How we earn your trust.
Felarity processes some of the most sensitive conversations an organization has. These are the controls, the paperwork, and the cryptographic proof behind that responsibility.
Controls at a glance
Three layers do the work: what your data is wrapped in, who can reach it, and what we can prove after the fact. Each one is enforced by code, not policy.
Wrapped end to end
At rest: Fernet AES-128-CBC with HMAC-SHA256 authentication on every transcript, contradiction record, and audio chunk. Keys are workspace-scoped and rotated on a documented schedule.
In transit: TLS 1.3 only. HSTS preload. No mixed content. Internal service-to-service traffic is mutually authenticated.
Least privilege by default
Multi-factor authentication is required for every account. Single sign-on (Google Workspace, Microsoft Entra, Okta SAML) is available on Professional and Enterprise tiers.
Role-based workspace permissions separate viewers, analysts, and admins. Sessions expire. Tokens are revocable from the admin console.
Cryptographic, not aspirational
Every meeting closes with an 8-node SHA-256 Merkle attestation chain, signed with our Ed25519 organizational key. The result is a write-once, hash-linked ledger of what the system saw and what it concluded.
Any third party can verify a report against our published public key. We cannot rewrite history without it being mathematically obvious.
Compliance status
We publish where we are, not where we want to be. The statuses below are honest about what is in production, what is in observation, and what is on the roadmap.
| Framework | Status | Notes |
|---|---|---|
| SOC 2 Type II | In observation | Observation window opened with a Big Four-affiliated auditor. Final report expected Q1 2027. Bridge letter and current controls matrix available under NDA. |
| HIPAA BAA | Available on request | Business Associate Agreement available for Professional and Enterprise customers handling Protected Health Information. Request through /trust/baa/. |
| GDPR | Data processor | We act as the data processor on behalf of customer-controllers. Standard Contractual Clauses are incorporated by reference in our DPA. EU customer data is hosted in EU regions. |
| CCPA / CPRA | Compliant | We honor verified consumer opt-out, access, and deletion requests within statutory windows. Workspace admins can self-serve deletion from the admin console. |
| ISO 27001 | Roadmap 2027 | Gap analysis complete. Stage 1 audit scheduled to follow SOC 2 Type II issuance. |
| Penetration testing | Scheduled | Annual third-party penetration test scheduled with a CREST-accredited firm. Executive summary shared on request post-engagement. |
The attestation chain
Every Felarity report is accompanied by an eight-node Merkle tree whose leaves are SHA-256 hashes of the source artifacts: the audio segments, the diarization output, the transcript, the contradiction set, the NLI re-scoring, the topology analysis, the council synthesis, and the speaker attribution. The root of that tree is signed with our Ed25519 organizational key.
The practical consequence: a report is verifiable by any third party with our published public key. A regulator, an opposing counsel, or your own internal audit team can confirm that what they are looking at is exactly what the pipeline produced, untouched, on the date claimed.
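The build-then-verify split described above, as an added example that is not Felarity's own code: eight constructed artifact stand-ins are hashed into SHA-256 leaves, folded into a Merkle root, and the root is signed with an Ed25519 key; a verifier holding only the public key recomputes the root from the artifacts it received and checks the signature. The leaf encoding, the 0x00/0x01 domain-separation prefixes, and the throwaway key pair are assumptions, since the page does not publish those details.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed stand-ins for the eight artifacts; the real leaf encoding is not on the page (assumption).
var Artifacts = [][]byte{
	[]byte("audio segments"), []byte("diarization output"), []byte("transcript"), []byte("contradiction set"),
	[]byte("NLI re-scoring"), []byte("topology analysis"), []byte("council synthesis"), []byte("speaker attribution"),
}
// MerkleRoot hashes each artifact into a leaf, then folds pairs upward to a single root. Leaves (0x00)
// and interior nodes (0x01) get different prefixes so a node cannot pose as a leaf; an unpaired node is carried up.
func MerkleRoot(artifacts [][]byte) []byte {
	level := make([][]byte, 0, len(artifacts))
	for _, a := range artifacts {
		h := sha256.Sum256(append([]byte{0x00}, a...))
		level = append(level, h[:])
	}
	for len(level) > 1 {
		next := make([][]byte, 0, (len(level)+1)/2)
		for i := 0; i < len(level); i += 2 {
			if i+1 == len(level) {
				next = append(next, level[i])
				break
			}
			h := sha256.Sum256(append(append([]byte{0x01}, level[i]...), level[i+1]...))
			next = append(next, h[:])
		}
		level = next
	}
	return level[0]
}
// SignRoot is the publisher's side (private key); VerifyReport is any third party's side (public key only).
func SignRoot(priv ed25519.PrivateKey, artifacts [][]byte) []byte {
	return ed25519.Sign(priv, MerkleRoot(artifacts))
}
func VerifyReport(pub ed25519.PublicKey, artifacts [][]byte, sig []byte) bool {
	return ed25519.Verify(pub, MerkleRoot(artifacts), sig)
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // throwaway key pair, assumption
	sig := SignRoot(priv, Artifacts)
	tampered := append([][]byte{}, Artifacts...) // copy, then edit one leaf after signing
	tampered[2] = []byte("transcript, edited after the fact")
	fmt.Println(VerifyReport(pub, Artifacts, sig), VerifyReport(pub, tampered, sig)) // true false
}
```

Changing any one leaf changes the root, so the stored signature no longer verifies; the verifier never needs the private key or any trust in the party that handed it the artifacts.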
Subprocessors
We use a small, deliberate set of subprocessors for hosting, payments, and email. The full list — with purpose, location, and DPA links — is maintained on a dedicated page and is updated when the list changes. We give 30 days' notice before adding a new subprocessor that handles customer content.
Get the paperwork
Procurement, legal, and security review teams can pull the documents they need without a sales call.
Data Processing Addendum
Our DPA, including Standard Contractual Clauses for international transfers. Counter-signed copies returned within two business days.
Request DPA
Business Associate Agreement
HIPAA BAA for Professional and Enterprise customers processing PHI. Includes breach notification and minimum-necessary commitments.
Request BAA
Security overview
Architecture diagrams, control mappings, encryption details, and the current SOC 2 controls matrix under NDA.
Security details
Report a vulnerability
We run a coordinated disclosure program for security researchers. Reports are acknowledged within two business days, triaged within five, and credited in our hall of fame when the reporter consents. We do not pursue legal action against researchers who follow the program in good faith.
Status
Real-time service status, incident history, and scheduled maintenance windows live on a separate status page that is operated independently of our primary infrastructure. We post initial acknowledgement of any user-facing incident within 15 minutes of detection.