Trust & Security
BotPM is built for PMOs that need to show what happened, who approved it, and how data is isolated — not for opaque automation that bypasses your rules.
We are not third-party certified yet. SOC 2–style assurance and ISO 27001–oriented controls are on our roadmap, and we will share attestations when they are in place.
In the product today
These are product behaviors your teams can rely on now — not future marketing promises.
High-impact or policy-gated actions surface as proposals, so the right people approve scope, schedule, budget, and stakeholder-sensitive changes before execution.
Every recommendation, action, proposal, approval, and integration update leaves evidence behind. Nothing important runs silently.
Workspace-scoped data, credentials, templates, and policies keep each organization isolated while supporting enterprise deployment patterns.
Plans, usage, trial state, and billing status are visible in the app, so admins know what is enabled and when action is needed.

Security and compliance are journeys. Here is how we align product behavior with what regulated PMOs expect.
Roles and gates in the product determine who can approve, execute, or view sensitive work — aligned to how your PMO already thinks about authority.
Proposals, approvals, and AI-assisted actions are designed to leave an inspectable trail so reviews and audits have something concrete to sample.
APIs and routes are built around organization boundaries so customer data stays partitioned in normal operation — a prerequisite for serious enterprise use.
Trust Center
Where we are today, what we are working on, and the target windows for our next certifications.
Target window: H2 2026
Engaging an external auditor; control set scoped to security and availability.
Target window: H1 2027
Continuous-monitoring tooling and 6-month observation period after Type I.
Target window: 2027
Information Security Management System aligned to ISO 27001:2022; statement of applicability in draft.
Operating today
DPA, sub-processor list, DSAR workflow, EU SCCs, and UK IDTA in place.
Operating today
Public VDP and security.txt with safe-harbor language.
Get our current security questionnaire response, architecture summary, and any draft attestations. Available to prospects and customers under a mutual non-disclosure agreement.
Request security package
Trust resources
Everything procurement, security, and privacy reviewers typically ask for.
GDPR / UK GDPR / CCPA-aligned DPA, with EU SCCs and UK IDTA.
Public, dated, versioned list with subscription channel.
Uptime target, scheduled maintenance, incident reference.
Reporting channel, scope, and safe harbor.
EU AI Act–oriented disclosures and human-oversight model.
WCAG 2.2 AA target, known limitations, accommodations contact.
Walk through how autonomy modes and lifecycle rails fit together on the How it works page, or jump straight into pricing.