Skip to content
Trust & Compliance

How we earn your trust

Pilon Qubit Ventures is operator-built and audit-trail-first. This page lists what we have, what is in progress, and what we do not yet have, so you can evaluate before you sign. Every claim below is anchored to either a control we operate or a regulation we align to. We do not claim certifications we have not earned.

Last reviewed: July 6, 2026

Compliance posture

Status of every artifact a buyer asks for

If your procurement team needs an artifact that is not listed below, write to legal@pilonqubitventures.com and we will tell you whether it exists, when it will exist, or why it does not apply.

ArtifactStatusDetail
SOC 2 Type II, infrastructureLive

Our hosting, database, payments, voice, and email infrastructure all hold SOC 2 Type II attestations: Vercel (hosting and edge), Supabase (database), Stripe (payments), Google Cloud (Sofia voice), Twilio (telephony). Customer data flows through SOC 2 Type II-attested platforms.

SOC 2 Type II, PQV (own attestation)In Progress

PQV's own SOC 2 readiness work is underway, mapping controls against the AICPA Trust Services Criteria (Security, Availability, Confidentiality). We do not yet claim a PQV-issued SOC 2 attestation; we will publish the report when issued.

Target: Type I target Q4 2026, Type II target Q3 2027

Data Processing Agreement (DPA)On Request

Standard DPA available on request, with Standard Contractual Clauses for international transfers where applicable. We are working to publish a self-serve DPA PDF.

Master Services Agreement (MSA)On Request

Standard MSA available on request. Custom redlines reviewed by our legal operator within 5 business days.

Sub-processor listLive

Published in full below. We notify customers of material additions via email at least 30 days before they take effect, where contract terms require notice.

Privacy PolicyLive

Published on our public site. Describes what we collect, why, and how to exercise rights under GDPR, CCPA/CPRA, and other applicable laws.

Reference: pilonqubitventures.com/privacy

Terms of ServiceLive

Published on our public site. Governs use of the bench and any deliverables produced through it.

Reference: pilonqubitventures.com/terms

Cookies PolicyLive

Published on our public site. Lists every cookie set on our marketing surfaces and the basis for each.

Reference: pilonqubitventures.com/cookies

Breach notification SLALive

Customer notification within 72 hours of CONFIRMED unauthorized access to customer data. Confirmation occurs after our security investigation establishes that unauthorized access in fact took place; the 72-hour clock begins at confirmation, not at the moment of suspicion or alert.

Reference: GDPR Art. 33 (where applicable)

Penetration testRoadmap

External third-party penetration test scheduled alongside SOC 2 Type I engagement. Quarterly internal vulnerability scanning is in place today.

Target: Initial test Q4 2026

Vulnerability disclosureLive

Reports to security@pilonqubitventures.com are triaged within 24 hours. We coordinate disclosure timelines with researchers in good faith.

Sub-processors

Every third-party service that may touch customer data

We use the smallest set of sub-processors we can. We name them all. Material additions are notified to customers under their DPA before taking effect.

Ollama Cloud (Ollama, Inc.)

United States

Large-language-model inference for our AI-powered skills.

Vendor compliance page

Supabase, Inc.

United States

Primary application database (lead-form submissions, account data, audit log) and authentication.

Vendor compliance page

Stripe, Inc.

United States

Payments and subscription billing. PQV does not see or store cardholder data; Stripe is PCI DSS Level 1.

Vendor compliance page

Resend (Resend, Inc.)

United States

Transactional email delivery (briefing confirmations, account notifications).

Vendor compliance page

Twilio Inc.

United States

Telephony and programmable voice for the Sofia AI receptionist phone channel.

Vendor compliance page

Google Cloud (Google LLC), Vertex AI

United States

Native-audio speech model that powers the Sofia AI voice channel (web widget and phone).

Vendor compliance page

Google (Google LLC), YouTube Data API v3

United States

Competitive-analysis skill (/skills/yt-competitive-analysis), channel and video metadata only. No PII transmitted.

Vendor compliance page

Tavily (AlphaAI Technologies Inc.)

United States

AI-search citation probe for the free visibility audit. We send the audited brand or domain and a search query to check whether AI answer engines cite it. No account PII is transmitted.

Vendor compliance page

Hostinger International Ltd.

United States (datacenter region)

Virtual private server hosting for marketing.pilonqubitventures.com and the Sofia AI services.

Vendor compliance page

Vercel, Inc.

United States

Hosting and edge delivery for the public site at pilonqubitventures.com (separate surface from marketing.pilonqubitventures.com).

Vendor compliance page
SMS Communications

How we use text messaging, what you consent to, how to opt out

PQV is registered with The Campaign Registry (TCR) for A2P 10DLC messaging under the LOW_VOLUME use case. This section documents the exact program a buyer or carrier reviewer can verify.

What we send

Transactional notifications only. Three categories:

  • Receipts and confirmations after a discovery call or scoping session you initiated.
  • Callback notifications when you asked us to call you back.
  • Engagement updates to clients with an active Pack engagement.

No marketing messages. No bulk send. Every message includes the brand identifier PQV and reply STOP to opt out, HELP for help.

How you opt in

Three opt-in paths, all explicit and logged:

  • Verbal consent on the phone, captured by Sofia (our AI receptionist) before any SMS is queued. The recording of the consent moment is retained for 30 days.
  • Checkbox on our Discovery Sprint intake or quick intake form. Unchecked by default.
  • Reply START (or YES, SUBSCRIBE) to any PQV number to re-opt-in after a previous STOP.

Every opt-in event is logged with timestamp, source, and (for web) IP address. Consent records are retained for the lifetime of your engagement plus 7 years.

Frequency and rates

Up to 4 messages per month per recipient. Most recipients receive 0 to 2 per month.

Message and data rates may apply depending on your mobile carrier and plan. PQV does not charge for text messages; any charges are between you and your carrier.

Outbound number: +1 (830) 666-3862. Inbound replies route to the same number and are read by a named PQV operator.

Opt out, help, contact

Opt out at any time by replying any of: STOP, STOPALL, CANCEL, END, QUIT, UNSUBSCRIBE, REVOKE, OPTOUT. We process the opt-out immediately and confirm.

For help, reply HELP or INFO and we will reply with contact information.

Questions about your SMS consent or data: privacy@pilonqubitventures.com.

Carrier compliance note: this SMS program is registered with The Campaign Registry (TCR) and reviewed by the major US wireless carriers as part of A2P 10DLC. Our registered Brand is Pilon Qubit Ventures LLC, and our Campaign use case is LOW_VOLUME under the Customer Care and Account Notifications categories. Full review documentation available to procurement on request to legal@pilonqubitventures.com.

Scope of service

Industries we serve, and how we handle regulated requests

The public PQV product targets non-regulated industries by design. Regulated buyers are served only through custom enterprise engagements where the compliance addendum is built into the scope. Pricing is shared in your proposal, not on this page.

Default scope

Standard engagements serve these industries without additional compliance addendums:

  • Veterinary practices, dental groups (non-PHI marketing only), boutique fitness chains, wellness studios.
  • Restaurants, hospitality, home services (HVAC, plumbing, landscaping), retail.
  • B2B SaaS startups, DTC e-commerce brands, course creators, podcasters, marketing agencies.
  • Manufacturers, architecture and engineering firms, auto dealer groups, real estate brokerages.

Regulated industries, custom engagement only

For these sectors, the compliance addendum is built into the engagement scope:

  • Healthcare (HIPAA-bound flows)
  • Legal services
  • Financial advisors and broker-dealers
  • Tax preparation

Available only through a custom enterprise engagement. The engagement scope produces the compliance addendum required for that industry, for example a Business Associate Agreement for healthcare, an IRC §7216 consent flow for tax preparation, or a Model Rule 5.3 vendor-due-diligence package for legal services. Engagement scope and fees are agreed in your signed agreement before work begins. Contact legal@pilonqubitventures.com to scope.

Direct lines

Where to send security, legal, and privacy correspondence

Security

security@pilonqubitventures.com

Vulnerability reports, incident inquiries, customer security questionnaires. Triage within 24 hours.

Legal

legal@pilonqubitventures.com

Contract review, MSA and DPA negotiation, BAA requests, IP and licensing. Initial response within 1 business day.

Privacy

privacy@pilonqubitventures.com

Data-subject access, deletion, and correction requests under GDPR, CCPA/CPRA, and equivalent regimes. Acknowledged within 72 hours.

What we do not have yet

We list the gaps because hiding them creates audit risk and erodes trust. If any item below is a deal-breaker for your procurement team, tell us; we will give you an honest timeline rather than a marketing answer.

  • A finalized SOC 2 Type II attestation. Readiness work is in progress; we will publish the report when issued.
  • ISO 27001 certification. Not on the 12-month roadmap; we may add it after SOC 2 Type II based on customer demand.
  • PCI DSS attestation. We use Stripe for card processing and do not store cardholder data on PQV systems, so we operate as a Stripe merchant rather than a PCI service provider.
  • A self-serve sub-processor change-notification mailing list. Today, notice is delivered through your account contact under the terms of your DPA.
  • An external third-party penetration test report. Scheduled alongside the SOC 2 engagement.

Need a custom DPA, BAA, or full compliance review?

Brief the team and our legal operator will respond within 24 hours with the artifacts your procurement team needs, redlines, and an executed timeline.

This page is informational and does not, by itself, create a contract or grant a license. Specific obligations between you and Pilon Qubit Ventures are governed by your Master Services Agreement, Data Processing Agreement, Business Associate Agreement, and any order form executed by both parties. Where this page and an executed agreement disagree, the executed agreement controls. Contact us for executed copies.

Brief the team once. Ship every week.

Tell us the outcome you want to move: traffic, pipeline, brand, or all three. A named operator owns the ticket end to end. Every output passes a human review pass before it leaves the building, and you see it before the week is out.