI or agentic automation in a regulated environment, we'll walk through practical options with your technical, data, and compliance stakeholders together.

    Or write to us first

    +1-732-433-5564 · info@kriv.ai · East Brunswick, NJ

    “A massive time saver.”
    , Senior Engineer, multi-billion-dollar distribution enterprise (2,000+ associates)

    Flagship engagement, 2025, 2,000+ associates · 122 locations. From kickoff to independently productive engineers in 3 weeks.