Vaival is an AI-enabled operating leverage company

Governance is the engagement model, not a marketing layer.

How Vaival runs AI-assisted work against your data, your workflows, and your operating cadence. What we have built today, what we have committed to building, and what we will tell you about both before the first contract.

  • Three standards: ISO 42001, 27001 and 9001, all current. 42001 certified Feb 2026, among the earliest globally.
  • Named accountability: on both sides, in the engagement letter.
  • Revocation: by written notice. Three business days to confirm.
  • Certifications: ISO/IEC 42001:2023, ISO/IEC 27001:2022, ISO 9001:2015, each verifiable on the issuing registry.
What governance means here

Structure, not slides.

  • The owner who is accountable, named in the engagement letter.
  • The cadence on which the work is reviewed, calendared from week one.
  • The rules under which AI is allowed to touch your data, in writing.
  • The path an exception takes, documented before the first ticket.
  • The right to revoke any piece at any operating review.
Operating philosophy

Human-Owned Workflow Framework.

AI tools change. Accountable workflows endure. AI is a capability inside a governed workflow, not a replacement for accountability. This is the operating philosophy underneath every Vaival engagement and the frame you should read every clause in the engagement letter against.
  • Human-owned: named workflow owner before AI enters.
  • Governed: ISO/IEC 42001 management system.
  • Measured: evidence, not opinion.
Active certifications

Three independent standards. All current. All verifiable.

Three independent standards running as one integrated management system. Certifications are the floor; the day-to-day discipline is the AI Go-Live Gate below.

ISO/IEC 42001:2023 / AI Management System.

Vaival Technologies was certified to ISO/IEC 42001:2023 on 23 February 2026, less than fifteen months after the standard was published in December 2023. Vaival is among the earliest companies globally to formalize an AI Management System under ISO/IEC 42001. Certificate 2026-00622-PK-42K, issued by MQA Certification UK Ltd. Active to 22 February 2027. Verifiable on the MQA directory.

ISO/IEC 27001:2022 / Information Security Management.

Certificate PK240016, issued by RICI US LLC (IAS Accredited MSCB-104). Active to 15 Aug 2026. Surveillance cycle live. The Information Security Management System governs confidentiality, integrity, and availability of client data. Verifiable on IAF CertSearch.

ISO 9001:2015 / Quality Management.

Certificate PK240062, issued by RICI US LLC (IAS Accredited MSCB-104). Active to 24 Nov 2026. Documented process discipline across delivery, reviewed annually under surveillance audit. Verifiable on IAF CertSearch.

Public market evidence placed BCG among the first 100 globally certified organizations as of January 2026, indicating that global adoption was still in early stages when Vaival completed certification.

The AI Go-Live Gate

Nine elements documented before any AI-assisted step touches your data.

Not a policy document. A working control. Every AI-assisted task in every engagement clears these nine before it ships. Tasks that cannot clear them are deferred or descoped per the engagement letter, not shipped anyway.

1. Workflow owner

Named human on your side with decision authority over the workflow.

2. Workflow boundary

Documented edges of the workflow the AI-assisted task sits inside.

3. Baseline or baseline plan

Pre-AI measurement of the workflow so the change can be evaluated.

4. Source of truth

Authoritative system for the data the model uses. No ambiguity.

5. Approval rule

Who approves outputs, when, and against what threshold.

6. Exception path

What happens when the model is wrong or uncertain. Documented escalation.

7. QA method

Sampling rate, review cadence, and acceptance criteria for AI-assisted output.

8. Operating review cadence

Weekly or biweekly review where AI-assisted work is inspected against baseline.

9. Measurable result

The number the AI-assisted task is supposed to move. Tied to the baseline.

Three commitments that hold every engagement

Three commitments, in writing.

Named accountability on both sides.

Every engagement names a Vaival workflow owner and a client-side workflow owner in the engagement letter, not assigned after kickoff. Weekly operating reviews are calendared from week one. If the named Vaival owner leaves Vaival's employment, the client is notified within five business days and retains right of refusal on the successor.

AI runs where it is auditable.

No model is deployed against your data without an approval rule and a named human owner on your side. Contractual term, not posture. Model changes require re-approval. Access logs retained for the engagement plus twelve months. You retain the right to revoke any model from your data at any operating review.

Your data does not train any model.

All AI model providers used by Vaival operate under enterprise-tier agreements with training-on-customer-data, model fine-tuning on customer inputs, and product improvement on customer outputs all explicitly disabled. This applies to every model provider in our sub-processor list. Sub-processor changes require 30 days' notice.

How revocation works

Three business days from notice to confirmed deletion.

By written notice to the named Vaival owner. The engagement continues; the workflow runs human-only until you and the named owner agree on a replacement approach.

Hour 0: Notice

Written notice to named owner.

Email or contract-channel notice to the named Vaival workflow owner triggers the revocation clock.

Days 1-3: Disable and delete

Access disabled, artifacts deleted.

Model access disabled. Processed-data artifacts (embeddings, fine-tuned weights, cached outputs) deleted. Model provider sub-processor notified.

Day 3: Certified to you

Deletion certified in writing.

Confirmation in writing to the client-side owner. Engagement continues human-only until replacement approach is agreed.

Incident response

72 hours from confirmed event. 5 business days from suspected event.

Material security incidents affecting client data are notified within these windows. The named Vaival workflow owner contacts the client-side owner with status and next steps. The detailed four-step response process is published with the Incident Response SOP, due at Launch + 10 business days.

Confirmed event / 72 hours.

Material security incidents affecting client data are notified to the client-side workflow owner within 72 hours of confirmation. Notification includes nature of incident, categories and approximate number of affected data subjects, likely consequences, and measures taken or proposed. Aligned to GDPR Article 33 timing framework.

Suspected event / 5 business days.

Suspected incidents under investigation are notified within 5 business days of the suspicion threshold being met. Notification names the suspected scope, the open questions, and the next operating review where status will be confirmed.

Where we are today

Honest posture on what is built, committed, and not yet.

In place today

Three active ISO certifications.

42001, 27001, 9001 all current and verifiable. Named accountability in every engagement letter. Weekly operating reviews from week one. Audit logs retained engagement + twelve months. Revocation rights at every operating review.

Committed by engagement letter

Insurance, sub-processors, breach notification.

Current binding: Chubb (ACE American). Technology E&O $1M per claim, Cyber/Privacy/Network Security $1M per claim, $1M shared aggregate. Upgrade in flight: $2M Tech E&O / $2M Cyber / $1M CGL; page updates when the new COI is bound. Sub-processors: List disclosed at scope confirmation with right of refusal; material additions notified 30 days in advance. Breach notification: 72 hours from confirmed event; 5 business days for suspected events under investigation.

Not yet in place

SOC 2 Type II, HITRUST.

Vaival does not hold SOC 2 Type II or HITRUST today. Not on the current roadmap. For procurement workflows that require either, the compensating controls are: ISO/IEC 27001:2022 certification, ISO/IEC 42001:2023 AI management system, and the engagement-letter commitments named above. If SOC 2 Type II is a hard requirement, we will tell you on the first call and recommend the Audit (low-data-access) as the first step, not a continuous-data engagement.

DPA, sub-processors, contracting, jurisdictional

Four procurement-grade specifics.

DPA and data controller posture.

Vaival operates as data processor on workflow data your team retains; you are the data controller. Where your team has a DPA template, Vaival will execute it with mutually agreed amendments for AI sub-processor disclosure. Where you do not, Vaival's template is the IAPP Standard DPA with SCCs Module 2 where cross-border transfer applies.

Sub-processor categories.

Sub-processors operate in defined categories: AI model providers (enterprise-tier with training-on-customer-data disabled), cloud working storage, workspace and video, CRM and intake, scheduling, identity and access. Named sub-processor list maintained as part of the engagement and disclosed at scope confirmation. Material additions notified 30 days in advance with right of refusal.

Contracting entities.

Vaival LLC (Delaware) for US engagements. Vaival FZ-LLC (UAE free-zone) for MENA engagements. Vaival Technologies (Private) Limited (Pakistan) for delivery staffing. Engagement letter names the contracting entity and governing law. Inter-entity data transfers under intra-group agreement or SCCs Module 2.

Jurisdictional mapping.

Operating regimes: GDPR (EU/EEA), CCPA and state privacy law (US), HIPAA-adjacent for US healthcare engagements (BAA on request), PDPL (Saudi Arabia), PDPL (UAE Federal Decree-Law 45/2021), EU AI Act Article 26 supported via ISO/IEC 42001. Detailed mapping: Counsel-signed jurisdictional mapping with specific operational role per regime available on request once external legal counsel sign-off is complete.

Refusals

What we will not do.

Each refusal is reflected in the engagement letter. Published here so the posture is visible before contract.

We do not sell software licenses inside the engagement fee.

Vaival does not bundle third-party software resale into Audit, Sprint, Program, or Pod fees. Tooling decisions stay yours. We integrate with the systems you already run; we do not become a reseller channel. If a tool is required to deliver an outcome, you procure it directly under your terms.

Pod operators do not sign on your behalf.

A Managed Pod runs workflows inside your operation. Pod operators do not hold signature authority, do not bind you to vendors, do not represent your company externally, and do not act as employees of record. Approvals, commitments, and external communications stay with named owners on your side.

No AI model goes live without an approval rule.

Every AI-assisted workflow inside a Pod ships with the nine-element AI Go-Live Gate (Trust section above). No model output reaches a customer, vendor, or downstream system without a named human owner, an approval rule, and a logged review cadence. We will not waive the Gate to hit a deadline.

No year-long auto-renewals on workflows that have changed.

Pod engagements review at quarter and renew on terms that reflect what the workflow has become, not what it was twelve months ago. If a workflow has materially changed, scope, fee, and SLA are re-papered before renewal. Silent annual auto-renewal on stale terms is not how we operate.

Trust as engagement model

Governance is the engagement model, not a marketing layer.

If the trust page reads like the operating posture you want, the next step is a conversation. We start with a governance review of one workflow, then decide together whether a Diagnose engagement makes sense.