Introduction

Loamist Validator™ is an AI-powered platform that processes trade documentation and validates supply chain compliance for regulated industries. We integrate with Google's Gemini large language models (LLMs) to automate document processing while maintaining enterprise-grade security and privacy.

This whitepaper explains how we handle your data, our security practices, and our approach to building AI tools for regulated supply chains.

Core Commitments

Your Data is Your Data

We process your data only according to your instructions. When you upload trade documents, compliance certificates, or supply chain data to Loamist:

  • Your data remains your data — You control it, you own it, and you can delete it at any time
  • Your data never trains our models — We do not use your documents to improve our systems or train AI models
  • Your data stays within your account — Documents are never shared across organizations
  • Delete anytime — Remove documents via the interface or on request; upon account closure, all data deleted within 30 days

What We Will Not Do

  • We will never sell your data — Your documents and extracted data are never sold or monetized
  • We will never train models on your data — AI processing does not feed back into model training
  • We will never share data across customers — Complete isolation between organizations
  • We will never use your data for advertising — No ads, no tracking, no secondary use

Enterprise-Grade Security and Privacy

  • Encryption everywhere — TLS 1.3 in transit, AES-256 at rest
  • Complete audit trails — Immutable logs of every action, every user, every document
  • Access controls — Role-based permissions with SSO support
  • Certifications in progress — SOC 2 Type II (Q1 2026), ISO 27001 (Q2 2026)

Privacy Principles in Detail

Your Data is Your Data

Customer data belongs to you and only you. When you upload documents to Loamist:

  • Documents are processed using Google's Gemini models via their API — Google does not use Enterprise API customer data to train their models
  • Your data stays within your account and is not shared across organizations
  • You maintain complete control over retention and deletion

Encryption and Security

All data is encrypted at all times:

  • In transit: TLS 1.3 encryption
  • At rest: AES-256 encryption
  • During processing: Documents remain encrypted throughout the validation pipeline

Access control:

  • Role-based permissions control who can upload, review, and approve documents
  • Single Sign-On (SSO) support for Google Workspace (Microsoft Azure AD and SAML in roadmap for 2026)
  • All access logged with user attribution and timestamps

Data Retention

Your data is retained while your account is active:

  • Delete documents at any time via the Loamist interface or on request
  • Upon account closure: all customer data deleted within 30 days

Audit logs retained for 7 years to support regulatory audits — these are immutable records of every processing event, user access, and validation decision.

Security Infrastructure

Cloud Infrastructure on AWS

Enterprise-grade cloud security with multiple layers of protection:

  • Web Application Firewall (WAF) — Protection against common web exploits
  • DDoS protection — AWS Shield for network and transport layer protection
  • Network isolation — VPC segmentation with private subnets for sensitive components
  • Infrastructure monitoring — CloudWatch for real-time monitoring and alerting
  • Compliance foundation — AWS maintains SOC 2, ISO 27001, GDPR, HIPAA, and FedRAMP certifications

AI Processing via Google Gemini API

Secure API integration with Google's enterprise AI:

  • Document processing leverages Google's Gemini models via secure API calls
  • Google's enterprise commitment: API customer data is not used to train models
  • Benefits from Google's AI security infrastructure (prompt injection defenses, adversarial testing)

Application Security Practices

Secure development and operations:

  • Regular security updates and patch management
  • Secure development lifecycle with code reviews
  • Dependency scanning for vulnerabilities
  • Automated security testing in CI/CD pipeline

Authentication and access:

  • Single Sign-On (SSO) support for Google Workspace (Microsoft Azure AD and SAML in roadmap for 2026)
  • Session management with automatic timeout

Monitoring and alerting:

  • Continuous monitoring for suspicious activity
  • Automated alerts for failed authentication, unusual access patterns, or system anomalies
  • Integration with customer SIEM systems available

Compliance and Certifications

Security Certifications In Progress

SOC 2 Type II (Expected February 2026)

  • Independent audit of security, availability, and confidentiality controls in progress
  • All security tests currently passing in Vanta (our compliance monitoring platform)
  • Validates responsible customer data management

ISO/IEC 27001 (Target Q2 2026)

  • Information Security Management System (ISMS) aligned with global standards
  • Systematic approach to managing sensitive information

Industry-Specific Compliance Support

Trade Finance and Letters of Credit:

  • UCP 600 (Uniform Customs and Practice for Documentary Credits) — ICC Publication No. 600, governing international letters of credit across 175+ countries
  • Strict compliance verification for letter of credit terms
  • Commercial invoice validation (description accuracy, amount verification)
  • Transport document verification (bills of lading, cleanliness requirements, signature validation)
  • ISBP 745 (International Standard Banking Practice) — companion guide for document examination

How Loamist Supports Compliance

  • Automated extraction of required data fields with strict compliance verification for letter of credit transactions
  • Geospatial validation for location-dependent compliance requirements
  • Document consistency checking across related documents (invoices, bills of lading, certificates) per UCP 600 Article 14(d)
  • Chain-of-custody audit trails for regulatory claims and certifications
  • Flagging of common discrepancies in documentation (invoice amounts, transport document issues, missing signatures)
  • Compliance reports with supporting documentation

Deployment Options

Current: Cloud Deployment on AWS

Cloud-based SaaS platform in US regions:

  • Load balancing across multiple availability zones within a region
  • Currently deployed in US AWS regions
  • Regional data residency options (including EU) planned for future expansion
  • AWS security features: WAF, Shield DDoS protection, VPC isolation
  • 99.9% uptime target
  • Automatic scaling

Future: On-Premises and Air-Gapped Options

Aligned with Google's infrastructure roadmap:

Google is expanding Gemini availability to on-premises environments via Google Distributed Cloud (GDC), enabling customers to run Gemini models entirely within their own data centers—including air-gapped environments for classified workloads.

Loamist's intent: As Google makes these capabilities available, we plan to offer on-premises deployment options for customers with strict data residency requirements:

  • On-premises — Run Loamist Validator™ in your data center with GDC infrastructure
  • Air-gapped — Complete network isolation for sensitive environments
  • Hybrid — Process sensitive documents on-premises, leverage cloud for other workloads

Timeline: Following Google's GDC roadmap (2025 and beyond)

Why this matters: Customers in regulated industries (government, defense, critical infrastructure, financial services) will be able to use Loamist's AI capabilities without data leaving their premises.

Data Governance

All Customer Data is Confidential

No data classification tiers — everything is treated as confidential and restricted:

  • Only users within your organization can access your documents
  • No cross-organization data sharing
  • No external use for training, advertising, or other purposes
  • Encryption applied uniformly to all data

Audit and Transparency

Chain-of-custody logging:

  • Every document upload, processing event, and user action is logged
  • Logs include timestamps, user IDs, document IDs, and validation decisions
  • Immutable audit trail for regulatory compliance (cannot be altered after creation)

Confidence scoring:

  • AI extractions include confidence scores (0-100%) for each data field
  • Low-confidence extractions flagged for human review
  • Complete visibility into what AI extracted and its certainty level

Data access and portability:

  • Export all data at any time (documents, extracted data, audit logs)
  • Standard formats: JSON, CSV, PDF reports
  • No lock-in — you own your data

Human Review and Validation

AI automation with human oversight for compliance decisions:

Confidence Thresholds

  • High confidence (>90%) — Automatic approval for standard documents
  • Medium confidence (70-90%) — Flagged for human review
  • Low confidence (<70%) — Requires manual processing

Review Interface

  • Side-by-side view of original document and extracted data
  • Highlighting shows where AI found each piece of information
  • Reviewers can accept, correct, or reject extractions
  • All reviews logged in the audit trail

Business Continuity

High Availability

Cloud infrastructure:

  • Load balancing across availability zones with automatic failover
  • Automatic scaling to handle volume spikes

Backup and recovery:

  • Continuous database replication
  • Snapshot backups every 4 hours
  • Recovery Time Objective (RTO): 4 hours
  • Recovery Point Objective (RPO): 1 hour

Monitoring:

  • 24/7 system monitoring
  • Automated alerts for performance degradation or outages

Frequently Asked Questions

Does Loamist use my data to train AI models?

No. Your data is never used to train models. When we process your documents through Google's Gemini API, Google's enterprise commitment ensures that API customer data is not used to train their models. Loamist does not use your documents for any purpose other than processing them according to your instructions.

Who can access my documents?

Only users within your organization can access your documents.

  • Documents are isolated to your account — no cross-organization access
  • Role-based permissions control which users in your organization can view, upload, or approve documents
  • Loamist staff cannot access your data without a legitimate support need and your explicit permission
  • All access is logged in immutable audit trails

What third-party services does Loamist use?

We use carefully selected infrastructure and service providers:

  • AWS — Cloud infrastructure and hosting (SOC 2 Type II, ISO 27001, GDPR certified)
  • Google Gemini API — AI document processing (does not train on your data)

All vendors are bound by strict data processing agreements and only access data to the extent necessary to provide services. AWS, Google, and Inngest maintain enterprise-grade security certifications.

Where is my data stored and processed?

Your data is stored in AWS US regions.

  • Documents are stored at rest in US AWS regions
  • Processing occurs within the same region using regional APIs
  • Google Gemini API calls use regional endpoints to maintain data locality
  • Regional data residency options (including EU) planned for future expansion

How long is my data retained?

Your data is retained while your account is active:

  • Delete documents at any time via the interface or on request
  • Upon account closure, all data is deleted within 30 days
  • Audit logs are retained for 7 years for compliance purposes (these contain metadata, not document content)

Can I export or delete my data?

Yes. You maintain complete control over your data.

  • Export all documents, extracted data, and audit logs at any time
  • Standard formats: JSON, CSV, PDF reports
  • Delete individual documents or bulk delete via the interface
  • No lock-in — you own your data and can take it with you

What happens during AI processing?

Documents are processed securely and never leave your control:

  1. Document uploaded (encrypted in transit via TLS 1.3)
  2. Stored encrypted at rest (AES-256) in your region
  3. Sent to Google Gemini API via encrypted regional endpoint
  4. AI extracts structured data (dates, quantities, entities)
  5. Extracted data returned to Loamist and stored encrypted
  6. Validation rules applied (geospatial checks, compliance verification)
  7. Results logged in immutable audit trail

Your original document never trains any models. Google does not store, log, or use Enterprise API inputs or outputs for model training.

How does geospatial validation work with privacy?

Geospatial validation adds a deterministic layer without compromising privacy:

  • Location data extracted from documents (addresses, coordinates) is validated against satellite imagery and land use databases
  • This validation occurs within our secure infrastructure
  • Location data is stored encrypted alongside other extracted data
  • Only your organization can see the geospatial analysis results

What certifications does Loamist have?

We are actively pursuing enterprise security certifications:

  • SOC 2 Type II — Expected Q1 2026 (all security tests currently passing in Vanta)
  • ISO/IEC 27001 — Target Q2 2026

We inherit additional protections from our infrastructure: AWS maintains SOC 2, ISO 27001, GDPR, HIPAA, and FedRAMP certifications. Google Cloud maintains similar enterprise-grade certifications.

Can I audit Loamist's security practices?

Yes. We support security reviews and questionnaires:

  • Complete security questionnaires for procurement
  • Provide SOC 2 reports once certification is complete
  • Support customer security assessments
  • Maintain detailed audit logs you can review at any time
  • Contact support@loamist.com for security documentation

What happens if there's a data breach?

We maintain incident response procedures:

  • 24/7 security monitoring with automated alerting
  • Defined incident response procedures
  • Customer notification within 72 hours of confirmed breach
  • Coordination with customers on remediation
  • Post-incident analysis and prevention measures

Our infrastructure benefits from AWS and Google's security monitoring and threat detection systems.

Contact Us

For more information about Loamist's security practices, certifications, and compliance capabilities:

Website: www.loamist.com

Support: support@loamist.com

Summary

Loamist provides AI-powered supply chain validation for regulated industries with privacy and security built in from day one.

Core Commitments

  • Your data is your data — You control it, you own it, and you can delete it at any time
  • Your data never trains our models — No model training, no secondary use, no data sharing across customers
  • Enterprise-grade security — Encryption everywhere (TLS 1.3, AES-256), complete audit trails, SOC 2 and ISO 27001 in progress
  • Compliance-focused — Purpose-built for international trade finance, sustainable materials, and regulated supply chains
  • Transparent AI — Confidence scoring and human review for all validation decisions
  • Deployment flexibility — Cloud today, on-premises options planned as Google enables them

What We Will Not Do

  • We will never sell your data
  • We will never train models on your data
  • We will never share data across customers
  • We will never use your data for advertising

We're building Loamist with security, privacy, and compliance as foundational principles. As we grow, we're committed to maintaining these standards while expanding our capabilities to serve regulated supply chains worldwide.