Compliance, plainly stated.
Where we are with each compliance regime, what evidence we can provide, and what is on the roadmap. Updated as our posture changes.
| Regime | Status | Evidence available |
|---|---|---|
| SOC 2 Type II | In observation | CAIQ Lite, SIG Lite (under NDA) |
| HIPAA | BAA available | BAA, control mapping, sub-processor list |
| GDPR | In effect | DPA with SCCs (2021) + UK Addendum |
| CCPA / CPRA | In effect | Self-serve access, deletion, GPC honored |
| ISO 27001 | Roadmap 2027 | Gap assessment underway |
| PCI DSS | Out of scope | Stripe handles all card data |
| FedRAMP / IRAP / StateRAMP | Not in scope | — |
SOC 2 Type II
We are in our SOC 2 Type II observation window. The Type II report attests to operating effectiveness of controls over the Security, Availability, and Confidentiality trust services criteria during the observation period — not just their design at a single point in time.
We are engaged with one of the major continuous-controls-monitoring auditors (Drata / Vanta / Secureframe family). We will name the audit firm publicly here once the engagement letter is fully executed; until then we provide the firm name in writing under NDA on request.
Expected Type II report delivery: Q1 2027. Until that report is in hand, we make available a pre-filled CAIQ Lite and SIG Lite to enterprise prospects under mutual NDA. Email trust@felarity.com with your procurement contact.
HIPAA
Felarity offers a Business Associate Agreement (BAA) on the Professional and Enterprise tiers. We do not sign BAAs on the free tier — the operating controls a BAA requires are not enabled on free accounts.
The HIPAA control surface inside Felarity includes:
- PHI-restricted workspace isolation — meetings flagged as containing PHI are pinned to a single tenant boundary; cross-workspace retrieval is disabled.
- Field-level encryption at rest using AES-128-CBC with HMAC-SHA-256 integrity over sensitive columns (transcripts, contradictions, speaker samples).
- Audit logging of every PHI access — read, export, share, deletion — retained for six years per §164.530(j).
- Right-of-amendment and right-of-access workflows surfaced in account Settings; covered-entity administrators can fulfill §164.524 and §164.526 requests without a support ticket.
- Breach notification within 60 days of discovery per §164.410, with the technical evidence package generated from our attestation chain.
- A current sub-processor list at /trust/subprocessors/ with 30-day advance notice of material changes.
To execute a BAA, request it at /trust/baa/. Standard turnaround is five business days. We will counter-sign your paper or sign ours.
GDPR
When you bring customer or employee content into Felarity, you are the data controller and Felarity is the data processor. Our Data Processing Addendum (DPA) reflects that allocation of responsibility.
The DPA incorporates the EU Standard Contractual Clauses (Commission Decision 2021/914) for transfers from the EEA to third countries, including the United States where our primary compute fleet sits. For transfers originating in the United Kingdom, we incorporate the UK International Data Transfer Addendum (Information Commissioner's Office Addendum to the EU SCCs).
We provide a Transfer Impact Assessment template, the supplementary measures we apply (encryption in transit and at rest, key segregation, transparency on government access requests), and our records of processing activity (Article 30) on request. Request the DPA at /trust/dpa/.
CCPA / CPRA
California residents have the right to know, access, delete, correct, and limit the use of their personal information under the California Consumer Privacy Act as amended by the California Privacy Rights Act.
In Felarity, access and deletion are self-serve. From account Settings, any user can export the full record of their activity (in JSON and CSV) and trigger account deletion. Deletion propagates to primary storage, backups, and the attestation chain index within 30 days; cryptographic hashes in the immutable Merkle chain are retained but contain no recoverable personal data.
We honor the Global Privacy Control (GPC) signal at the browser level as an opt-out request. We do not sell personal information. We do not share personal information for cross-context behavioral advertising. We do not use customer content to train shared models — see our Privacy Policy for the specific commitment.
ISO 27001
On the roadmap for 2027, following SOC 2 Type II delivery. We are running a gap assessment against ISO/IEC 27001:2022 and the corresponding Annex A controls in parallel with the SOC 2 observation window so the second audit can share evidence with the first.
PCI DSS
Out of scope. We never see, store, or process payment card data. Billing is handled by Stripe, a PCI Service Provider Level 1 — the highest validated level. Card numbers are tokenized in the browser via Stripe Elements and never traverse Felarity infrastructure. Our PCI scope is therefore SAQ-A and is satisfied by Stripe's attestation, which we can pass through to your auditor.
Government and sector-specific regimes
FedRAMP, IRAP (Australia), and StateRAMP are not yet in scope. Federal civilian, defense, and state government use cases are not supported today. We will publish a moderate-baseline path when a customer engagement justifies the build.
ITAR-controlled technical data must not be processed in Felarity as a matter of policy. Our compute fleet is United States-based but the platform is not export-controlled and is accessible to authorized users globally; processing ITAR-controlled material would be a violation of the Acceptable Use Policy and grounds for immediate suspension.
Request paperwork
DPA, BAA, MSA, SIG Lite, and CAIQ Lite are all available for procurement review under mutual NDA.
Verify our chain
Every saved session emits an 8-node SHA-256 Merkle attestation signed with Ed25519. Verify a hash against our public key, no Felarity account required.
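As an added example (not Felarity's code), here is what a client-side check of that attestation looks like in Go, treating "8-node" as eight SHA-256 leaves; the leaf format, the RFC 6962-style domain-separation prefixes, the sample session content and the throwaway key standing in for Felarity's published public key are all assumptions.

```go
package main
import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Domain-separated SHA-256 (assumed, RFC 6962 style) so a leaf cannot pose as an internal node.
func hashLeaf(d []byte) []byte    { h := sha256.Sum256(append([]byte{0}, d...)); return h[:] }
func hashNode(l, r []byte) []byte { h := sha256.Sum256(append(append([]byte{1}, l...), r...)); return h[:] }

// merkleRoot folds a power-of-two list of leaf hashes up to the root and records the
// sibling path (inclusion proof) for the leaf at index idx.
func merkleRoot(leaves [][]byte, idx int) (root []byte, proof [][]byte) {
	level := leaves
	for len(level) > 1 {
		proof = append(proof, level[idx^1]) // sibling of the tracked node
		var next [][]byte
		for i := 0; i < len(level); i += 2 {
			next = append(next, hashNode(level[i], level[i+1]))
		}
		level, idx = next, idx/2
	}
	return level[0], proof
}

// verifyInclusion recomputes the root from one leaf hash plus its proof, then checks
// the Ed25519 signature over that root against the published key.
func verifyInclusion(pub ed25519.PublicKey, sig, root, leaf []byte, idx int, proof [][]byte) bool {
	cur := leaf
	for _, sib := range proof {
		if idx&1 == 1 { // tracked node is a right child: sibling goes on the left
			cur, sib = sib, cur
		}
		cur, idx = hashNode(cur, sib), idx/2
	}
	return bytes.Equal(cur, root) && ed25519.Verify(pub, root, sig)
}

// verifySample builds a signed tree over eight constructed leaves (stand-ins for one
// session's inputs, not Felarity's real format; throwaway key in place of Felarity's
// published one) and checks whether claimed is the genuine content of leaf 3.
func verifySample(claimed string) bool {
	leaves := make([][]byte, 8)
	for i := range leaves {
		leaves[i] = hashLeaf([]byte(fmt.Sprintf("session-0001/segment-%d", i)))
	}
	pub, priv, _ := ed25519.GenerateKey(nil)
	root, proof := merkleRoot(leaves, 3)
	sig := ed25519.Sign(priv, root)
	return verifyInclusion(pub, sig, root, hashLeaf([]byte(claimed)), 3, proof)
}
```

A real check would read the root, proof and signature from the attestation and the key from Felarity's published material; the order of the two checks matters, since a valid signature over a root that the presented leaf does not reach proves nothing about that leaf.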
Last updated: June 7, 2026