Trust Center

Security, governance, and enterprise-readiness controls for AI2COE.

A buyer should not need a sales call to understand how the portal protects identity, reports, admin activity, uploaded diagnostics, and decision governance.

Enterprise trust posture

Proof controls buyers expect before they upload operational data.

Source purge: Uploaded catalog files are deleted after report generation; only summary metrics and Open Findings remain.
No ERP write-back: The diagnostic creates evidence for review. It never changes, deletes, merges, or overwrites ERP records.
Local currency: Reports display money in the user's selected or country-derived currency, while USD remains the base audit calculation.
Audit trail: Report ownership, access, quota, and feedback events are retained for governed review.
Session downloads: Excel, Word, PDF, and CSV downloads are available only in the active generation session.
Open Findings: Browser findings remain available without retaining the original source catalog rows.
Executive trust thesis

AI2COE is designed to produce evidence without creating operational risk.

Industrial AI adoption fails when a platform asks for trust before producing evidence. AI2COE reverses the order: upload a CSV, generate a controlled diagnostic, review confidence-tiered findings, and decide whether remediation is worth funding.

The portal deliberately avoids automatic ERP write-back. This matters. Catalog deduplication affects procurement, maintenance readiness, inventory valuation, and audit trails. The right product posture is diagnostic-first and review-controlled.

Market position: AI2COE is ready for controlled pilot and founder-led paid pilot use. For broad public enterprise deployment, the remaining work is production hardening, formal data-processing terms, monitoring, and compliance packaging.
Controls already implemented
Email verification: Protected workflows require verified identity
Admin change ledger: Before/after records for admin edits
Report ownership: Open Findings tied to authenticated users; downloads are session-scoped
Source purge: Uploaded catalog files deleted after report generation
Security headers: Frame, MIME, referrer, permission, and production HSTS controls
Diagnostic data lifecycle

Evidence without source-catalog retention.

1. Upload CSV
2. Analyze duplicate families
3. Generate reports
4. Purge source file
5. Retain Open Findings and summary metrics
Control catalogue

What the CTO, CIO, CISO, CRO, and procurement team should see.

Identity & Access

Email verification gate, complete business profile, locked identity fields, current-password update checks, owner-only admin authorization, and session-based access control.

Report Governance

Report ownership records, expiring report links, persistent in-browser Open Findings, immediate-session artifact downloads, and generated-by attribution on report artifacts.

Diagnostic Safety

No ERP write-back. Confidence tiers separate obvious duplicates from review candidates. Industrial discriminator penalties reduce unsafe consolidation recommendations.

Admin Auditability

Admin dashboard views, exports, edit-page access, and updates are logged. User and lead edits write before/after JSON to the admin change ledger.

Browser Security

CSRF protection, HTTP-only sessions, SameSite cookies, X-Frame-Options, nosniff, referrer policy, and production-ready HSTS activation.

Data Handling

CSV diagnostic input is processed through isolated run folders and the uploaded source file is purged after report generation. Excel, Word, PDF, and CSV downloads are available only in the active generation session. AI2COE retains Open Findings, summary metrics, report ownership, quota usage, feedback, and audit metadata only.

Data Residency

AI2COE diagnostic processing is currently hosted in the United States (primary). European Union accounts requiring in-region data processing and a GDPR Article 28 DPA should contact support@ai2coe.com with 'DPA Request' in the subject. Gulf Cooperation Council (GCC) accounts may request a data-handling commitment specific to their jurisdiction. In-region EU and GCC hosting is on the enterprise roadmap. Custom data residency arrangements are available by agreement for enterprise pilot accounts.

Deployment readiness

Honest launch-readiness classification.

| Launch stage | Status | Interpretation |
| --- | --- | --- |
| Pilot / demo | Ready | Local and controlled founder-led pilots; authenticated uploads; report generation; admin audit layer. |
| Paid founder-led pilot | Ready with controls | Appropriate for selected customers after NDA, data-handling commitment, and manual onboarding. |
| Public self-serve launch | Near-ready | Needs production domain config, SMTP, OAuth credentials, HTTPS, backups, retention automation, and monitoring. |
| Large enterprise procurement | Near-ready | DPA template, Engagement SLA, Data Handling Commitment, Security Overview, SOC 2 self-attestation, and Procurement FAQ now published. Remaining: SOC 2 Type II audit, production cloud hardening, uptime monitoring. |
Policy and document library

All compliance documents in one place.

| Document | Purpose | Audience | Status |
| --- | --- | --- | --- |
| Data Handling Commitment | What happens to uploaded catalog CSV files — purge commitment | Legal, CISO, Procurement | Published |
| Data Processing Agreement (DPA) | GDPR Article 28 DPA template for countersignature | Legal, EU/UK/GCC accounts | Published |
| Engagement SLA | 15-business-day delivery commitment and overrun remedy | Procurement, Finance | Published |
| Security Overview | Encryption, access controls, data residency, incident response | CISO, Security team | Published |
| SOC 2 Self-Attestation | CEO attestation of SOC 2 Trust Service Criteria controls | Enterprise procurement | Published |
| Architecture Overview | Data flow diagram, isolation boundaries, purge pathway | CTO, Security architect | Published |
| Procurement FAQ | W-9, insurance, payment terms, contract vehicle answers | Procurement, Sourcing | Published |
| Refund & Cancellation Policy | Milestone-based refund schedule and SLA overrun remedy | Finance, Procurement | Published |
| Getting Started Guide | CSV format specs, engagement process, report deliverables | IT, Operations lead | Published |
| Acceptable Use Policy | Permitted and prohibited uses of the portal | Legal, IT | Published |
| BC/DR Summary | Recovery objectives, backup strategy, incident communication | CISO, Enterprise procurement | Published |
| Release Notes | Product changelog and version history | Technical evaluators | Published |
| SOC 2 Type II Report | Independent auditor's examination of security controls | Enterprise procurement | Planned — 12-18 months |
Enterprise FAQ

Questions a buyer, CIO, or CISO will ask first.

Does AI2COE write back to SAP, Maximo, Oracle, or any ERP?

No. PartsCleanse AI is diagnostic-first. It analyzes uploaded CSV exports and produces evidence for review. No automatic ERP record changes, deletions, merges, or write-back actions are performed.

How is report access controlled?

Reports are tied to the logged-in user who generated them. Report links expire by default, downloads require authentication, and owner-admin access is restricted to the founder account.

What protects account and profile integrity?

New accounts require profile completion, explicit consent, and email verification before protected workflows are available. Important identity fields are locked, while editable profile updates require authentication.

What can be audited?

Admin views, exports, report access, downloads, profile changes, and admin edits are written to audit logs. Admin edits also preserve before/after values in a separate change ledger.

Is this production SOC 2 certified today?

No. AI2COE is pilot-ready, not yet SOC 2 certified. The Trust Center separates controls already implemented from controls required before broad enterprise production hosting.
