Pryme Intelligence

Infrastructure-grade AI for serious global businesses.

Platform · Security & Trust

Trust by design. Audit by default.

Every prompt, every tool call, every reviewer decision — captured server-side, encrypted, region-scoped, and ready for your auditor before you ship.

Pryme Intelligence is built for the buyer whose regulator will read the logs. Controls, residency, identity, and governance are not features bolted on. They are the substrate every agent runs on.

SOC 2 Type II · ISO 27001 · GDPR · HIPAA-ready · Regional residency

The trust foundation

Most AI vendors bolt security on. Pryme Intelligence starts there.

Generic AI platforms ask you to trust the model. Pryme Intelligence asks you to trust the evidence. Every agent runs inside a governance rail that records what was asked, what was retrieved, what was decided, and who approved it before any output reaches a customer, colleague, or regulator.

That foundation lets Pryme Intelligence deploy into regulated environments without asking buyers to lower their standards. The same rail protects a 12-person fintech and a national-scale public service team. There is no separate enterprise trust tier.

Evidence first

Generic AI platforms ask you to trust the model. Pryme Intelligence asks you to trust the evidence.

One rail for every customer

There is no separate enterprise trust tier. Every customer gets the full governance rail from day one.

Built for review

The buyer who signs off on Pryme Intelligence can defend the choice to a CISO, auditor, regulator, or internal review board.

Four pillars

Four control families. One unified rail.

Protect

Encrypt everything. Isolate everything. Keep data where you said it would be.

  • AES-256 encryption at rest and TLS 1.3 in transit.
  • Tenant isolation at the data, compute, and network layer.
  • Region-scoped deployment by default with sovereign deployment for higher-classification workloads.

Govern

Every action passes through the governance rail before it ships.

  • Policy gates on inputs and outputs, including PII, prompt-injection, and jurisdictional controls.
  • Reviewer gates anywhere a regulator, contract, or your own risk appetite requires a human checkpoint.
  • Role-based access across agent, knowledge base, tool, and deployment surface.

Prove

Server-authored audit trail. Immutable. Replayable. Exportable.

  • Every prompt, retrieval, tool call, response, and reviewer decision logged on the server.
  • Replay any historical interaction with the original context, model version, and policy state.
  • Continuous SIEM export and time-bound evidence packs for auditors and regulators.

Respond

Detect fast. Contain faster. Communicate honestly.

  • 24/7 monitoring and tested incident-response runbooks.
  • Customer notification within 24 hours of confirmed material incident.
  • Coordinated vulnerability disclosure with a named security contact.

The differentiator

Where other platforms have prompts, Pryme Intelligence has a rail.

The governance rail sits between the model and the world. Nothing skips it. No debug path, no admin bypass, no unlogged side door.

Every interaction is decomposed into stages, each with its own enforcement point and evidence capture. Most platforms log the response. Pryme Intelligence logs the chain. That is the difference between “the agent said X” and “here is the full reasoning, retrieval, policy, and approval path that produced X.”

01 Intake

Request is normalised, source is verified, session is mapped, and authentication is confirmed before anything runs.

02 Policy evaluation (input)

PII, prompt-injection, jurisdictional checks, and other classifiers run before the request proceeds.

03 Knowledge retrieval

Only knowledge bases the user is entitled to are queried, and the retrieval scope is logged chunk by chunk.

04 Tool authorisation

Every tool call is checked against the agent permission set before execution; high-impact actions can require a reviewer signature.

05 Model invocation

Model version, system prompt, parameters, and full context are captured before any post-processing happens.

06 Policy evaluation (output)

Outputs are screened for hallucination, banned content, and fact-class violations before delivery.

07 Reviewer gate

If the certification state or policy requires it, a named human reviewer must approve before delivery.

08 Delivery

The final output is delivered to the surface and the full chain is sealed as one immutable record.

The evidence layer

If your auditor walks in tomorrow, you can answer in minutes, not weeks.

The audit trail is authored on the server, not the client. The same record is visible to your reviewer in the Workspace, your SIEM team in their tool, and your auditor in an export.

Replay any historical interaction with the original context, model version, and policy state.

Export continuously to Splunk, Sentinel, Datadog, Elastic, or a generic SIEM feed.

Retention can be configured by workspace policy, with machine-readable export on demand.

Chain-of-custody is designed to make tampering detectable rather than merely discouraged.

Identity

Authenticated user, agent, deployment surface, session, IP, and device fingerprint.

Context

Prompt as received, system prompt as active, model version, parameters, and policy state.

Retrieval

Every knowledge chunk surfaced, its source document, version, and entitlement check.

Tool activity

Every tool invoked, the parameters passed, the response received, and the authorisation that allowed it.

Model output

Raw model output before post-processing, with token counts and latency.

Policy decisions

Every gate the request passed through, what it evaluated, and what it decided.

Reviewer decisions

Reviewer identity, decision, timestamp, rationale, and any edits or redactions made.

Delivery

Where the output landed, who received it, and confirmation that it shipped.
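
One way a tamper-evident chain of this kind can be built, shown as an added example that is not Pryme Intelligence's implementation: each stage record is hashed together with the previous record's hash, and the head of the chain is sealed with an HMAC key held outside the log store. Stage names, field names, and sample values are constructed for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # constructed start-of-chain value

def entry_hash(prev, stage, payload):
    # Canonical JSON: the same record always serialises to the same bytes.
    body = json.dumps({"prev": prev, "stage": stage, "payload": payload},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()

def append(chain, stage, payload):
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"stage": stage, "payload": payload, "prev": prev,
                  "hash": entry_hash(prev, stage, payload)})

def seal(chain, key):
    # HMAC over the head hash, using a key held outside the log store.
    return hmac.new(key, chain[-1]["hash"].encode(), hashlib.sha256).hexdigest()

def verify(chain, key, expected_seal):
    """Return None if intact, otherwise a string naming the first failure."""
    prev = GENESIS
    for i, e in enumerate(chain):
        if e["prev"] != prev or e["hash"] != entry_hash(prev, e["stage"], e["payload"]):
            return f"chain broken at entry {i} ({e['stage']})"
        prev = e["hash"]
    if not chain or not hmac.compare_digest(seal(chain, key), expected_seal):
        return "seal mismatch"
    return None

def rehash(chain):
    # Models a party with write access recomputing every hash after an edit.
    prev = GENESIS
    for e in chain:
        e["prev"], e["hash"] = prev, entry_hash(prev, e["stage"], e["payload"])
        prev = e["hash"]

def sample_chain():
    # Constructed sample interaction; field names are hypothetical.
    chain = []
    append(chain, "intake", {"user": "u-1001", "session": "s-42"})
    append(chain, "policy_input", {"pii": "pass", "prompt_injection": "pass"})
    append(chain, "reviewer_gate", {"reviewer": "r-7", "decision": "reject"})
    append(chain, "delivery", {"surface": "workspace", "shipped": False})
    return chain
```

An in-place edit breaks the chain at the edited entry. An edit followed by a full rehash, or a truncated chain, passes the link check but fails the seal, which is why the seal key has to live somewhere the log writer cannot reach.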

Compliance and certifications

Certified where it counts. Aligned where it doesn’t yet exist.

Framework | Status | What it covers
SOC 2 Type II | Live | Independent audit of security, availability, confidentiality, and processing-integrity controls.
ISO/IEC 27001 | Live | Information security management system certification covering controls, risk treatment, and continuous improvement.
ISO/IEC 27701 | Live | Privacy information management extending 27001 with controller and processor obligations.
GDPR | Aligned | Lawful basis workflows, data subject rights handling, DPA coverage, and EU residency options.
HIPAA | Ready | BAA availability plus PHI-handling controls, audit trail, and reviewer gates for healthcare workspaces.
PCI DSS | Aligned | Segmentation, encryption, and access control aligned to PCI v4.0, with token-reference handling.
FedRAMP Moderate | In progress — Q3 2026 target | Authorisation pursuit for US federal workloads; pre-authorisation sovereign pilots accepted.
IRAP / PSPF | In progress | Assessment against Australian public-sector security expectations with sovereign deployment support.
UK G-Cloud | Live | Available to UK public-sector buyers through the standard procurement framework.
EU AI Act | Aligned | Risk classification, technical documentation, transparency disclosures, and human-oversight controls.
NIST AI RMF | Aligned | Govern, Map, Measure, and Manage functions mapped to platform controls.

Data handling and residency

Your data stays where you tell it to stay.

Residency is part of the operating model, not a loose preference. The rule is simple: data stays inside the region and boundary you approved.

Default residency is the region you choose at workspace creation, and customer data stays inside that region.

Available regions include the United States, European Union, United Kingdom, Australia, and Canada.

Sovereign deployment runs Pryme Intelligence inside customer-controlled environments for higher-classification workloads.

We do not move customer data across regions for capacity or operational convenience.

Customer prompts, knowledge bases, retrievals, and outputs are never used to train Pryme Intelligence or upstream models.

The Trust Portal

Everything your security team needs, without a sales gate in the way.

The point of the Trust Portal is simple: put the evidence one click away so security review moves in days, not weeks.

Certifications and reports

SOC 2, ISO certificates, pen-test summary, and current attestation documents in one place.

Policy library

Privacy policy, DPA, BAA template, sub-processor list, incident response summary, and disclosure policy.

Pre-filled questionnaires

CAIQ, SIG Lite, SIG Core, and VSAQ answers prepared and dated for security teams.

Control mappings

NIST CSF, NIST AI RMF, ISO 27002, CIS Controls, and EU AI Act documentation pack.

Architecture diagrams

Data flow, deployment topology, and key-management views suitable for internal review boards.

Status and sub-processors

Live operational status, sub-processor locations, certifications, and change-notification process.

Comparison

Where buyers compare us, and what they actually find.

Capability | Pryme | DIY on a model API | Generic agent platforms
Server-authored audit trail covering prompt → retrieval → tool → output → reviewer | Built in to every interaction and cryptographically chained. | Usually application logs you build yourself and can lose. | Often limited to chat transcripts, with tool calls and policy decisions missing.
Reviewer gates as a first-class control | Native, configurable per agent, use case, and surface. | Not provided unless you design and maintain your own approval system. | Usually presented as workflow approvals, not as a core governance primitive.
Region-scoped deployment with sovereign option | Default by region with sovereign and air-gapped options. | Constrained by your model provider’s region availability. | Often a limited shared-region menu.
Contractual no-training-on-your-data commitment | Contractual and propagated through sub-processors. | Depends entirely on provider terms. | Varies by vendor and is often opt-out rather than default.
Pre-filled CAIQ / SIG / VSAQ | Prepared inside the Trust Portal with one-step access. | Not available. | Usually gated behind sales-qualified leads.
Replay any historical interaction with original context and policy state | Built in for any record still in retention. | Not available unless you build it yourself. | Rarely available in practice.

Trust isn’t a tier. Every customer gets the full rail.

Whether you’re a 12-person fintech or a sovereign agency, you get the same governance rail, the same audit trail, the same residency commitments, and the same trust posture.

If you’d rather we just answer your questionnaire, send it to security@prymeintelligence.com. Most come back inside 48 hours.

The questions our security team gets every week.

Do you train on our data?

No. Customer prompts, knowledge bases, retrievals, and outputs are never used to train base models, fine-tune models for other customers, or improve general platform behaviour. Training you initiate inside your own tenant stays inside your tenant.

Where does our data live?

In the region you select at workspace creation, and only that region. We do not move data across regions for capacity, latency, or operational convenience. Higher-classification workloads can run through sovereign deployment inside your own environment.

What’s the audit trail and how do we use it?

Every prompt, retrieval, tool call, model response, policy decision, and reviewer action is captured server-side, cryptographically chained, and exportable. You can replay historical interactions with the original context, model version, and policy state when audit or incident review requires it.

What certifications do you hold today?

SOC 2 Type II, ISO/IEC 27001, and ISO/IEC 27701 are positioned as live in the trust programme. The page also reflects aligned and in-progress work across GDPR, HIPAA readiness, PCI alignment, the EU AI Act, and NIST AI RMF mappings.

Can we bring our own keys?

Customer-managed keys are handled through the enterprise architecture review path, alongside dedicated-environment and sovereign deployment requirements.

What’s the incident notification window?

The operating-rule commitment on this page is notification within 24 hours of confirmed material incident, with follow-on incident reporting after containment and root-cause analysis.

How do reviewer gates actually work?

Reviewer gates insert a named human checkpoint into the rail before output is delivered. Reviewers see the context, retrieved sources, proposed output, and policy decisions, then approve, edit, or reject. That decision is captured in the audit trail.

Can we deploy in our own cloud or on-premise?

Yes. Sovereign deployment is the path for customer-controlled environments, including private cloud accounts and higher-assurance isolated environments.

What happens to our data if we leave?

The trust posture on this page includes exportability, configurable retention, and defined deletion workflows so customers can leave without data hostage problems.

How do we evaluate Pryme Intelligence inside our own infosec process?

Open the Trust Portal or send the questionnaire to security@prymeintelligence.com. The page is designed so the evidence pack, control mappings, and standard questionnaire responses are already prepared.