Our Compliance Commitments
We practice what we preach — an agent-based defensibility platform, workflow-grounded, built by compliance experts who hold ourselves to the same standards we help our customers achieve.
Certifications & Standards
We're committed to earning and maintaining industry-leading certifications that demonstrate our commitment to security, privacy, and operational excellence.
SOC 2 Type 2
In ProgressComprehensive security and operational controls audit covering system availability, processing integrity, confidentiality, and privacy.
Expected Completion: Q3 2026
Our systems are being audited against the AICPA TSC framework to demonstrate effective controls over critical security domains.
GDPR
CompliantFull compliance with EU General Data Protection Regulation for processing personal data of EU residents.
Status: Active compliance
We maintain DPA (Data Processing Agreement) available for customers. Lawful basis documented for all processing activities.
HIPAA
ReadyHealth Insurance Portability and Accountability Act compliance for healthcare data protection and integrity.
Status: Ready for healthcare use
BAA (Business Associate Agreement) available for healthcare customers. Encryption and audit controls are in place.
ISO 27001
PlannedInternational standard for information security management systems covering all aspects of information security.
Timeline: Q4 2026
We're preparing our certification pursuit to formalize our comprehensive information security management practices.
CCPA/CPRA
CompliantCalifornia Consumer Privacy Act and California Privacy Rights Act compliance for California resident data.
Status: Active compliance
We honor all California privacy rights including access, deletion, opt-out, and data portability requests within statutory timelines.
Data Processing & Locations
Transparency about where and how your data is processed is foundational to our compliance philosophy.
Primary Infrastructure
All customer data is processed exclusively in Google Cloud Platform (GCP) US regions, ensuring data residency compliance for US and international customers.
Sub-Processors
We maintain a documented list of sub-processors available to customers. Changes to sub-processors come with advance notice and opt-out rights.
Data Processing Agreements
Standard DPA available for all customers. We commit to standard contractual clauses (SCCs) for international data transfers.
Encryption & Security
Data in transit uses TLS 1.2+, and sensitive data at rest is encrypted with AES-256. Encryption keys are managed separately from data.
Our Compliance Philosophy
Why we take compliance seriously — because we built a defensibility platform.
We practice what we preach. We built acipta.ai to help organizations navigate complex regulatory landscapes, which means we must hold ourselves to the same exacting standards we help our customers achieve.
Our 117 specialized AI agents (at Full GA August 23, 2026) continuously monitor multiple frameworks across our organization. We use acipta's own agent-based defensibility platform to track our regulatory obligations, identify gaps, and maintain audit readiness. This isn't just good business — it's how we ensure our product actually solves the problems we claim to solve.
When our customers implement acipta to manage their compliance requirements, they're partnering with a vendor who has walked in their shoes. We understand the operational burden of compliance, the cost of non-compliance, and the confidence that comes from working with a team that lives compliance daily.
Regulatory Monitoring & Updates
The compliance landscape evolves constantly. Here's how we stay current and ahead of regulatory change.
Continuous Monitoring
We use our own audit-defensibility agents to monitor regulatory updates across frameworks and geographies relevant to our business and customers.
Expert Review
Regulatory changes are reviewed by our compliance team and external counsel to assess impact and required actions.
Proactive Updates
Policy and procedure updates are implemented prospectively to maintain compliance well ahead of deadline cutoffs.
Customer Communication
We communicate compliance updates to customers through our security and compliance blog, and direct notification for material changes.
What You Can Expect From Us
Our commitments to you as a compliance partner.
Annual Audits
We undergo independent security and compliance audits annually to verify the effectiveness of our controls and our compliance posture.
Transparent Reporting
Summary reports of our compliance status and certifications are available to customers upon request without NDA requirements.
72-Hour Breach Notification
In the unlikely event of a security breach affecting customer data, we commit to notification within 72 hours with clear details and remediation steps.
Data Protection by Design
Data protection and compliance are built into our platform architecture, not added afterward. Every feature is reviewed for compliance implications.
Documentation Available on Request
We provide comprehensive documentation to support your compliance and procurement teams.
SOC 2 Report
Our SOC 2 Type 2 attestation report (August 30, 2026) demonstrating design of security controls across security domains.
Available Q3 2026
Data Processing Agreement (DPA)
Standard contractual terms for personal data processing, including GDPR compliance language.
Available now
Business Associate Agreement (BAA)
HIPAA-compliant agreement for healthcare data processing and storage.
Available now
Sub-Processor List
Complete list of our sub-processors with data processing purposes and locations.
Available now
Security Whitepaper
Detailed documentation of our security architecture, encryption methods, and control implementation.
Available now
Privacy Policy
Complete privacy policy detailing how we collect, use, and protect customer and user data.
Available now
Need Compliance Documentation?
Our compliance team is ready to support your audit, procurement, or vendor assessment process.
Contact Compliance TeamGo deeper
HIPAA compliance platform
Per-§164 PHI evidence, BAA available, 6-year retention.
EU AI Act compliance
GPAI + Annex III evidence, per article.