Security & Trust
Levitate is built on a foundation of rigorous security controls, responsible data governance, and transparent AI practices — so your business can act with confidence.
SOC 2 aligned — formal certification in progress | Cyber Essentials certified (2025–2026)
Our commitment
Security is not a feature — it is the foundation
Levitate operates inside some of the most consequential decisions a business makes — across execution workflows, operational data, and strategic planning. That responsibility requires a security posture that is deliberate, documented, and continuously tested. We do not treat security as a compliance checkbox. It is embedded into every layer of how Levitate is built, deployed, and maintained.
🔒
Data protection
Your data is encrypted in transit and at rest. Levitate does not use customer data to train AI models and does not share data between organisations.
🛡️
Access control
Role-based access, multi-factor authentication, and least-privilege principles govern who can see and act on what — inside the platform and within Van de Satpura.
⚙️
Governance by design
Every AI-driven action in Levitate is auditable. Businesses retain full visibility and control over what the system executes, and why.
Security controls
What we have in place
The controls below reflect the current security posture of Levitate and of Van de Satpura as an organisation. They are aligned to the SOC 2 Trust Services Criteria, with formal Type I certification in progress.
Reading this page: Controls marked with a green indicator are active and in place today. This page is reviewed quarterly and updated to reflect our current security posture.
Data security
✓
Encryption in transit
All data transmitted between clients and Levitate is encrypted using TLS 1.2 or higher.
✓
Encryption at rest
Data stored within Levitate is encrypted at rest using AES-256.
✓
Data isolation by organisation
Each customer's data is logically isolated. No data is shared between organisations, and customer data is never used for AI model training.
✓
Data retention and deletion
Customers can request deletion of their data at any time. Retention schedules are defined in the data processing agreement.
–
Customer-managed encryption keys (CMEK)
Capability for customers to manage their own encryption keys — available for enterprise deployments on request.
Access & identity
✓
Role-based access control (RBAC)
Platform access is governed by defined roles. Users can only access the data and functions appropriate to their role.
✓
Multi-factor authentication (MFA)
MFA is required for all Van de Satpura staff accessing internal systems.
✓
Least-privilege access policy
Internal access to customer environments and production systems is restricted to only those with a documented business need, reviewed regularly.
✓
Access logging and audit trail
All platform access and AI-driven actions are logged with timestamps, user identity, and action detail. Audit logs are available to customers on request.
–
Single sign-on (SSO) integration
SAML 2.0 / OIDC-based SSO integration with enterprise identity providers such as Microsoft Entra, Okta, and Google Workspace.
Infrastructure & operations
✓
Cloud infrastructure on certified providers
Levitate infrastructure is hosted on cloud providers that hold ISO 27001, SOC 2, and PCI DSS certifications, inheriting infrastructure-level controls.
✓
Vulnerability and patch management
Dependencies and infrastructure components are monitored for known vulnerabilities. Critical patches are applied within defined SLA windows.
✓
Incident response procedure
A documented incident response process is in place covering detection, containment, notification, and post-incident review. Customers are notified of material security events within 72 hours.
✓
Cyber Essentials certification (previously held)
Van de Satpura held Cyber Essentials certification in 2025–2026, validating controls across firewalls, secure configuration, user access control, malware protection, and patch management. Renewal is on the current roadmap. Organisations requiring active certification may request our self-assessment questionnaire responses directly.
–
Third-party penetration testing
Annual penetration test conducted by an independent third-party security firm. Report available to enterprise customers under NDA.
–
Disaster recovery and business continuity
Documented DR plan with defined RPO and RTO targets. Regular failover tests confirm recovery capability.
AI governance
✓
Explainability and action audit trail
Every action Levitate takes or recommends is logged with a traceable rationale. Business users can review and query any AI-driven decision.
✓
Human-in-the-loop controls
Configurable approval gates allow businesses to require human sign-off before Levitate executes defined categories of action. Delegation levels are set by the customer.
✓
No cross-organisation model training
Levitate does not use any customer data, including interaction logs, decisions, or outcomes, to train or fine-tune AI models for any other organisation.
✓
Ethical AI policy
Van de Satpura publishes its principles for responsible AI deployment. Levitate is designed to align with the EU AI Act's requirements for transparency, accountability, and human oversight.
–
Formal AI risk classification
EU AI Act risk tier documentation for each Levitate solution, reviewed by legal counsel and published to customers on request.
Privacy & compliance
✓
GDPR alignment
Levitate's data handling practices are designed to meet GDPR requirements. Data processing agreements (DPAs) are available for all customers in the EEA and UK.
✓
Sub-processor transparency
Van de Satpura maintains and publishes a list of sub-processors used in the delivery of Levitate. Customers are notified of material changes.
✓
Privacy-by-design development practice
Data minimisation, purpose limitation, and privacy impact assessments are built into the Levitate development process from requirements through to deployment.
–
SOC 2 Type I report
Independent auditor's attestation of security control design, aligned to the AICPA Trust Services Criteria. Certification in progress; target completion available on request.
–
ISO 27001 certification
Formal information security management system (ISMS) certification. On roadmap following SOC 2 Type I completion.
Organisational security
✓
Security awareness training
All Van de Satpura employees and contractors complete security awareness training at onboarding and annually, covering phishing, data handling, and incident reporting.
✓
Background checks for staff with data access
All Van de Satpura personnel with access to customer-facing systems undergo background screening before access is granted.
✓
Information security policy
A documented information security policy, reviewed annually, governs the classification, handling, and protection of data across all Van de Satpura systems.
–
Vendor security assessment programme
Formal security assessment of all third-party vendors with access to Van de Satpura systems, reviewed annually.
Certification roadmap
Our path to formal certification
We have designed Levitate's controls to meet the AICPA SOC 2 Trust Services Criteria from the outset, not as a retrofit. The timeline below reflects our current progress toward formal attestation.
Completed
SOC 2 control alignment
Core security controls designed and implemented in alignment with the SOC 2 Trust Services Criteria covering Security, Availability, Confidentiality, and Privacy.
In progress
Cyber Essentials
UK government-backed certification validating the five core technical controls: boundary firewalls, secure configuration, access control, malware protection, and patch management. Held for the 2025–2026 certification period. Renewal planned; prospective customers requiring current certification should contact us to discuss timelines.
Completed
Internal security policy documentation
Information security policy, incident response procedure, access control policy, and data retention schedule documented and reviewed by leadership.
In progress
SOC 2 Type I audit
Engagement with an independent auditor to attest to the design of security controls at a point in time. Enterprise customers in our pipeline may request the draft readiness report.
Planned
SOC 2 Type II audit
Following Type I, a 6–12 month observation period will confirm that controls operate effectively over time. Type II report will be available to customers under NDA.
Roadmap
ISO 27001 certification
Formal ISMS certification as Levitate scales. Target following SOC 2 Type II completion.
Responsible AI
How Levitate handles AI governance
Levitate is an AI Actuation Management System, meaning it does not just advise; it acts. That level of agency demands a higher standard of governance. These are the principles that govern every AI-driven action the platform takes.
01
You remain in control
Every action Levitate takes operates within boundaries you define. Delegation levels, approval gates, and action scopes are set by your organisation, not by us.
02
Every action is explainable
Levitate maintains a full audit trail of what it did, when, based on what data, and under whose authority. No action is a black box.
03
Your data stays yours
We do not use your business data, decisions, outcomes, or interactions to improve Levitate for other organisations. Data processing is strictly purposeful.
04
Designed for the EU AI Act
Levitate's governance framework has been developed with the EU AI Act's requirements in mind, including transparency, human oversight, and risk documentation.
Declaration
Our commitment
This Security and Trust statement reflects the current security posture of Levitate and of Van de Satpura as an organisation. The controls described above are in place and operational as of the date of publication. Controls marked as in progress or planned reflect our active roadmap and will be updated as milestones are reached.
Van de Satpura held Cyber Essentials certification in the 2025–2026 period. Renewal is planned and prospective customers with active certification requirements are encouraged to contact us directly to discuss.
Van de Satpura is committed to continuously maintaining and improving the security of Levitate. We welcome questions from prospective and current customers on any aspect of our security posture. Enterprise customers and partners in our evaluation process may request a security briefing directly with our leadership team.
For security disclosures, questions, or to request a Data Processing Agreement, contact: security@vandesatpura.com
A. Pasra
Founder, Van de Satpura
Published: June 2026 | Next review: September 2026