Security, Privacy & Compliance at Kriv AI
Designed for regulated, PHI- and PII-sensitive environments.
We work with organizations who handle some of the most sensitive information in the world. Our approach to AI, automation, and data is anchored in security-by-design, privacy awareness, and practical governance—so your teams can innovate without losing control.
This page describes our general approach and is not legal advice. Your internal policies, contracts, and regulatory obligations remain the final authority.
Who This Page Is For & What It Covers
Who This Is For
- •Technology leaders (CTO, VP Engineering)
- •Data leaders (CDO, Head of Data/Analytics)
- •Compliance, risk, privacy, and legal teams
- •Procurement and vendor review stakeholders
What It Covers
- •Our security & privacy principles
- •How we think about PHI/PII and sensitive data
- •How we approach architectures in regulated environments
- •How we see shared responsibilities between Kriv AI and clients
Details of specific implementations vary per engagement and are documented in project scopes and contracts.
Our Core Security & Privacy Principles
These principles guide every engagement and architecture decision we make.
Regulated-First Mindset
We assume that your data and workflows are regulated, sensitive, or business-critical by default—and we design accordingly.
Minimum Necessary Access
We seek to minimize the data, permissions, and scope required for a use case, especially when PHI/PII or confidential information is involved.
Transparency Over Black Boxes
We prefer architectures and patterns that can be explained—to your technical teams, leadership, and auditors.
Shared Responsibility
Security and compliance are shared between Kriv AI, your infrastructure, and the platforms we help you integrate. We aim to clarify who is responsible for what.
We would rather say "no" to a risky design than push forward with something we aren't comfortable defending.
Data, PHI/PII & Sensitive Information
Many of our clients work with Protected Health Information (PHI), Personally Identifiable Information (PII), and other sensitive datasets. Our work is shaped around keeping that data controlled, minimized, and appropriately handled.
Data Residency & Control
Where possible, we prefer patterns where sensitive data stays within your controlled environment and infrastructure, aligned with your internal policies.
PHI/PII Minimization
We encourage designs that limit what sensitive data is sent to external services, use de-identification or pseudonymization where appropriate, and avoid storing more than is needed for the use case.
Access Scoping
We design workflows and integrations with scoped access—so a system can only see what it genuinely needs.
Documentation & Data Flows
We strive to document data flows at a high level: which systems are involved, what kinds of data move where, and why.
Architectures & Third-Party Tools
How we think about cloud platforms, automations, and LLM providers at a high level.
Cloud & Data Platforms
We typically work within your chosen platforms such as:
- •Microsoft Azure and Microsoft 365
- •Databricks or Snowflake (if applicable)
- •Existing data warehouses, lakes, and BI tools
We aim to align with your existing security controls, identity providers, and network boundaries.
Automation & AI Tools
We may help you integrate or orchestrate tools like:
- •Power Automate
- •Zapier (we are a Zapier Silver Solution Partner)
- •n8n
- •LLM and embedding providers (e.g., Azure OpenAI, other enterprise-grade providers)
Our focus is on scoped tokens and keys, minimizing data sent to external APIs, and clear logs where feasible.
Exact tools and configurations are always reviewed with your technical and security teams during each engagement.
Identity, Access & Environment
We aim to work inside your identity and access standards wherever possible, rather than inventing parallel permission systems.
Customer Identity Systems First
We prefer to leverage your existing identity providers and access controls (e.g., SSO, RBAC) for systems we help design.
Scoped Access for Kriv AI
When we require access to systems or environments, we aim for least privilege, time-bound or project-bound access, and clear ownership of credentials and accounts.
Environment Separation
We encourage clear separation of development, testing, and production environments for AI and automation workloads.
The exact setup will depend on your existing architecture and policies.
Logging, Monitoring & Incidents
Practical approaches to observability and incident handling.
Encouraging Meaningful Logging
We support patterns where key actions, decisions, and workflow events can be logged in systems your teams control.
Observability for AI & Automations
Where feasible, we recommend observability patterns that help your teams monitor performance and usage, detect unexpected behaviors, and review outputs where appropriate.
Incident Response is a Shared Responsibility
We expect that incident detection, response, and reporting will follow your organization's policies. We can assist by helping you understand where AI/automation is present and providing context on system behavior and design.
Nothing on this page supersedes your formal incident response and security policies.
Compliance & Governance Alignment
We are not a certification body or law firm, and we do not claim regulatory certifications on your behalf. Instead, we design with widely recognized frameworks and obligations in mind and work closely with your teams.
Healthcare & PHI Contexts
In healthcare and related environments, we aim to support your efforts to meet obligations under frameworks such as HIPAA and related regulations, as interpreted by your legal and compliance teams.
Data Protection & Privacy
We design with privacy-by-default thinking and expect that formal interpretations of laws (e.g., GDPR, regional privacy laws) come from your organization's legal counsel.
AI Governance Frameworks
Our AI Readiness & Governance work is informed by emerging governance frameworks (such as NIST AI Risk Management concepts) and customized to your context.
Shared Responsibility: You, Kriv AI, and Your Platforms
We believe in being explicit about who owns what. Security, privacy, and compliance for AI systems typically involve three layers: your organization, Kriv AI's work, and the platforms and tools we help you use.
Your Organization Typically Owns
- •Internal policies and standards
- •Identity and access management
- •Infrastructure configuration and network security
- •Final decisions on acceptable risk and deployment
Kriv AI Typically Owns
- •Design and implementation of AI workflows and automations we build
- •Recommendations on patterns, guardrails, and governance approaches
- •Documentation of our designs and assumptions
Platform / Vendor Responsibilities
- •Security of cloud and SaaS platforms according to their own commitments
- •Underlying infrastructure of managed services (e.g., Azure, Databricks, etc.)
- •Contractual and compliance assurances you have with those vendors
Exact responsibilities are finalized in contracts and statements of work for each engagement.
Security, Privacy & Compliance FAQs
Common questions from security, compliance, and risk stakeholders.
Want AI That Your Security & Compliance Teams Can Stand Behind?
If you're exploring AI or agentic automation in a regulated environment, we'd be happy to walk through practical options with your technical, data, and compliance stakeholders together.