Security & Trust

    Enterprise AI. Governed.

    iTmethods is the trust layer for enterprise AI. This page documents the security posture across the Fortress Family — Reign, Forge, and BioCompute — including certifications, security headers, encryption, tenant isolation, and our vulnerability disclosure policy.

    Certifications & frameworks

    One architecture. Many regulators.

    Forge maintains SOC 2 Type II audit posture continuously. Reign produces regulator-grade evidence mapped to global frameworks. BioCompute extends the same evidence model into FDA, EMA, and HIPAA scope.

    SOC 2 Type II (Forge)

    Certified

    Audit posture maintained continuously since 2018.

    ISO 27001 (AWS Practice)

    Audit posture

    Aligned to the AWS Advanced Tier Services Partner audit posture.

    HIPAA (BioCompute · Reign)

    Evidence-ready

    BioCompute deployments and Reign Evidence Engine produce HIPAA-aligned artifacts.

    FedRAMP (Reign)

    Evidence-ready

    Reign produces evidence aligned to FedRAMP Moderate/High control families.

    EU AI Act (Reign)

    Evidence-ready

    Reign Regulator Packs map to the obligations in AI Act Articles 9, 10, 12, 14, and 15.

    DORA (Reign · Forge)

    Evidence-ready

    Third-party ICT risk evidence and incident reporting mapped to DORA articles.

    FINOS AIGF v2.0 (Reign)

    Evidence-ready

    Reign maps to all 25 AIGF risk categories including the six agentic AI risks.

    21 CFR Part 11 (BioCompute)

    Evidence-ready

    GxP validation and electronic records aligned to FDA 21 CFR Part 11.

    Data practices

    Encryption. Isolation. Evidence.

    The architectural choices regulated enterprises actually need a vendor to be specific about.

    Encryption in transit

    TLS 1.3 with HSTS preload across itmethods.com and all subdomains. No mixed content. Certificate transparency monitored.

    Encryption at rest

    AES-256 across managed infrastructure. Customer-managed keys (BYOK) supported in Forge and BioCompute single-tenant deployments.

    Tenant isolation

    Reign and BioCompute deploy single-tenant by default. Forge supports both managed multi-tenant and dedicated single-tenant operating models.

    Evidence by design

    Reign's Evidence Engine produces tamper-resistant, identity-attributed audit artifacts continuously — not as an end-of-quarter compliance ritual.

    Security headers

    What we send on every response.

    Defense in depth on the marketing surface — verifiable from any browser dev-tools network tab.

    Strict-Transport-Security
    max-age=63072000; includeSubDomains; preload

    HSTS preload — 2-year max-age, all subdomains, browser-baked

    X-Frame-Options
    DENY

    Clickjacking protection — itmethods.com cannot be framed

    X-Content-Type-Options
    nosniff

    MIME-sniffing disabled

    Referrer-Policy
    strict-origin-when-cross-origin

    Referer leak prevention

    Permissions-Policy
    camera=(), microphone=(), geolocation=()

    Camera, microphone, and geolocation APIs disabled for all origins

    Content-Security-Policy
    Report-Only (telemetry mode)

    Active on every response in report-only mode, which reports violations without blocking them; enforced mode rolling out per Cycle 3.2

    Static assets (/_next/static/*) and the dynamic OG image endpoint (/api/og) carry additional cache-control headers tuned for CDN edge serving.
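
The header values listed above can be checked mechanically against a captured response. The following is an added example, not iTmethods' own code: the function names and the sample response are constructed for illustration, and the expected values and the 63072000-second HSTS threshold are taken from this page.

```python
import re
# Header values as documented in the section above.
EXPECTED = {
    "x-frame-options": "DENY",
    "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin-when-cross-origin",
    "permissions-policy": "camera=(), microphone=(), geolocation=()",
}
HSTS_MIN_AGE = 63072000  # two years, the max-age documented above
# Constructed sample (not a real capture): weak HSTS, no nosniff, CSP report-only.
SAMPLE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: DENY
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()
Content-Security-Policy-Report-Only: default-src 'self'
"""

def parse_headers(raw):
    """Parse a raw header block into {lowercased name: value}."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def check_hsts(value):
    """Return the problems found in a Strict-Transport-Security value."""
    directives = [d.strip().lower() for d in value.split(";") if d.strip()]
    ages = [re.fullmatch(r"max-age=(\d+)", d) for d in directives if d.startswith("max-age")]
    ok = bool(ages) and ages[0] is not None and int(ages[0].group(1)) >= HSTS_MIN_AGE
    problems = [] if ok else [f"max-age below {HSTS_MIN_AGE}"]
    return problems + [f"missing {f}" for f in ("includesubdomains", "preload") if f not in directives]

def audit(raw):
    """Return {header: finding} for every deviation from the documented values."""
    h, findings = parse_headers(raw), {}
    for name, want in EXPECTED.items():
        got = h.get(name)
        if got is None or got.replace(" ", "").lower() != want.replace(" ", "").lower():
            findings[name] = "missing" if got is None else f"unexpected value: {got}"
    hsts = check_hsts(h.get("strict-transport-security", ""))  # absent header fails every check
    if hsts:
        findings["strict-transport-security"] = "; ".join(hsts)
    if "content-security-policy" not in h:
        report_only = "content-security-policy-report-only" in h
        findings["content-security-policy"] = "report-only, not enforced" if report_only else "missing"
    return findings
```

An empty result from `audit` means every documented header is present with the documented value and CSP is enforced; a response carrying only `Content-Security-Policy-Report-Only` is reported as a finding because that mode does not block violations.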

    Reporting & contact

    Three ways to reach us.

    Researchers, customers, and audit committees each have a direct path.

    Vulnerability disclosure

    RFC 9116 security.txt at /.well-known/security.txt. Email security@itmethods.com. We acknowledge within 2 business days, triage within 5, and communicate a resolution timeline within 10.

    Compliance & audit evidence

    Customers under contract can request SOC 2, ISO 27001, HIPAA, and DORA evidence through their account team or by emailing trust@itmethods.com.

    Audit-committee briefing

    Board and audit-committee briefings on the Reign evidence architecture, EU AI Act readiness, and DORA third-party AI risk are available on request.

    Direct contact

    Safe-harbor language and response targets are documented in security.txt.

    Where we operate

    iTmethods Inc. is headquartered in Toronto, Canada. We operate in Austin, TX (US Sales & Customer Success) and have engineering, support, and compliance resources in Dublin (Ireland), Bangalore (India), and Eastern Europe. Customer workloads run in regions selected for jurisdiction and data-residency requirements — AWS regions for Forge and Reign, FedRAMP-aligned regions where required, and on-prem or sovereign cloud for BioCompute and Reign single-tenant deployments.

    Read the company overview at itmethods.com/about.