How BTA secures customer engagements
Last updated · May 7, 2026
BTA delivers regulated-industry engagements across financial services, healthcare, defense, energy, and manufacturing. The trust posture below is the foundation we bring to every engagement and is referenced in our Phase 1 Third-Party Risk Review package.
Information security program
- SOC 2 Type I report available; Type II audit underway with bridge letter on request.
- Information security program aligned to NIST CSF 2.0.
- Annual independent vulnerability assessments and penetration tests.
- Documented incident response and breach-notification runbook.
AI governance
- NIST AI Risk Management Framework alignment for engagements involving AI.
- ISO/IEC 42001 alignment where applicable.
- EU AI Act risk-tier classification when in scope.
- Model cards, data cards, and a signed agent-authority matrix per engagement.
Compliance frameworks we support
BTA designs and operates engagements that map to: HIPAA, HITRUST, CMMC 2.0 Level 2, PCI DSS v4.0, SOC 2 Trust Services Criteria, GDPR, NERC CIP, TSA Pipeline Security Directives, NAIC Insurance Data Security Model Law (and state implementations such as NY DFS 23 NYCRR 500), ISA/IEC 62443, ISO 27001, and FedRAMP.
Insurance and accountability
- Cyber insurance coverage maintained; certificate of insurance available on request.
- Errors & omissions and general liability coverage maintained.
- Customer-facing data-handling attestation included with each engagement scope.
Software supply chain
- Software Bill of Materials (SBOM) provided for software shipped as part of an engagement, including the Phase 2 lab stack used for AI engagements.
- Dependency review and provenance verification on every release.
Engagement-level controls
- Named BTA security and privacy contacts for every active engagement.
- Customer-side incident-response contact tree signed at kickoff.
- Mutual data-handling agreement executed before any sensitive data transfer.
- Phase 3A and 3B engagements include a production readiness gate with documented failure-mode and blast-radius tests.
Requesting documentation
SOC 2 reports, the cyber insurance certificate of insurance (COI), the SBOM for in-scope software, the data-handling attestation, and our CMMC project status summary are available under NDA through your BTA point of contact. To start a request, email trust@gobta.com.
Reporting a security concern
To report a vulnerability or a potential security incident, contact security@gobta.com. Sensitive disclosures can be encrypted; we will provide a PGP key on request.