Security

Certifications and Assessments

Paveer holds SOC 2 Type II certification and operates an internal security program that includes continuous in-house security testing. We also engage in annual penetration tests. To request copies of assessment reports, contact security@paveer.com

Paveer maintains a compliance posture to support regulated customers. Our practices include secure code review, device management and EDR, zero-trust access for sensitive systems, OWASP ASVS-aligned development practices, disaster recovery training, and both tabletop and functional vulnerability testing.

• Secure code review and change control with required reviewers
• Company MDM with posture management and EDR on employee devices
• Zero-trust access for remote resources
• OWASP ASVS-aligned development and tooling (e.g., GitHub/GitLab, WAF)
• Disaster recovery and incident response training and exercises
• Continuous in-house security testing plus annual independent penetration testing

Deployment Options

Paveer is delivered exclusively as a web application accessible via modern web browsers or our hosted web app. We do not provide native desktop support. A clients engagement can be offered as demos, proofs-of-concept (POC), and tailored Enterprise solutions.

Hosted demos & POCs

For demos and POCs we provide hosted web access so customers can evaluate features without installing software. These evaluation environments are scoped and time-limited.

Enterprise solutions

Enterprise engagements are delivered via our hosted web app with configurable options to meet security, compliance, and operational requirements (e.g., data handling, SSO, audit logging, and connector-based ingestion). Specific deployment and data residency requirements are handled contractually during onboarding.

SSO via SAML (Microsoft Entra, Okta, Google Workspace, etc.) is supported for Enterprise customers.

Data Flows

Most details below apply to Cloud and Hybrid deployments.

Kinds of requests

• Upload or download: requests are processed logged in or out the service
• Instructive Experience: requests on explicit user documents for report generation.
• Agentic Experience: multiple requests per agent step for Chronos (reasoning steps, tool calls).
• Real-time / Ahead-of-time Personalization: background and embedding requests to build context for specific clients.

Clients send context based data (snippets, large-snippets, documents, unit management). Data is routed to Paveer's infrastructure which may perform inference or route to approved inference providers. Results return to the client and usage analytics (no video data) are logged. All in-transit data is encrypted.

Agentic Experience

Chronos is a collaborative agent that performs multi-step reasoning and tool actions with a human in the loop. Tool calls (grep, ls, edit file, add file, web search) are visible to the user; human approval is required for side-effecting actions. Edits require explicit acceptance before committing.

Contractors and Subcontractors

Depending on plan and deployment, Paveer may use a range of subcontractors. (Third-party list intentionally left partially open; at this moment we are using Vercel and Azure.)

Attribution and Compliance

You own generated outputs to the extent permitted by law. Paveer sanitizes public training data where practicable and applies attribution filtering to minimize risk from non-permissive licenses. Enterprise Hybrid and Self-hosted deployments can enable on-prem attribution and audit logs stored in the customer's tenant.

Client Security

Paveer ingest's video footage from third‑party storage providers or via secure manual upload. We can integrate with your company's existing infrastructure. Including current or future cloud providers, we adapt to your operational and compliance workflows. Deployment options include cloud, hybrid, and self‑hosted connectors so data flows and processing meet your requirements.

Customers acknowledge that data generated by Paveer services is protected by Paveer's security controls as described in our policies and agreements. We work with customers to document responsibilities, align on retention and access controls, and implement contractual and technical safeguards where required.

Paveer assists customers in meeting their security standards by providing guidance on hardening, SSO and access configuration, logging and audit options, and incident response coordination. For integration help or to discuss custom security requirements, contact security@paveer.com.

Data Retrieval

Paveer can automate retrieval of your video data using multiple options tailored to client needs. We retrieve and process content to produce structured reports that support your company’s workflows and analytics. Retrieval methods include secure local upload, encrypted remote transfer, and connector-based ingestion; processing and retention are configurable per deployment and contractual agreement.

To discuss retrieval options or to configure a data retrieval pipeline for your organization, contact your account representative or security@paveer.com.

Zero Data Retention

By default, Paveer uses video data provided by customers to train and improve our models as part of ongoing product development. This use is disclosed and agreed during onboarding for customers that opt into training. For customers with heightened security or compliance needs, Paveer offers an option to prevent their company's security-sensitive video data from being used for model training. If you require this exclusion, please contact your account representative or our security team at security@paveer.com to arrange contractual and technical controls (including zero‑data‑retention settings and deployment options) appropriate to your requirements.

Account Deletion

You can delete your account at any time from your profile.

Vulnerability Disclosures

If you believe you have found a vulnerability in Paveer, please email us at security@paveer.com. We commit to acknowledging legitimate vulnerability reports within 5 business days and addressing them as soon as practicable. Critical incidents will be communicated via email to affected users.