Trust Posture — Ambharii Labs

How we handle data

Two columns. Read carefully. We say what we do and what we explicitly do not do, so vendor questionnaires answer themselves.

What Ambharii Labs does

Consulting on AI architecture, evaluation, and security
Ships open-source frameworks (Bulwark, argus-ai, PulseFlow, TorchForge, CLARIFY, ScalableGen)
Hosts a static marketing website on GitHub Pages
Publishes static product demos using public, simulated test data only
Receives email at anil@ambharii.com (Google Workspace)

What Ambharii Labs does NOT do

Store, process, or transmit customer data on our infrastructure
Operate hosted SaaS products
Run shared multi-tenant services
Receive PHI, cardholder data, or other regulated data
Maintain production databases, application servers, or customer data lakes

Compliance alignment for engagements

For each regime, alignment — not certification. Ambharii Labs does not hold these audits. Engagements operate within the client's existing certification regime, with our work providing evidence artifacts the client's auditor can accept.

HIPAA

Engagements involving PHI run on the client's HIPAA-compliant infrastructure. Ambharii does not act as a Business Associate and does not enter into BAAs.

SOC 2

Open-source frameworks produce audit evidence (sealed entries) mapped to SOC 2 controls. Certification of the deployment is held by the client, not by Ambharii.

NERC CIP

For utility-sector work, engagements operate within the client's CIP-013 (supply chain) and CIP-007 (system security) boundaries.

PCI DSS

Payment data handling is scoped to client environments. Ambharii does not store, process, or transmit cardholder data and is therefore out of scope for the client's PCI assessment.

GDPR

Open-source products provide subject query and erasure primitives. The client is the data controller; Ambharii is neither controller nor processor in the GDPR sense.

ISO 27001

Ambharii Labs does not hold ISO 27001 certification. For engagements requiring an ISMS-aligned vendor, we work alongside the client's existing certified providers.

Self-hosted products

Bulwark, argus-ai, PulseFlow, TorchForge, CLARIFY, and ScalableGen are distributed under Apache 2.0. Customers run them on customer infrastructure.

Ambharii has no operational access to deployments and no data egress from customer environments. There is no telemetry, no phone-home, and no managed service component. Once installed, the software runs on the client's compute under the client's compliance regime.

Source code, release artifacts, and SBOM are publicly available on GitHub. Vulnerability disclosure follows each repository's SECURITY.md.

Subprocessors

Static-site infrastructure only. None of the services below receive customer data — because no customer data flows through Ambharii infrastructure in the first place.

Service	Purpose	Customer data?
GitHub (Pages)	Hosts ambharii.com and source repositories	None
Google Workspace	Receives email at anil@ambharii.com	None

If this list ever changes — e.g., we add an analytics provider or a hosted demo — this page is updated and the change is dated.

Security disclosure

For vulnerabilities in our open-source products (Bulwark, argus-ai, etc.), follow the SECURITY.md file in the relevant repository.

For vulnerabilities affecting ambharii.com or general security questions, email anil@ambharii.com. We aim to acknowledge promptly.

Responsible disclosure is welcomed. We will not pursue legal action against researchers who follow standard disclosure practices and act in good faith.

Vendor questionnaires & audit evidence

We respond to standard vendor security questionnaires (CAIQ, SIG Lite, custom client templates) when scoped to actual engagements.

For scoping, send the questionnaire and engagement scope to anil@ambharii.com. Most questions resolve to "out of scope — no customer data on Ambharii infrastructure"; this page is the source for that answer.

Trust posture, plainly stated.