How we earn your trust
Pilon Qubit Ventures is operator-built and audit-trail-first. This page lists what we have, what is in progress, and what we do not yet have, so you can evaluate before you sign. Every claim below is anchored to either a control we operate or a regulation we align to. We do not claim certifications we have not earned.
Last reviewed: May 7, 2026
Status of every artifact a buyer asks for
If your procurement team needs an artifact that is not listed below, write to legal@pilonqubitventures.com and we will tell you whether it exists, when it will exist, or why it does not apply.
| Artifact | Status | Detail |
|---|---|---|
| SOC 2 Type II — infrastructure | Live | Our hosting, database, payments, voice, and email infrastructure all hold SOC 2 Type II attestations: Vercel (hosting and edge), Supabase (database), Stripe (payments), Google Cloud (Sofia voice), Twilio (telephony). Customer data flows through SOC 2 Type II-attested platforms. |
| SOC 2 Type II — PQV (own attestation) | In Progress | PQV's own SOC 2 readiness work is underway, mapping controls against the AICPA Trust Services Criteria (Security, Availability, Confidentiality). We do not yet claim a PQV-issued SOC 2 attestation; we will publish the report when issued. Target: Type I Q4 2026, Type II Q3 2027 |
| Data Processing Agreement (DPA) | On Request | Standard DPA available on request, with Standard Contractual Clauses for international transfers where applicable. We are working to publish a self-serve DPA PDF. |
| Master Services Agreement (MSA) | On Request | Standard MSA available on request. Custom redlines reviewed by Theta (our legal operator) within 5 business days. |
| Sub-processor list | Live | Published in full below. We notify customers of material additions via email at least 30 days before they take effect, where contract terms require notice. |
| Privacy Policy | Live | Published on our public site. Describes what we collect, why, and how to exercise rights under GDPR, CCPA/CPRA, and other applicable laws. Reference: pilonqubitventures.com/privacy |
| Terms of Service | Live | Published on our public site. Governs use of the marketing platform and any deliverables produced through it. Reference: pilonqubitventures.com/terms |
| Cookies Policy | Live | Published on our public site. Lists every cookie set on our marketing surfaces and the basis for each. Reference: pilonqubitventures.com/cookies |
| Breach notification SLA | Live | Customer notification within 72 hours of CONFIRMED unauthorized access to customer data. Confirmation occurs after our security investigation establishes that unauthorized access in fact took place; the 72-hour clock begins at confirmation, not at the moment of suspicion or alert. Reference: GDPR Art. 33 (where applicable) |
| Penetration test | Roadmap | External third-party penetration test scheduled alongside SOC 2 Type I engagement. Quarterly internal vulnerability scanning is in place today. Target: Initial test Q4 2026 |
| Vulnerability disclosure | Live | Reports to security@pilonqubitventures.com are triaged within 24 hours. We coordinate disclosure timelines with researchers in good faith. |
Every third-party service that may touch customer data
We use the smallest set of sub-processors we can. We name them all. Material additions are notified to customers under their DPA before taking effect.
| Sub-processor | Location | Purpose |
|---|---|---|
| Ollama Cloud (Ollama, Inc.) | United States | Large-language-model inference for every AI-powered skill. We use no other LLM provider for the public product. |
| Supabase, Inc. | United States | Primary application database (lead-form submissions, account data, audit log) and authentication. |
| Stripe, Inc. | United States | Payments and subscription billing. PQV does not see or store cardholder data; Stripe is PCI DSS Level 1. |
| Resend (Resend, Inc.) | United States | Transactional email delivery (briefing confirmations, account notifications). |
| Twilio Inc. | United States | Telephony and programmable voice for the Sofia AI receptionist phone channel. |
| Google Cloud (Google LLC) — Vertex AI | United States | Native-audio speech model that powers the Sofia AI voice channel (web widget and phone). |
| Google (Google LLC) — YouTube Data API v3 | United States | Competitive-analysis skill (/skills/yt-competitive-analysis); channel and video metadata only. No PII transmitted. |
| Hostinger International Ltd. | United States (datacenter region) | Virtual private server hosting for marketing.pilonqubitventures.com and the Sofia AI services. |
| Vercel, Inc. | United States | Hosting and edge delivery for the public site at pilonqubitventures.com (separate surface from marketing.pilonqubitventures.com). |
Each vendor's own compliance page is linked from the live version of this list.
Industries we serve, and how we handle regulated requests
The public PQV product targets non-regulated industries by design. Regulated buyers are served only through custom enterprise engagements where the compliance addendum is built into the scope. Pricing is shared in your proposal, not on this page.
Default scope
Standard engagements serve these industries without additional compliance addendums:
- Veterinary practices, dental groups (non-PHI marketing only), boutique fitness chains, wellness studios.
- Restaurants, hospitality, home services (HVAC, plumbing, landscaping), retail.
- B2B SaaS startups, DTC e-commerce brands, course creators, podcasters, marketing agencies.
- Manufacturers, architecture and engineering firms, auto dealer groups, real estate brokerages.
Regulated industries — custom engagement only
For these sectors, the compliance addendum is built into the engagement scope:
- Healthcare (HIPAA-bound flows)
- Legal services
- Financial advisors and broker-dealers
- Tax preparation
Available only through a custom enterprise engagement. The engagement scope produces the compliance addendum required for that industry, for example a Business Associate Agreement for healthcare, an IRC §7216 consent flow for tax preparation, or a Model Rule 5.3 vendor-due-diligence package for legal services. Engagement scope and fees are agreed in your signed agreement before work begins. Contact legal@pilonqubitventures.com to scope.
Where to send security, legal, and privacy correspondence
Security (security@pilonqubitventures.com)
Vulnerability reports, incident inquiries, customer security questionnaires. Triage within 24 hours.
Legal (legal@pilonqubitventures.com)
Contract review, MSA and DPA negotiation, BAA requests, IP and licensing. Initial response within 1 business day.
Privacy
Data-subject access, deletion, and correction requests under GDPR, CCPA/CPRA, and equivalent regimes. Acknowledged within 72 hours.
What we do not have yet
We list the gaps because hiding them creates audit risk and erodes trust. If any item below is a deal-breaker for your procurement team, tell us; we will give you an honest timeline rather than a marketing answer.
- A finalized SOC 2 Type II attestation. Readiness work is in progress; we will publish the report when issued.
- ISO 27001 certification. Not on the 12-month roadmap; we may add it after SOC 2 Type II based on customer demand.
- PCI DSS attestation. We use Stripe for card processing and do not store cardholder data on PQV systems, so we operate as a Stripe merchant rather than a PCI service provider.
- A self-serve sub-processor change-notification mailing list. Today, notice is delivered through your account contact under the terms of your DPA.
- An external third-party penetration test report. Scheduled alongside the SOC 2 engagement.
Need a custom DPA, BAA, or full compliance review?
Brief the team and Theta, our legal operator, will respond within 24 hours with the artifacts your procurement team needs, redlines, and an executed timeline.
This page is informational and does not, by itself, create a contract or grant a license. Specific obligations between you and Pilon Qubit Ventures are governed by your Master Services Agreement, Data Processing Agreement, Business Associate Agreement, and any order form executed by both parties. Where this page and an executed agreement disagree, the executed agreement controls. Contact us for executed copies.
Brief the team once. Ship every week.
Tell us the outcome you want to move: traffic, pipeline, brand, or all three. A named AI operator will own the ticket. I will review the first deliverable before it leaves my desk, and you will see it before the week is out.