Ishavi
Charter Vol. II2026
Rigorous + fair knowledge verification

What we promise. What we protect. What we publish.

Ishavi runs structured AI voice interviews where every recommendation is anchored in transcript evidence and every decision is appealable. This page is the standing record of the controls, certifications, and commitments that back the product.

  1. 01

    Section 01

    Our promises

    The Trust Center is a standing document, not a marketing page. Every commitment listed here is enforced in the product or backed by an active control. When a control is in progress, we say so.

    • Evidence-anchored scoring -- every recommendation cites verbatim transcript excerpts.
    • Mandatory human review on appeal, on a published SLA.
    • Region-pinned data residency from day one; no cross-region replication without explicit tenant consent.
    • No covert surveillance -- the candidate sees the full list of signals captured during a session.
    • No training on customer data without an opt-in, per-tenant, written agreement.
  2. 02

    Section 02

    Security

    Defense-in-depth across transport, storage, identity, and operations. Production reads from a single tenant-scoped key derivation path; nothing in the platform sees more than one tenant at a time except a small list of audited admin paths.

    • TLS 1.2+ everywhere; HSTS preload on ishavi.app.
    • AES-256 server-side encryption at rest (Postgres, R2 object storage).
    • WorkOS for identity; passwordless + SSO supported.
    • Sentry-monitored error budget; incident runbook maintained by the founder.
    • Access reviews of production secrets are a planned operational control as the team grows beyond a solo operator.
    • SOC 2 Type I and Type II are planned, not yet in progress -- no audit engagement is contracted yet (tracked in /.well-known/trust.json).
  3. 03

    Section 03

    Compliance roadmap

    Ishavi is built region-aware from the first commit. The compliance posture matures along a published path; pre-GA tenants get the same controls as GA tenants, marked by their certification stage.

    • GDPR (EU) -- DPA Module 2 SCCs offered; Art. 13 disclosures live; the founder is the named privacy contact, with an external DPO planned as the team grows.
    • DPDP Act (India) -- Significant Data Fiduciary status assessed; consent manager integration scheduled Q4 2026.
    • CCPA / CPRA (California) -- right-to-know, deletion, and opt-out endpoints live.
    • EU AI Act -- limited-risk transparency obligations (Art. 50) live; high-risk obligations under review with outside counsel.
    • NYC Local Law 144 -- candidate-notice text live; bias audit scheduled Q3 2026.
    • ISO/IEC 42001 -- gap assessment Q2 2027.
  4. 04

    Section 04

    AI ethics

    Ishavi is a knowledge-verification system, not a personality predictor. We do not infer protected characteristics, we do not score on accent or gender of voice, and we do not let a single model output close a hiring decision without a human in the loop.

    • Published model card covering intended use, training data sources, evaluation metrics, and known limitations.
    • Demographic-stratified performance reporting (audit pending Q3 2026).
    • Bias incidents reportable directly to privacy@ishavi.app; tracked publicly in the next model-card revision.
    • No emotion inference, lip-sync analysis, or gaze tracking enabled by default; opt-in per job and forcibly off in EU jurisdictions.
    • Candidate Bill of Rights is product, not policy -- every right has an enforcement path.
  5. 05

    Section 05

    Data residency

    Year 1 runs in a single region: ap-south-1 (Mumbai). The schema is region-aware from the first commit -- every tenant carries a region tag and every domain row carries it end-to-end -- so additional regions can be added without a data-model change. Until then, every tenant's data lives in Mumbai.

    • Live today: all tenants on ap-south-1 (Mumbai). Postgres via Supabase; object storage on Cloudflare R2.
    • Planned: eu-central-1 (Frankfurt) for EU tenants, brought online when EU demand calls for it.
    • Planned: us-east-1 for US tenants, on the same residency-routing layer.
    • Planned: a UK residency option with the appropriate transfer mechanism.
    • International transfers today rely on SCC Module 2 (EU controller -> non-EU processor) given the single Mumbai region; per-region residency replaces this as each region lands.
Need something not listed here?

Reach the privacy + security team.

DPA requests, security questionnaires, penetration-test permission requests, and data-subject inquiries all route to the same inbox. We respond within two business days.

Cookie consent

Ishavi uses strictly necessary cookies to run the authentication session and remember your tenant. Analytics and functional cookies are off by default. You can change this at any time on the cookie policy page.