Engineering document AI
built for IT security review

ISO/IEC 27001 certification audit is in execution with target attestation Q4 2026. SOC 2 Type II audit is in execution with target report H1 2027. Pathnovo's architecture is IEC 62443-aligned today and inherits Azure / AWS attestations (FedRAMP, IRAP, C5, ENS High, IL5, ISMAP, TX-RAMP) where applicable. Customers requiring formal attestation today can request the in-progress Statement of Applicability, controls evidence package, third-party penetration test summary, and SOC 2 readiness report under NDA. For procurement teams running IT security reviews, Pathnovo's documented controls package is sufficient evidence in most owner-operator and EPC vendor onboarding processes today.

Yes. BYOK is supported from Azure Key Vault, AWS KMS, HashiCorp Vault, and Google Cloud KMS. All customer engineering documents, extracted structured output, embeddings, and audit logs are encrypted with the customer-controlled key. Pathnovo's encryption-at-rest and encryption-in-transit architecture is designed so that key revocation immediately and irreversibly terminates Pathnovo's access to customer data: revoke the key, and the next request cycle returns access-denied. For sanctions-sensitive and classified workloads BYOK is the standard configuration. For mainstream cloud SaaS customers BYOK is opt-in and adds zero functional friction.

Configurable at deployment to: Azure UAE North (Aramco / ADNOC ecosystem), AWS Middle East (Bahrain), AWS Riyadh (KSA in-Kingdom), Azure India Central (Indian PSU + EPC compliance), Azure Singapore + AWS Singapore (SE Asia), AWS Frankfurt EU (GDPR scope), or Azure West Europe / Azure East US for global default. Data residency is region-locked at deployment, cannot be silently changed by Pathnovo, and is audited per region rotation. For customers requiring deeper guarantees, the Customer-Managed Cloud (BYOC) and Sovereign Region Deployment options pin data inside your own subscription within the chosen region.

Yes, for genuine air-gapped requirements. Pathnovo deploys inside the customer's Azure Stack Hub or AWS Outposts environment with no internet egress, no telemetry, and no auto-updates outside customer-controlled patch windows. This is appropriate for defense-adjacent oil and gas, sanctions-restricted operators (Iran / Iraq / Russia / Cuba scope), and classified facilities. For the other ~95% of EPC and owner-operator buyers, Sovereign Region Deployment with BYOK delivers equivalent practical security without the hardware appliance footprint. See /solutions/deployment-options for the full deployment posture comparison.

No, not without explicit separately-signed customer consent. Pathnovo's extraction models are trained on Pathnovo-licensed and Pathnovo-synthesised engineering training corpora. Customer documents, customer extraction outputs, and customer feedback are tenant-isolated and are not used to improve Pathnovo's general-purpose models. Customers who want to opt-in to model improvement (typically in exchange for accuracy benefits on their specific document corpus) sign a separate Model Improvement Addendum that defines scope, retention, anonymisation, and opt-out. Default behaviour is no training, no fine-tuning, no cross-tenant feature reuse.

Pathnovo runs a coordinated vulnerability disclosure programme. Reports go to security@pathnovo.com with PGP-signed encryption supported. Acknowledgement within 24 hours, triage within 72 hours, and remediation per severity SLA: critical CVE patched within 24 hours, high within 7 days, medium within 30 days. Independent third-party penetration testing is executed annually with summary report available to customers under NDA. Continuous vulnerability scanning is run across application stack, infrastructure as code, container images, and dependencies.

Customer data export is contractually supported in machine-readable formats: CFIHOS 2.0, ISO 15926 RDF, JSON-LD, structured CSV, and the original document files. Export is on-demand at any time during the contract and at end of contract. Post-termination deletion is contractually guaranteed within 30 days, with cryptographic erasure for BYOK tenants (immediate via key revocation). Pathnovo signs a contractually-binding deletion attestation at end of engagement, certified by Pathnovo's Chief Technology Officer. There is no vendor lock-in, no proprietary export format dependency, and no rebuild cost.

Yes. The sub-processor list is published, versioned, and notified to customers under DPA Article 28(2)(b). Default sub-processors are Microsoft Azure (compute, storage, key management), Amazon Web Services (compute, storage, key management for AWS-deployed customers), and HashiCorp (Vault for BYOK on customer request). Customers receive 30-day advance notice of any sub-processor change with a contractual veto right. The list is available on request and is included by default in DPAs signed under Pathnovo's standard procurement framework.

Yes. Pathnovo has run pre-engagement IT security reviews for Aramco-tier, ADNOC-tier, and Indian PSU-tier customer evaluations. The standard package includes: penetration test summary, threat model, data flow diagram, key management architecture, business continuity / disaster recovery plan, sub-processor list, incident response playbook, ISMS Statement of Applicability (in flight to ISO 27001), and SOC 2 readiness report (in flight to SOC 2 Type II). All deliverables are available under NDA on request and are pre-aligned to Saudi Aramco IT Security policy SAES-Z-001 series, ADNOC Group IT Security framework, and Indian PSU + DPDPA-aligned IT review patterns.

Levian-style hardware appliances deliver air-gap by default through physical hardware shipment + on-prem deployment + hardware capex + multi-year maintenance contracts. For genuinely classified workloads (~5% of EPC + owner-operator buyers) this is the right architecture. For the other 95%, Pathnovo's Sovereign Region Deployment + BYOK + Customer-Managed Cloud delivers equivalent practical security guarantees through cloud architecture rather than hardware shipment, at materially lower 3-year total cost of ownership (typically 40-60% less). For defense-adjacent or sanctions-restricted buyers requiring genuine air-gap, Pathnovo's Air-Gapped Customer-Managed deployment matches Levian's security envelope without the hardware footprint. See /compare/pathnovo-vs-levian for the head-to-head security and TCO comparison.