Compliance posture, not compliance theater.
We don’t claim certifications we don’t hold. Below is what’s actually true today, what’s in progress, and what’s on the Enterprise roadmap. Procurement reviewers can request the full Trust Pack under NDA.
Why Most Automation Fails Compliance Audits
Generic tools like Zapier and Make.com don't understand healthcare or financial regulations. One misconfigured workflow = massive fines and reputation damage.
No Audit Trails
Can't prove who accessed what data, when changes were made, or why automated decisions happened.
Data Leakage Risks
PHI/PII flowing through third-party servers you don't control. One breach = $50K+ HIPAA fines per record.
No Access Controls
Everyone on your team can see everything. No role-based permissions, no minimum necessary access.
The controls we run today
These are operational right now — not aspirational. Detail and evidence live in the Trust Pack (available under NDA).
Encryption in transit and at rest
TLS 1.3 on all API connections. Customer data encrypted at rest by Supabase (AES-256, managed keys). Secrets held in Vercel + Supabase environment vaults — never in source.
- No customer data stored in plain text
- TLS 1.3 enforced on every external connection
- Subprocessor key management via Supabase + Vercel
Audit log on privileged actions
Every privileged action writes to audit_log with timestamp, user ID, and the change set. 18-month retention. Exportable for procurement review.
- Who accessed what data, when
- Automated alerts for suspicious activity
- Export logs for auditor review
Row-Level Security at the database
RLS at Postgres is the primary tenant boundary. One customer can never read another customer’s data — enforced by policy on every tenant-scoped table, not by application code alone.
- Owner / admin / staff role separation
- MFA via Google OAuth for staff (magic-link is passwordless)
- Platform-admin allowlist requires manual provisioning
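As an added illustration (not the product's own schema or policies), this is how a Postgres row-level-security policy makes tenant isolation a database property rather than an application one; the bookings and tenant_members tables and their columns are assumptions, and auth.uid() is Supabase's helper for the signed-in user.

```sql
-- Hypothetical schema, constructed for this example (not the product's own).
create table tenant_members (
  tenant_id uuid not null,
  user_id   uuid not null,
  role      text not null check (role in ('owner', 'admin', 'staff')),
  primary key (tenant_id, user_id)
);

create table bookings (
  id        uuid primary key default gen_random_uuid(),
  tenant_id uuid not null,
  customer  text not null,
  starts_at timestamptz not null
);

-- Enable RLS and FORCE it so even the table owner is subject to the policy.
alter table tenant_members enable row level security;
alter table tenant_members force row level security;
alter table bookings enable row level security;
alter table bookings force row level security;

-- A user may see only their own membership rows (no tenant enumeration).
create policy members_self on tenant_members
  for select to authenticated
  using (user_id = auth.uid());

-- One policy covers reads and writes on the tenant-scoped table:
-- USING filters rows the caller can see/update/delete,
-- WITH CHECK rejects inserts or updates that would land in another tenant.
create policy bookings_tenant_isolation on bookings
  for all to authenticated
  using (
    exists (select 1 from tenant_members m
            where m.tenant_id = bookings.tenant_id
              and m.user_id   = auth.uid())
  )
  with check (
    exists (select 1 from tenant_members m
            where m.tenant_id = bookings.tenant_id
              and m.user_id   = auth.uid())
  );

-- Check, run as an authenticated user who belongs to exactly one tenant:
-- other tenants' rows are absent from the result set no matter what the
-- application layer asks for, so this returns 1 (or 0 if they have no rows).
select count(distinct tenant_id) from bookings;
```

Supabase's service_role key bypasses RLS entirely, so it belongs only in trusted server-side code and never in a browser or mobile client.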
Data residency and ownership
Customer data lives in Supabase US by default; EU residency is available on Enterprise. Customers own their data and can request export or deletion at any time.
- US Supabase by default, EU on Enterprise
- Subprocessor list published in the Trust Pack
- Customer-controlled deletion of leads + bookings
Where we are on each framework
We label every framework as certified, in progress, or conscious. No marketing-speak.
HIPAA
We do not currently sign BAAs with subprocessors (Supabase, Anthropic, OpenAI). For HIPAA-adjacent niches (dental, med spa, legal intake), Sophia’s niche prompts are PHI-minimized and the transcript pipeline scrubs PHI before storage. This is best-practice posture, not full HIPAA compliance. If a covered entity must execute a BAA to use Sophia, today they cannot — talk to us about the Q4 BAA-eligible track (Twilio HIPAA-eligible BAA is the first step).
PHI minimization in niche prompts
Sophia is tuned not to solicit diagnoses, insurance IDs, or treatment specifics
PHI scrubbing pipeline before storage
Dental, med spa, and legal intake transcripts pass through a redaction step before they are written to storage
Audit log on every privileged action
18-month retention; tamper-evident; exportable for review
SOC 2 Type II
Engaged with a SOC 2 auditor (Vanta as the GRC platform). Pre-attestation materials and current control mappings are available under NDA for procurement reviewers. Our subprocessors (Vercel, Supabase, Anthropic, OpenAI, Sentry, Stripe, Twilio) are SOC 2 Type II attested today; the gap closes when our own attestation lands.
Security controls operational today
TLS 1.3, encryption at rest, RLS on every tenant table, MFA on staff accounts
Availability monitoring + incident response
Sentry + uptime monitors; IR runbook in docs/production-runbook.md
Annual third-party pen test
Target Q3 2026 to coincide with the SOC 2 audit window. Results available under NDA.
Audit-Ready Documentation Included
We don't just build compliant systems; we document everything auditors need to see.
System Architecture Docs
Data flow diagrams, network topology, security boundaries
Risk Assessments
Threat modeling, vulnerability analysis, mitigation plans
Policies & Procedures
Access control policies, incident response, data handling
Training Materials
Staff security training, acceptable use policies, quiz tracking
The questions enterprise reviewers actually ask
Pulled directly from the Trust Pack. No marketing gloss — what we say to procurement is what we say here.
Are you SOC 2 certified?
SOC 2 Type II in progress, target attestation Q3 2026. Pre-attestation materials available under NDA.
Can you sign our DPA?
Yes — for any customer with EU end-users.
Do you sign BAAs?
Not currently. On the Enterprise roadmap for Q4 2026.
Where is data stored?
Supabase US default; EU available on Enterprise.
RLS or app-layer scoping?
Row-Level Security at Postgres. App-layer is defense-in-depth, not the primary boundary.
Can we run a pen test against your stack?
Yes, under NDA + scope agreement. Mutual right reserved.
Talk to us before you sign
If your security review needs a specific clause, BAA path, or sub-processor list, route to us early. We’ll tell you what we have, what’s in progress, and where we can’t fit yet.