Trust · Compliance
Audited where it matters. Signable where it counts.
Compliance only matters if you can put it on paper. Below: the frameworks we operate under, the agreements we sign, and what to ask for in procurement.
Frameworks
Where we are, today.
SOC 2 Type II
Annual Type II report covering Security, Availability, and Confidentiality. Audit by an AICPA-registered firm. Report available under NDA on request.
ISO/IEC 27001
ISMS in scope; certification in progress. Statement of Applicability and gap-analysis available to enterprise prospects under NDA.
HIPAA
Platform configured for HIPAA workloads. We sign a Business Associate Agreement (BAA) covering ePHI processed on dedicated Instances.
GDPR / UK GDPR
Article 28 processor terms in our DPA, with EU Standard Contractual Clauses and the UK IDTA incorporated by reference for cross-border transfers.
CCPA / CPRA
We operate as a Service Provider for California residents' personal information. The DPA includes the CPRA processor commitments and applicable data-subject rights flow-through.
PCI DSS
We are not a card-data processor. The platform is generally used to reduce scope: cardholder data should not be stored on Instances. We support segmentation patterns that keep your CDE narrow.
Reports & artifacts
What you can ask for, and how.
| Artifact | Available | How to get it |
|---|---|---|
| SOC 2 Type II report | Yes | Mutual NDA, then secure share |
| Penetration-test summary | Yes (annual) | Mutual NDA, then secure share |
| Vulnerability-scan summary | Yes (monthly) | Enterprise customers on request |
| Subprocessor list | Yes | Public, on the DPA |
| Data-flow diagrams | Yes | Mutual NDA, then secure share |
| Business continuity / DR plan summary | Yes | Enterprise customers on request |
| Information security policy | Yes (summary) | Mutual NDA, then secure share |
| CAIQ v4 / SIG Lite responses | Yes | Procurement contact on request |
Signable agreements
The contracts you'll actually need.
Master Services Agreement (MSA)
Our standard cloud-services agreement. Linked below in full. Enterprise Agreements supersede it for commitments of six months or longer.
Data Processing Addendum (DPA)
GDPR Article 28 processor terms, SCCs / UK IDTA incorporated, CPRA Service Provider language, sub-processor list and notification obligations.
Business Associate Agreement (BAA)
Required for HIPAA workloads. Signed at the entity level, not per-Reservation. Covers ePHI on dedicated Instances.
Mutual NDA
Standard mutual NDA available for procurement diligence. We can sign yours; we have one ready if you don't.
Acceptable Use Policy (AUP)
Lives inside the MSA as Exhibit B. Defines what workloads are allowed and how violations are handled.
Service Level Agreement (SLA)
Lives inside the MSA as Exhibit A. Standard credits hour-for-hour; enhanced commitments on Enterprise Agreements.
Data residency
Where your workloads run.
We operate in dedicated regions in North America and Europe today. Customers may pin Reservations to a specific region; we will not move workloads or backups out of the chosen region without prior written consent. Cross-border transfers under the DPA rely on the EU SCCs (modules 2 and 3) and, where applicable, the UK IDTA. Our subprocessor list and the locations where each processes data are published in the DPA.
Ready to start procurement?
NDA, then SOC 2, then questionnaire — most teams clear diligence in a week.