Ishavi
Charter Vol. II, 2026
Rigorous + fair knowledge verification

What we promise. What we protect. What we publish.

Ishavi runs structured AI voice interviews where every recommendation is anchored in transcript evidence and every decision is appealable. This page is the standing record of the controls, certifications, and commitments that back the product.

    Section 01: Our promises

    The Trust Center is a standing document, not a marketing page. Every commitment listed here is enforced in the product or backed by an active control. When a control is in progress, we say so.

    • Evidence-anchored scoring -- every recommendation cites verbatim transcript excerpts.
    • Mandatory human review on appeal, on a published SLA.
    • Region-pinned data residency from day one; no cross-region replication without explicit tenant consent.
    • No covert surveillance -- the candidate sees the full list of signals captured during a session.
    • No training on customer data without an opt-in, per-tenant, written agreement.
    Section 02: Security

    Defense-in-depth across transport, storage, identity, and operations. Production reads from a single tenant-scoped key derivation path; nothing in the platform sees more than one tenant at a time except a small list of audited admin paths.

    • TLS 1.2+ everywhere; HSTS preload on ishavi.app.
    • AES-256 server-side encryption at rest (Postgres, R2 object storage).
    • WorkOS for identity; passwordless + SSO supported.
    • Sentry-monitored error budget; on-call rotation documented in the runbook.
    • Quarterly access reviews of production secrets and bastion hosts.
    • SOC 2 Type I target: Q4 2026. SOC 2 Type II target: Q3 2027.
    Section 03: Compliance roadmap

    Ishavi is built region-aware from the first commit. The compliance posture matures along a published path; pre-GA tenants get the same controls as GA tenants, marked by their certification stage.

    • GDPR (EU) -- DPA Module 2 SCCs offered; Art. 13 disclosures live; DPO on retainer.
    • DPDP Act (India) -- Significant Data Fiduciary status assessed; consent manager integration scheduled Q4 2026.
    • CCPA / CPRA (California) -- right-to-know, deletion, and opt-out endpoints live.
    • EU AI Act -- limited-risk transparency obligations (Art. 50) live; high-risk obligations under review with outside counsel.
    • NYC Local Law 144 -- candidate-notice text live; bias audit scheduled Q3 2026.
    • ISO/IEC 42001 -- gap assessment Q2 2027.
    Section 04: AI ethics

    Ishavi is a knowledge-verification system, not a personality predictor. We do not infer protected characteristics, we do not score on accent or gender of voice, and we do not let a single model output close a hiring decision without a human in the loop.

    • Published model card covering intended use, training data sources, evaluation metrics, and known limitations.
    • Demographic-stratified performance reporting (audit pending Q3 2026).
    • Bias incidents reportable directly to privacy@ishavi.app; tracked publicly in the next model-card revision.
    • No emotion inference, lip-sync analysis, or gaze tracking enabled by default; opt-in per job and forcibly off in EU jurisdictions.
    • Candidate Bill of Rights is product, not policy -- every right has an enforcement path.
    Section 05: Data residency

    Tenants pick a region at sign-up; every domain row carries that region end-to-end and the application refuses to read across the boundary. Cross-region access requires an explicit, audited override and the tenant's written consent.

    • EU tenants: ap-south-1 Mumbai -- to be replaced by eu-central-1 Frankfurt in Q3 2026.
    • US tenants: us-east-1.
    • IN tenants: ap-south-1 Mumbai (Supabase) with R2 EU as the storage fallback for legal holds.
    • UK tenants: Frankfurt with adequacy decision; addendum on request.
    • International transfers: SCC Module 2 (EU controller -> non-EU processor); EU-US Data Privacy Framework self-certification pending.
Need something not listed here?

Reach the privacy + security team.

DPA requests, security questionnaires, penetration-test permission requests, and data-subject inquiries all route to the same inbox. We respond within two business days.