Security & Compliance

Built on a foundation of trust.

Theoremic is designed for the enterprise. That means security, data integrity, and auditability are not features — they are the foundation everything else is built on.

Data in Transit & At Rest

All data transmitted to and from Theoremic is encrypted using TLS 1.2 or higher. Data at rest is encrypted using AES-256. We do not store raw ERP data on our systems beyond what is necessary to execute an active workflow.

Access Controls

Theoremic enforces role-based access controls (RBAC) at the platform level. Every agent action is scoped to the permissions explicitly granted during deployment. No agent can read, write, or act on data outside its defined operational boundary.

Human-in-the-Loop by Design

Our Enterprise Guardrails layer ensures that agent decisions above defined risk thresholds are surfaced to human reviewers before execution. Automation does not mean unattended — it means precise, auditable, and accountable.
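The scoping and escalation behaviour described in the two paragraphs above, shown as an added reference pattern (this is illustrative code, not Theoremic's own implementation): an action outside the agent's granted scope is denied outright and never escalated, an in-scope state-changing action above a monetary threshold is parked for human review, and every evaluation, including denials, writes an audit record carrying timestamp and actor context. The names Guardrail, Action and Outcome, the verb vocabulary, the resource names and the threshold value are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum


class Outcome(Enum):
    EXECUTE = "execute"    # in scope and below the risk threshold
    ESCALATE = "escalate"  # in scope but above the threshold: human review first
    DENY = "deny"          # outside the agent's granted scope: never escalated


@dataclass(frozen=True)
class Action:
    agent: str            # deployed identity of the agent making the request
    verb: str             # "read", "write" or "approve" (assumed vocabulary)
    resource: str         # e.g. "invoices" (assumed resource name)
    amount: float = 0.0   # monetary value of the action; drives the risk decision


@dataclass
class Guardrail:
    # Explicit grants fixed at deployment: {agent: {(verb, resource), ...}}.
    # Anything absent is denied (fail closed); an unknown agent has no grants.
    grants: dict
    # Monetary threshold above which a state-changing action needs human review.
    review_threshold: float
    # Append-only audit log; every evaluation is recorded, including denials.
    audit: list = field(default_factory=list)
    # Actions parked for a human reviewer before execution.
    review_queue: list = field(default_factory=list)

    def evaluate(self, action: Action, actor: str) -> Outcome:
        allowed = self.grants.get(action.agent, set())
        if (action.verb, action.resource) not in allowed:
            outcome = Outcome.DENY
        elif action.verb in ("write", "approve") and action.amount > self.review_threshold:
            outcome = Outcome.ESCALATE
        else:
            outcome = Outcome.EXECUTE
        self.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor,            # human or system that triggered the agent
            "agent": action.agent,
            "verb": action.verb,
            "resource": action.resource,
            "amount": action.amount,
            "outcome": outcome.value,
        })
        if outcome is Outcome.ESCALATE:
            self.review_queue.append(action)
        return outcome


def demo() -> dict:
    """Run four constructed sample actions through the guardrail."""
    g = Guardrail(
        grants={"ap-agent": {("read", "invoices"), ("approve", "invoices")}},
        review_threshold=10_000.0,
    )
    results = {
        "small_approve": g.evaluate(Action("ap-agent", "approve", "invoices", 2_500.0), "alice"),
        "large_approve": g.evaluate(Action("ap-agent", "approve", "invoices", 75_000.0), "alice"),
        "out_of_scope": g.evaluate(Action("ap-agent", "write", "vendors"), "alice"),
        "unknown_agent": g.evaluate(Action("rogue", "read", "invoices"), "bob"),
    }
    return {"results": results, "audit_len": len(g.audit), "queued": len(g.review_queue)}


if __name__ == "__main__":
    print(demo())
```

The design point worth noting is the order of the checks: scope is evaluated before risk, so an out-of-scope request is denied rather than sent to a reviewer who might wave it through, and the audit entry is written regardless of outcome so that denied attempts are visible to whoever reads the trail.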

🔒 Encrypted Communications

TLS 1.2+ for all data in transit between Theoremic and your ERP environment.

🛡 Role-Based Access

Scoped permissions per agent, per workflow. Nothing acts beyond what it's been authorised to do.

📋 Full Audit Trails

Every agent decision, action, and escalation is logged with timestamps and actor context.

👤 Human Escalation

High-stakes decisions are flagged for human review before execution — automatically.

Our Current Posture

Theoremic is an early-stage company actively building toward formal certifications. We operate with the security discipline and internal controls consistent with enterprise SaaS standards, and we are on a clear path toward SOC 2 Type II attestation.

Enterprise Integration Standards

We connect to SAP, Oracle, Workday, Coupa, and other ERP platforms via standard enterprise APIs and the Model Context Protocol (MCP). Our integration approach does not require privileged system access or custom connectors that would add attack surface.

Data Residency

We work with pilot partners to understand and accommodate data residency requirements. Customer data is never used to train shared models and is never surfaced across tenant boundaries, under any circumstances.

SOC 2 Type II: In Progress · GDPR-Aligned Practices · Standard Enterprise API Integrations

A note on our stage. Theoremic is currently in pilot deployment with a select group of enterprise partners. Our compliance posture will evolve alongside our certifications. We commit to transparency about where we are and where we are going — and to never overstating our position.

Security Inquiries

Enterprise partners with specific security or compliance questions are encouraged to contact our founding team directly. We are available to discuss architecture, data handling practices, and specific requirements as part of any pilot engagement.

Responsible Disclosure

If you believe you have identified a security vulnerability in Theoremic's platform, we ask that you notify us responsibly before public disclosure. Please reach out directly to our team and we will respond within 48 hours.