Enterprise · Compliance

Compliance without
compromise.

AIRMY ships security-first defaults today (TLS 1.3, encrypted credentials, org-scoped RBAC, run history). Formal certifications and audit-ready exports are on the enterprise roadmap — talk to us if you are a design partner.

SOC 2

Readiness

Enterprise roadmap

ISO

27001:2022

Readiness program

HIPAA

Healthcare

BAA Available

GDPR

Data Privacy

DPA Included

Our certification portfolio.

Independent, third-party audited programmes covering security, privacy, and regulatory compliance across our entire platform.

Roadmap

SOC 2 Type II

Our planned SOC 2 Type II program will cover the Trust Service Criteria for Security, Availability, Confidentiality, and Processing Integrity. Audited annually by an independent CPA firm.

  • Scope: All production systems, API, agent runtime, data storage
  • Audit period: Jan 2025–Dec 2025
  • Next audit: Jan–Dec 2026
Request Report under NDA
Roadmap

ISO/IEC 27001:2022

Information Security Management System aligned to ISO 27001:2022 (certification on roadmap) of the standard. Covers the design, development, and operation of the AIRMY platform.

  • Certification body: BSI Group
  • Target: design-partner milestone
  • Recertification: Oct 2028
View Certificate
BAA Available

HIPAA

HIPAA BAA availability is on the enterprise roadmap for regulated design partners with covered entities and business associates handling Protected Health Information (PHI). Our technical controls meet HIPAA Security Rule requirements.

  • BAA: Standard BAA included with Enterprise plan
  • Encryption: AES-256 at rest, TLS 1.3 in transit
Download Standard BAA
Compliant

GDPR

AIRMY acts as both a data controller (for account data) and data processor (for Customer Data). We provide Data Processing Addenda, SCCs, and UK IDTAs. EU and UK data residency options available.

  • DPA: Included with Enterprise plan
  • Transfers: SCC Module 2 (C→P)
  • DPO: dpo@airmy.dev
Download DPA
Level 2

CSA STAR Level 2

The Cloud Security Alliance STAR Level 2 programme provides third-party validation of our cloud security posture against the Cloud Controls Matrix (CCM).

  • Assessment: Annual
  • CCM version: v4.0
View STAR Registry
In Progress

FedRAMP Moderate

AIRMY is pursuing FedRAMP Moderate authorization to serve U.S. federal government agencies. Currently in the Readiness Assessment phase.

  • Target authorization: Q4 2026
  • Sponsor agency: In discussion
Join Early Access

Compliance, built into the platform.

Not bolt-on. Every enterprise plan includes the tooling your security and legal teams need from day one.

1-Click Compliance Reports

Compliance documentation packs are available on request for design partners as controls mature from your dashboard. Covers your specific usage period — no back-and-forth required.

Immutable Audit Logs

Every agent call, API request, and access event logged permanently. Tamper-evident, queryable, and exportable to your SIEM within seconds.

Policy Engine

Define and enforce data handling policies at the agent level. Restrict which agents can access which data categories, enforced at runtime — not just logged after the fact.

Where your data lives.

AIRMY operates in two roles under GDPR and equivalent privacy laws. As a data controller, we process your account and billing data to provide the service. As a data processor, we process your Customer Data — the content, inputs, and outputs of your agents — strictly on your behalf and under your instructions.

Our Data Processing Addendum (DPA), available to all Enterprise customers, sets out the full terms of data processing: lawful basis, data subject rights, sub-processors, and technical and organisational measures. The DPA incorporates EU Standard Contractual Clauses (Module 2, controller-to-processor) and UK International Data Transfer Addenda (IDTA).

We publish our full sub-processor list and provide 30 days advance notice of any changes. Customers may object to new sub-processors under the DPA terms.

Download DPA

Data residency overview

Data CategoryWhere ProcessedRetentionYour Control
Account dataUS-West / EU-WestLife of accountDelete on request
Customer DataYour chosen regionYour policyFull control
Audit logsYour region + SIEMUp to 7 yearsSIEM export
Billing dataUS only (Stripe)7 years (tax law)Download PDF

All documents, on demand.

Processed by our compliance team within 2 business days.

SOC 2 Type II Report

Full audit report under mutual NDA. Sent within 2 business days of signed NDA.

Request Report

ISO 27001 Certificate

Public certificate available immediately. No NDA required.

Contact sales

Standard DPA

GDPR/UK GDPR Data Processing Addendum with SCCs and IDTA annexed.

Request DPA

HIPAA BAA

Business Associate Agreement for healthcare customers handling PHI.

Request BAA

All documentation requests are processed by our compliance team within 2 business days.
For custom compliance requirements, contact compliance@airmy.dev

Ready to satisfy your security review?

Our compliance team works directly with your security, legal, and procurement teams.

Talk to our compliance team