VitruAI Security Posture
The VitruAI Security Posture page sets out, in plain English, how Letzgro, Inc., a Delaware corporation, handles customer model files, project data, and AI-output liability across Revit, ArchiCAD, Rhino, and AutoCAD deployments. It is designed as the artefact forwarded to security review teams, with SOC 2 status and related attestations broker-pending until confirmed.
- Clear data-handling description: what model data leaves your network, where it resides, who can access it, and typical retention windows.
- Documented AI-output liability framing so the architect-of-record keeps authority while VitruAI agents flag, suggest, and draft.
- Transparent compliance posture with SOC 2 status broker-pending and data-region commitments and sub-processor list available on request.
What this trust posture covers.
-
Data handling
VitruAI agents read Revit, ArchiCAD, Rhino, and AutoCAD model files on the customer’s authorised side, typically via a signed add-in such as the VitruAI + Revit integration or an ACC connector. Only structured findings—element IDs, rule references, measurement values, and limited context—leave the customer environment by default. No bulk model upload is required for the Code Compliance Agent or similar workflows unless a customer explicitly enables it for a specific use case. Customers can review and amend a full data-flow inventory, including BIM 360 / ACC paths, at any time as part of the Trust Center pack.
-
Tenant regions
VitruAI workspaces are provisioned into eu-central or me-central tenant regions, with data residency commitments documented per region. Customers choose their tenant region during workspace setup, and that choice governs where structured findings, logs, and configuration data are stored. Multi-region firms can request separate workspaces per geography to keep EU and Middle East projects isolated. Region selection applies consistently across integrations, including VitruAI + Revit desktop add-ins and any BIM 360 / ACC integration used for model access.
-
Sub-processor list
VitruAI maintains a written sub-processor list describing each provider’s role, region, and data categorisation, including whether they handle structured findings, telemetry, or support tickets. Customers receive at least 30 days’ notice before any new sub-processor is added, giving time for internal review or objection under the MSA. The current list, with data-region mapping and service scope, is available on request through the Trust Center pack and is updated when integrations such as BIM 360 / ACC expand.
-
AI-output liability
VitruAI agents flag issues, propose remediations, and draft narratives; the architect-of-record or equivalent licensed professional always reviews and signs. The MSA and its Appendix describe this allocation of responsibility in detail, including examples such as code-check comments from the Code Compliance Agent or clash summaries exported from Revit. VitruAI does not hold itself out as the designer of record, and the tools are configured so that users can see which suggestions were machine-generated before incorporating them into contract documents.
-
SOC 2 status
VitruAI’s SOC 2 posture is broker-pending, with audit firm selection, audit fieldwork, and report publication in progress. Once broker-confirmed, the specific SOC 2 Type, audit period, and report-availability process will be documented in the Trust Center pack and reflected in the MSA security exhibit. Until then, VitruAI follows a written control framework covering access control, change management, incident response, and data retention, and shares control descriptions under NDA for procurement-stage review.
-
Insurance
VitruAI maintains technology errors and omissions coverage, with carrier and policy details available on request once the broker confirms public-disclosure scope. Insurance is structured to align with the allocation of responsibility in the MSA, including AI-output liability framing and exclusions that keep the architect-of-record’s professional duty intact. Procurement teams can review high-level coverage outlines, limits ranges, and notification procedures as part of the Trust Center pack, alongside SOC 2 status and sub-processor information.
Security, compliance, and liability — common questions
-
Where does our model data live?
VitruAI agents typically run on the customer side, for example inside Revit via the VitruAI + Revit integration, so full model files stay on your authorised network or within your chosen CDE. By default, only structured findings such as element IDs, rule references, and measurement values leave your environment, not the entire RVT or IFC. Bulk model upload is an explicit opt-in per workspace, and tenant-region selection (eu-central or me-central) controls where those structured findings and logs are stored.
-
What about the underlying language model?
VitruAI may route prompts to one or more underlying language models as an implementation detail, but customer model data is not used to train any third-party model. Contractual assurances about training restrictions, retention windows, and sub-processor obligations live in the MSA and data-processing Appendix. For workflows such as Code Compliance Agent checks on Revit models or ACC-hosted files via the BIM 360 / ACC integration, prompts are constructed from structured findings rather than raw model uploads wherever possible.
-
What’s VitruAI’s SOC 2 status?
VitruAI’s SOC 2 status is broker-pending, with audit firm engagement and reporting timelines in progress. Once confirmed, the SOC 2 Type, audit period, and report-sharing process will be published through the Trust Center pack for procurement teams. Until then, VitruAI operates against a documented control framework and can provide written descriptions of access control, change management, and incident-response practices under NDA.
-
Who signs off on agent output?
The architect-of-record, or an equivalent licensed professional, always reviews and signs off on any VitruAI agent output that affects contract documents or permit submissions. Agents such as the Code Compliance Agent provide flags, measurements, and suggested remediations, but they do not replace professional judgement or local practice. The MSA and Appendix describe this allocation of responsibility, including examples for code review, clash coordination, and model-cleanup tasks inside tools like Revit and ACC.
-
Is there a Trust Center we can request for our security review?
Yes. Procurement teams can request the VitruAI Trust Center pack through the contact form or via their account representative, and it is typically sent within 1 business day. The pack includes the latest SOC 2 status, sub-processor list, MSA and security Appendix templates, data-flow inventory for integrations such as VitruAI + Revit and BIM 360 / ACC, and AI-output liability framing. Where broker-confirmed, it also includes instructions for requesting the full SOC 2 report under NDA.
Ready to see it on your model?
For procurement-stage diligence, request the VitruAI Trust Center pack. We share current SOC 2 status, sub-processor list, data-flow inventory, and MSA templates within 1 business day so your security team can complete its review without guesswork.
Book a demo