Compliance posture

What we’re compliant with — and what we’re not.

Honest table of our current status across 9 frameworks. We never claim a certification we do not hold. "In progress" means there is a real audit window with a target date. "Attestable" means we follow the controls but there is no formal certification we can hand you as a PDF.

2 compliant · 4 in progress · 1 attestable · 2 out of scope

What each status means

Compliant
We follow the framework and can stand behind that claim today.
In progress
We are actively pursuing certification; target date listed.
Attestable
No formal certification exists, but we attest to the controls. Documentation available on request.
Out of scope
The framework does not apply to our service or scope.

SOC 2 Type II

In progress

Audit window Q4 2026. Working with Vanta on evidence collection, change control, vendor risk, and incident response.

Target: Q1 2027 (audit window Q4 2026)
We do not claim certification until we receive the report. Enterprise prospects can request the under-NDA Type I bridge letter.

GDPR (Art. 28 Processor)

Compliant

DPA template available with the sub-processor list embedded inline. Standard Contractual Clauses (Module 2) for EEA transfers. A standalone sub-processor page and EU-only data residency are both on the roadmap.


HIPAA

In progress

Encryption in transit (TLS 1.2+) and at rest (Supabase-managed). Audit log with an actor_is_agent field, so agent-initiated actions can be told apart from human ones. EU/US data segregation. A BAA template draft is in progress; a HIPAA-friendly mode and a BAA-signing path will ship with the planned Enterprise tier. HIPAA has no formal certification scheme; the most any vendor can offer is attestation to the controls plus a signed BAA.

No signed healthcare design partner yet (per /factory/customers; slots open). BAA-signing readiness depends on the Enterprise tier and is on the roadmap.

CCPA / CPRA

Compliant

Right to know, right to delete, right to opt out of sale (we never sell personal information). The 12-month look-back is honored. Per-user DSAR workflow in /admin.


ISO 27001

In progress

Following ISO 27001 controls as part of SOC 2 prep — same evidence collection and process work covers both. Formal ISO certification will follow SOC 2 if Enterprise demand justifies the audit cost.

Target: Q2 2027, if demand warrants
A SOC 2 report is generally accepted in lieu of ISO 27001 in US enterprise procurement. EU and APAC buyers may require ISO 27001; flag this to sales early.

EU AI Act

In progress

Working through the EU AI Act readiness checklist: per-use-case risk classification (drafting), Article 14 human-oversight assertions for high-risk paths (drafting), and transparency disclosures to data subjects when factory output is user-facing (planned). No code in lib/factory/ implements EU AI Act controls yet.

The EU AI Act entered into force in August 2024. Its first obligations (prohibited practices and AI literacy) have applied since February 2025, and most high-risk obligations apply from August 2026. We are not yet conformant; readiness work is in progress and no certification is claimed.

PCI-DSS

Out of scope

We do not process, store, or transmit card data. Stripe handles all payment processing and is a PCI-DSS Level 1 service provider. If your generated app handles card data itself rather than through Stripe, that PCI scope is yours, not ours.

If you need to generate apps that process cards directly (not via Stripe), reach out to sales — we have a PCI-aware build template in private beta.

FedRAMP

Out of scope

We have no FedRAMP authorization and do not currently serve US federal customers. If you have a USG mandate, talk to us: we can scope a private deployment, but we cannot offer FedRAMP-authorized shared infrastructure.

Target: not on roadmap

NIST AI Risk Management Framework

Attestable

GOVERN / MAP / MEASURE / MANAGE practices are documented internally. Bias and fairness monitors are live for code-generation paths. A hash-chained audit log records the model, prompt, and output for every build, so an entry cannot be altered or removed from the middle of the log without breaking the chain.
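The hash-chained log mentioned above, as an added illustration of the technique; this is not OOretz Factory's code, and the field names, the SHA-256 choice, and the all-zero genesis value are assumptions:

```python
import hashlib
import json
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # prev_hash for the first entry (assumed convention)


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_hash(prev_hash: str, record: Dict[str, str]) -> str:
    """Hash of one entry = SHA-256(prev_hash || canonical JSON of the record).

    Sorted keys and no whitespace so that re-serialising the record later
    yields the same bytes and therefore the same hash."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return _sha256_hex(prev_hash.encode() + canonical)


def append_build(log: List[dict], build_id: str, model: str, prompt: str, output: str) -> dict:
    """Append one build record, linking it to the previous entry's hash.

    Prompt and output are stored as digests so the log can be shared with an
    auditor without leaking their content; the raw text lives elsewhere."""
    record = {
        "build_id": build_id,
        "model": model,
        "prompt_sha256": _sha256_hex(prompt.encode()),
        "output_sha256": _sha256_hex(output.encode()),
    }
    prev_hash = log[-1]["entry_hash"] if log else GENESIS
    entry = {"record": record, "prev_hash": prev_hash, "entry_hash": entry_hash(prev_hash, record)}
    log.append(entry)
    return entry


def verify_chain(log: List[dict]) -> Tuple[bool, Optional[int]]:
    """Walk the chain; return (ok, index of the first bad entry or None)."""
    expected_prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev_hash"] != expected_prev:
            return False, i  # link to the previous entry is broken
        if entry_hash(entry["prev_hash"], entry["record"]) != entry["entry_hash"]:
            return False, i  # record was edited after hashing
        expected_prev = entry["entry_hash"]
    return True, None


def demo() -> dict:
    # Constructed sample builds; contents are placeholders.
    log: List[dict] = []
    append_build(log, "b-001", "model-a", "generate a login form", "<form>...</form>")
    append_build(log, "b-002", "model-a", "add password reset", "def reset(): ...")
    append_build(log, "b-003", "model-b", "harden CSP", "Content-Security-Policy: ...")
    intact = verify_chain(log)

    # Tamper 1: rewrite which model produced build 2 without recomputing hashes.
    log[1]["record"]["model"] = "model-z"
    edited = verify_chain(log)
    log[1]["record"]["model"] = "model-a"  # restore

    # Tamper 2: silently drop the middle entry.
    shortened = log[:1] + log[2:]
    truncated = verify_chain(shortened)
    return {"intact": intact, "edited": edited, "truncated": truncated}


if __name__ == "__main__":
    print(demo())
```

The chain makes edits and deletions inside the log detectable, but it says nothing about the tail: an attacker who controls the storage can drop the newest entries and the remaining prefix still verifies. A real deployment anchors the latest entry_hash outside the log (published, signed, or written to a separate system) so that truncation is detectable too.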


Need a security questionnaire response?

Email [email protected] with your questionnaire (CAIQ, SIG, custom). We aim to return within 5 business days. Enterprise prospects can also request our under-NDA SOC 2 progress report.

© 2026 OOretz Factory · We never claim a cert we don’t have