ISO 27001:2022, Certified. The Trust Was Engineered Before the Audit.
anyformat is now ISO 27001:2022 certified, and the controls were in place long before the auditor walked in.
In enterprise AI, trust is the bottleneck. Not accuracy, not throughput, not cost per page. Trust. And over the last few years, trust in this industry has been devalued by vendors that treat compliance as a marketing badge, and by a procurement culture that has learned to accept that badge at face value.
anyformat was built to process the most sensitive documents an enterprise has. That requires a level of trust that cannot be performed. It has to be engineered from the first commit, survive independent scrutiny, and hold up on the worst day, not the best.
Today it does. anyformat is ISO 27001:2022 certified.
What ISO 27001:2022 actually is
ISO 27001:2022 is the international standard for Information Security Management Systems. The 2022 revision restructured the Annex A control set into 93 controls grouped under four themes: organizational (37 controls), people (8), physical (14), and technological (34). Those controls cover how an organization governs risk, manages access, protects data, handles incidents, assesses suppliers, and continuously improves its security posture in response to a changing threat landscape.
The certification is not a point-in-time audit. It is a management system certification. What it attests to is that anyformat runs a living ISMS (Information Security Management System): documented, operated, measured, and continuously improved. Surveillance audits follow every year, and full recertification every three. Two documents make the certificate verifiable for a buyer: the certificate itself, which names the certification body and the scope of systems and locations it covers, and the Statement of Applicability, which lists the controls in scope and the justification for any that are excluded.
Our audit was conducted by Prescient Security, an independent accredited certification body. Their role is to test our controls against evidence and operational reality, not to rubber-stamp a checklist produced by an automation platform. That distinction, between a certifier that verifies and a vendor that generates, is the one that increasingly decides whether a certificate is worth the paper it is printed on.
Why we chose the hard path
anyformat built its security architecture before pursuing certification. Encryption at rest with AES-256 and in transit with TLS 1.2 or higher. Identity and access management on a least-privilege model, with MFA on every administrative path. Centralized key management via AWS KMS, with documented rotation. Audit logging across the full document processing pipeline. Network segmentation between environments. These were not controls assembled to satisfy a template. They were the foundation we built the product on, and most of them predate the ISO project by years.
That order matters more than it sounds. When the ISMS precedes the audit, the audit becomes an exercise in verification, not construction. Policies describe what we already do. Evidence reflects what we already produce. Gaps found are real gaps worth fixing, rather than cosmetic ones invented to pass.
The broader context is worth naming. Compliance has been productized to the point where some automated platforms generate pre-filled evidence for controls that were never implemented, and pair that output with auditors who rubber-stamp the result. The recent Delve situation is a public example of what happens when that machinery breaks down. It is a reminder that a certificate is only as good as the rigor behind it.
We chose our auditors for rigor, not for speed. Finding a gap during an audit is a gift. Finding it after a breach is a disaster. That asymmetry is the entire argument for doing this properly, and it is the reason our timeline was measured in months rather than days.
What trust looks like under the hood
At the data protection layer, everything at rest is encrypted with AES-256, and everything in transit is protected by TLS 1.2 or higher. Keys are managed through AWS KMS, with documented rotation and access policies. Data is classified, retained, and disposed of under explicit written rules. Access is least-privilege by default, with MFA on every administrative account and no shared credentials anywhere in the platform.
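The access model described above, as an added example that is not anyformat's own configuration: an AWS KMS key policy that separates the people who administer a key from the workload that uses it, gates every administrative action on MFA, and lets the document-processing role use the key only when the call arrives through S3. The account ID (111122223333), the two role names, and the eu-central-1 region are placeholders chosen for illustration.

```json
{
  "Version": "2012-10-17",
  "Id": "document-pipeline-key-policy",
  "Statement": [
    {
      "Sid": "KeyAdministratorsMustUseMFA",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/KmsKeyAdministrator" },
      "Action": [
        "kms:Describe*", "kms:Get*", "kms:List*",
        "kms:Put*", "kms:Update*", "kms:Enable*", "kms:Disable*",
        "kms:Revoke*", "kms:TagResource", "kms:UntagResource",
        "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"
      ],
      "Resource": "*",
      "Condition": { "Bool": { "aws:MultiFactorAuthPresent": "true" } }
    },
    {
      "Sid": "PipelineRoleUsesKeyOnlyThroughS3",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/DocumentPipelineRole" },
      "Action": [
        "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
        "kms:GenerateDataKey*", "kms:DescribeKey"
      ],
      "Resource": "*",
      "Condition": { "StringEquals": { "kms:ViaService": "s3.eu-central-1.amazonaws.com" } }
    }
  ]
}
```

Two things to check before deploying a policy shaped like this. First, `aws:MultiFactorAuthPresent` is only set for temporary credentials and is not necessarily carried by sessions obtained through SAML or Identity Center federation, so the Bool condition can deny an administrator who did complete an MFA step at the identity provider; that has to be tested with the real login path rather than assumed. Second, this policy grants nothing to the account root, which means the key cannot be repaired through IAM if the administrator role is ever deleted; pair it with a documented break-glass statement or recovery procedure. Annual key rotation is a property of the key itself, switched on with `EnableKeyRotation`, and is not something the policy can express.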
Operational security is run as a process, not a posture. Our secure SDLC separates development and production environments, with security testing wired into the pipeline. Quarterly vulnerability scanning feeds a formal vulnerability management workflow with defined remediation SLAs. Patch management and change management follow written procedures with evidence trails. Logs are retained for at least six months, with anomaly detection layered on top. Our incident response plan is tested periodically and calibrated to the notification obligations of GDPR and our enterprise contracts. Offboarding closes within 24 hours of departure, across every system.
People and governance carry the same weight as the technical layer. Every hire passes background checks and signs NDAs before access is granted. Security awareness training is mandatory and refreshed. Duties are segregated, roles are defined, and a whistleblower channel exists for anyone inside or outside the company to raise a concern. Suppliers are assessed against the same controls we apply internally, and security clauses are embedded in their contracts.
Every field anyformat extracts from a document carries a confidence score, token by token. That is not an ISO control. It is the same principle expressed in the product: if we ask enterprises to trust our outputs, we owe them the ability to verify that trust at the most granular level.
The standard we hold
A certification is a promise, not a stamp. The certificate is now issued, and the work does not stop. Surveillance audits continue. The risk register is updated against real-world threat intelligence, not on an annual calendar. Controls are tested, policies are revised, and new technologies are scoped against the ISMS before they enter production.
anyformat was built for enterprises that cannot afford to discover their vendor's compliance was performative. ISO 27001:2022 is one expression of that commitment. The confidence scores on every extracted field are another. The EU data residency controls are another. They all point in the same direction.
Over the next twelve months the ISMS will expand, not contract. We will widen the scope of testing, tighten detection timelines, and bring new subsystems under the same control set as they go live. Enterprise trust is earned in small increments and lost in a single incident. The certificate is a checkpoint, not a finish line.
A certification that doesn't reflect reality isn't a certification. It's a liability.