Trust Center

Verifiable, on the record.

Blankstate is the independent measurement layer for interactions. The same standard we ask of the systems we observe — deterministic, honest, accountable — applies to the way we run the company. This is the single place to read what we publish, see our certification status, and request the confidential corpus under NDA.

data residency: UK / LATAM / IN / NA · UK single primary region · on-premise on request
PII retention: none beyond sign-in & user profile
AI in data path: self-hosted · no third-party API AI provider
identity: self-hosted · no external IdP in the data path

Posture

Status quo.

The Blankstate ecosystem is operated to a control baseline aligned with ISO/IEC 27001, SOC 2 Trust Services Criteria, and NIST CSF. Controls are enforced in the platform itself and evidenced continuously through audit logs, telemetry, and periodic internal review. The platform persists no personal data beyond what is structurally necessary to operate it: sign-in identifiers and user-profile records for authenticated platform users. Interaction content is processed into deterministic, projected measurements ("energy"); the original content is not persisted, and the measurements themselves carry no PII. Cloud and on-premise deployments are both available under the same architectural commitments.

Self-hosted authentication, AES-256-GCM encryption of sensitive fields, instant cross-store token revocation, and a glass-box deterministic measurement model are operative today. Continuous internal vulnerability scanning runs against every build; a formal CREST-accredited external penetration test is scheduled for 2026. The certification portfolio below is being expanded in the order set by the company roadmap.
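For readers assessing what "AES-256-GCM encryption of sensitive fields" should mean in practice, the following is an added illustration written for this page; it is not Blankstate's code and nothing on the page describes the platform's actual implementation. It assumes a 32-byte key obtained from a secrets store, a fresh 12-byte random nonce per encryption stored in front of the ciphertext, and additional authenticated data (AAD) that binds each ciphertext to its record ID and field name so a value copied between rows or columns fails to decrypt; the AAD layout and the nonce || ciphertext encoding are assumptions, not the platform's format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrBadCiphertext is returned for truncation, wrong key, wrong AAD and tampering alike:
// AES-GCM yields a single authentication-failure signal, and callers should not be able
// to distinguish which of those occurred.
var ErrBadCiphertext = errors.New("field ciphertext failed authentication")

const nonceSize = 12 // standard GCM nonce length

// fieldAAD binds a ciphertext to the record and column it was written for (assumed layout).
// The NUL separator prevents "user-4" + "2email" from colliding with "user-42" + "email".
func fieldAAD(recordID, fieldName string) []byte {
	return []byte(recordID + "\x00" + fieldName)
}

// newGCM builds an AES-256-GCM AEAD; a key of any other length is rejected up front.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField returns nonce || ciphertext || tag. A fresh random nonce per call is mandatory:
// both confidentiality and integrity of GCM collapse if a (key, nonce) pair is ever repeated.
func EncryptField(key []byte, recordID, fieldName string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce slice, giving nonce || ciphertext || tag.
	return gcm.Seal(nonce, nonce, plaintext, fieldAAD(recordID, fieldName)), nil
}

// DecryptField reverses EncryptField and fails closed on any authentication problem.
func DecryptField(key []byte, recordID, fieldName string, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < nonceSize+gcm.Overhead() {
		return nil, ErrBadCiphertext
	}
	nonce, ct := blob[:nonceSize], blob[nonceSize:]
	pt, err := gcm.Open(nil, nonce, ct, fieldAAD(recordID, fieldName))
	if err != nil {
		return nil, ErrBadCiphertext
	}
	return pt, nil
}

func main() {
	// In production the key comes from the secrets store; a random key stands in here.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	blob, err := EncryptField(key, "user-42", "email", []byte("alice@example.com"))
	if err != nil {
		panic(err)
	}
	if _, err := DecryptField(key, "user-42", "email", blob); err != nil {
		panic(err)
	}
	// The same bytes presented under another record ID are rejected by the AAD check.
	_, err = DecryptField(key, "user-43", "email", blob)
	fmt.Println("cross-record replay rejected:", errors.Is(err, ErrBadCiphertext))
}
```

The checks worth running against any such implementation are the ones `main` and the tests exercise: round-trip succeeds, the same plaintext never produces the same blob twice, and moving a ciphertext to another record or field, flipping a byte, truncating the blob, or using a different key all fail with the same error.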

Certifications & standards

Active, in flight, on roadmap.

  • Cyber Essentials

    Certified

    UK NCSC scheme — Cyber Essentials certification held; cyber insurance in force. Cyber Essentials Plus pathway scoped for the following cycle.

  • ISO/IEC 27001

    In process

    Information Security Management System. Scope, Statement of Applicability, Risk Management Framework, Gap Analysis, and Internal Audit Plan already maintained internally.

  • ISO/IEC 42001

    In process

    AI Management System. AIMS scope, AI System Inventory, AI Impact Assessment template, and Model Cards already maintained internally.

  • SOC 2 (Type II)

    In process

    Trust Services Criteria mapped against the current control set; engagement to follow ISO 27001 certification.

  • ISO/IEC 27701

    Deferred

    Privacy Information Management. Re-evaluated after ISO 27001 certification; the underlying privacy controls are operative today (see BKS-DPP-001).

  • NIST AI RMF

    Aligned

    Operating practice aligned to the NIST AI Risk Management Framework; see BKS-AI-001.

Confidential corpus

Available under NDA.

The following policies are released under NDA on request. They make up the remainder of the Blankstate InfoSec corpus and are the documents customers usually ask for in technical due diligence.

Request  ·  security@blankstate.ai

  • BKS-ISP-001 Information Security Policy: umbrella security baseline, ISO 27001 / SOC 2 / NIST CSF aligned.
  • BKS-RMF-001 Risk Management Framework: identify · classify · measure · treat · monitor · report.
  • BKS-BCP-001 Business Continuity Plan: RTO/RPO commitments, supplier contingencies, test programme.
  • BKS-DRP-001 Disaster Recovery Plan: nine named recovery scenarios with statement-level procedures.
  • BKS-CMP-001 Crisis Management Plan: SEV1 activation, decision authority matrix, post-crisis review.
  • BKS-BIA-EX-001 Business Impact Analysis (example): methodology applied to the IBF measurement service.
  • BKS-TPR-001 Third-Party Risk Management: supplier categories, selection, onboarding, monitoring, exit.
  • BKS-ICP-001 Incident Communication Protocol: severity-driven SLAs, message templates, post-incident report.
  • BKS-AUP-001 Acceptable Use Policy: clear desk, BYOD, mobile, password, removable media, AI tools.
  • BKS-AC-001 Access Control Policy: identity model, joiner/mover/leaver, MFA, privileged access, quarterly reviews.
  • BKS-CRY-001 Cryptography Policy: approved algorithm classes (AES-256-GCM, memory-hard password hashing, TLS 1.2+); key management in a managed secrets store.
  • BKS-SDP-001 Secure Development Policy: SSDLC, branch protection, code review, SAST/SCA, environment separation.
  • BKS-VM-001 Vulnerability & Patch Management: continuous scanning, annual CREST penetration test (from 2026), CVSS-tiered remediation SLAs.
  • BKS-CHG-001 Change Management Policy: four change classes, separation of duties, emergency-change path.
  • BKS-LM-001 Logging & Monitoring Policy: mandatory log content, managed cloud logging, no PII in logs, alerting.
  • BKS-AM-001 Asset Management Policy: asset register, ownership, classification, disposal.
  • BKS-ICH-001 Information Classification & Handling: Public / Internal / Confidential / Restricted, with handling matrix.
  • BKS-HRS-001 People Security Policy: screening, onboarding, training, role change, offboarding.
  • BKS-ABC-001 Anti-Bribery & Anti-Corruption: UK Bribery Act 2010 / FCPA; gifts and hospitality thresholds.
  • BKS-AF-001 Anti-Fraud Policy: prevention controls, segregation of duties, detection, reporting channels, investigation procedure.
  • BKS-ATA-001 Anti-Trust & Competition Policy: UK Competition Act 1998, EU TFEU, US Sherman Act; prohibited conduct, training, reporting.
  • BKS-WHB-001 Speak-Up (Whistleblower) Policy: confidential / anonymous reporting; non-retaliation; PIDA-aligned.
  • BKS-RR-001 Records Retention Policy & Schedule: 30 retention categories; defensible deletion; legal hold.
  • BKS-SAN-001 Sanctions & Trade Compliance Policy: OFSI / OFAC / EU / UN screening; restricted jurisdictions; light-touch AML/CTF.
  • BKS-ORG-001 Organisational Chart (source notes): source notes for the governance org-chart PDF.

Contact

Bring your questionnaire.

We respond to security and due-diligence requests directly. Each address below covers a distinct topic: incident reports, vulnerability disclosure and questionnaires go to the security address; DPA negotiation and other processor / controller matters go to the DPO.

dpo@blankstate.ai

Data-subject requests, processor / controller questions — the DPO.

security@blankstate.ai

Due-diligence questionnaires, vulnerability disclosure, incident reports.

fair@blankstate.ai

Responsible-AI and AI-governance questions — see BKS-AI-001.

speakup@blankstate.ai

Confidential, accepts anonymous reports — see BKS-WHB-001.