Skip to content

Early Access opens July 12 · $99/mo · all suites during the launch window · price locked through Q1 2027 · Join the waitlist →

Our Compliance Commitments

We practice what we preach — an agent-based defensibility platform, workflow-grounded, built by compliance experts who hold ourselves to the same standards we help our customers achieve.

Certifications & Standards

We're committed to earning and maintaining industry-leading certifications that demonstrate our commitment to security, privacy, and operational excellence.

SOC 2 Type 2

In Progress

Comprehensive security and operational controls audit covering system availability, processing integrity, confidentiality, and privacy.

Expected Completion: Q3 2026

Our systems are being audited against the AICPA TSC framework to demonstrate effective controls over critical security domains.

GDPR

Compliant

Full compliance with EU General Data Protection Regulation for processing personal data of EU residents.

Status: Active compliance

We maintain DPA (Data Processing Agreement) available for customers. Lawful basis documented for all processing activities.

HIPAA

Ready

Health Insurance Portability and Accountability Act compliance for healthcare data protection and integrity.

Status: Ready for healthcare use

BAA (Business Associate Agreement) available for healthcare customers. Encryption and audit controls are in place.

ISO 27001

Planned

International standard for information security management systems covering all aspects of information security.

Timeline: Q4 2026

We're preparing our certification pursuit to formalize our comprehensive information security management practices.

CCPA/CPRA

Compliant

California Consumer Privacy Act and California Privacy Rights Act compliance for California resident data.

Status: Active compliance

We honor all California privacy rights including access, deletion, opt-out, and data portability requests within statutory timelines.

Data Processing & Locations

Transparency about where and how your data is processed is foundational to our compliance philosophy.

Primary Infrastructure

All customer data is processed exclusively in Google Cloud Platform (GCP) US regions, ensuring data residency compliance for US and international customers.

Sub-Processors

We maintain a documented list of sub-processors available to customers. Changes to sub-processors come with advance notice and opt-out rights.

Data Processing Agreements

Standard DPA available for all customers. We commit to standard contractual clauses (SCCs) for international data transfers.

Encryption & Security

Data in transit uses TLS 1.2+, and sensitive data at rest is encrypted with AES-256. Encryption keys are managed separately from data.

Our Compliance Philosophy

Why we take compliance seriously — because we built a defensibility platform.

We practice what we preach. We built acipta.ai to help organizations navigate complex regulatory landscapes, which means we must hold ourselves to the same exacting standards we help our customers achieve.

Our 117 specialized AI agents (at Full GA August 23, 2026) continuously monitor multiple frameworks across our organization. We use acipta's own agent-based defensibility platform to track our regulatory obligations, identify gaps, and maintain audit readiness. This isn't just good business — it's how we ensure our product actually solves the problems we claim to solve.

When our customers implement acipta to manage their compliance requirements, they're partnering with a vendor who has walked in their shoes. We understand the operational burden of compliance, the cost of non-compliance, and the confidence that comes from working with a team that lives compliance daily.

Regulatory Monitoring & Updates

The compliance landscape evolves constantly. Here's how we stay current and ahead of regulatory change.

Continuous Monitoring

We use our own audit-defensibility agents to monitor regulatory updates across frameworks and geographies relevant to our business and customers.

Expert Review

Regulatory changes are reviewed by our compliance team and external counsel to assess impact and required actions.

Proactive Updates

Policy and procedure updates are implemented prospectively to maintain compliance well ahead of deadline cutoffs.

Customer Communication

We communicate compliance updates to customers through our security and compliance blog, and direct notification for material changes.

What You Can Expect From Us

Our commitments to you as a compliance partner.

Annual Audits

We undergo independent security and compliance audits annually to verify the effectiveness of our controls and our compliance posture.

Transparent Reporting

Summary reports of our compliance status and certifications are available to customers upon request without NDA requirements.

72-Hour Breach Notification

In the unlikely event of a security breach affecting customer data, we commit to notification within 72 hours with clear details and remediation steps.

Data Protection by Design

Data protection and compliance are built into our platform architecture, not added afterward. Every feature is reviewed for compliance implications.

Documentation Available on Request

We provide comprehensive documentation to support your compliance and procurement teams.

SOC 2 Report

Our SOC 2 Type 2 attestation report (August 30, 2026) demonstrating design of security controls across security domains.

Available Q3 2026

Data Processing Agreement (DPA)

Standard contractual terms for personal data processing, including GDPR compliance language.

Available now

Business Associate Agreement (BAA)

HIPAA-compliant agreement for healthcare data processing and storage.

Available now

Sub-Processor List

Complete list of our sub-processors with data processing purposes and locations.

Available now

Security Whitepaper

Detailed documentation of our security architecture, encryption methods, and control implementation.

Available now

Privacy Policy

Complete privacy policy detailing how we collect, use, and protect customer and user data.

Available now

Need Compliance Documentation?

Our compliance team is ready to support your audit, procurement, or vendor assessment process.

Contact Compliance Team
Related guides

Go deeper

HIPAA compliance platform

Per-§164 PHI evidence, BAA available, 6-year retention.

EU AI Act compliance

GPAI + Annex III evidence, per article.