Compliance without
compromise.
AIRMY ships security-first defaults today (TLS 1.3, encrypted credentials, org-scoped RBAC, run history). Formal certifications and audit-ready exports are on the enterprise roadmap — talk to us if you are a design partner.
SOC 2
Readiness
Enterprise roadmap
ISO
27001:2022
Readiness program
HIPAA
Healthcare
BAA Available
GDPR
Data Privacy
DPA Included
/ Certifications
Our certification portfolio.
Independent, third-party audited programmes covering security, privacy, and regulatory compliance across our entire platform.
SOC 2 Type II
Our planned SOC 2 Type II program will cover the Trust Service Criteria for Security, Availability, Confidentiality, and Processing Integrity. Audited annually by an independent CPA firm.
- Scope: All production systems, API, agent runtime, data storage
- Audit period: Jan 2025–Dec 2025
- Next audit: Jan–Dec 2026
ISO/IEC 27001:2022
Information Security Management System aligned to ISO 27001:2022 (certification on roadmap) of the standard. Covers the design, development, and operation of the AIRMY platform.
- Certification body: BSI Group
- Target: design-partner milestone
- Recertification: Oct 2028
HIPAA
HIPAA BAA availability is on the enterprise roadmap for regulated design partners with covered entities and business associates handling Protected Health Information (PHI). Our technical controls meet HIPAA Security Rule requirements.
- BAA: Standard BAA included with Enterprise plan
- Encryption: AES-256 at rest, TLS 1.3 in transit
GDPR
AIRMY acts as both a data controller (for account data) and data processor (for Customer Data). We provide Data Processing Addenda, SCCs, and UK IDTAs. EU and UK data residency options available.
- DPA: Included with Enterprise plan
- Transfers: SCC Module 2 (C→P)
- DPO: dpo@airmy.dev
CSA STAR Level 2
The Cloud Security Alliance STAR Level 2 programme provides third-party validation of our cloud security posture against the Cloud Controls Matrix (CCM).
- Assessment: Annual
- CCM version: v4.0
FedRAMP Moderate
AIRMY is pursuing FedRAMP Moderate authorization to serve U.S. federal government agencies. Currently in the Readiness Assessment phase.
- Target authorization: Q4 2026
- Sponsor agency: In discussion
/ Built-in Compliance Tools
Compliance, built into the platform.
Not bolt-on. Every enterprise plan includes the tooling your security and legal teams need from day one.
1-Click Compliance Reports
Compliance documentation packs are available on request for design partners as controls mature from your dashboard. Covers your specific usage period — no back-and-forth required.
Immutable Audit Logs
Every agent call, API request, and access event logged permanently. Tamper-evident, queryable, and exportable to your SIEM within seconds.
Policy Engine
Define and enforce data handling policies at the agent level. Restrict which agents can access which data categories, enforced at runtime — not just logged after the fact.
/ Data Processing
Where your data lives.
AIRMY operates in two roles under GDPR and equivalent privacy laws. As a data controller, we process your account and billing data to provide the service. As a data processor, we process your Customer Data — the content, inputs, and outputs of your agents — strictly on your behalf and under your instructions.
Our Data Processing Addendum (DPA), available to all Enterprise customers, sets out the full terms of data processing: lawful basis, data subject rights, sub-processors, and technical and organisational measures. The DPA incorporates EU Standard Contractual Clauses (Module 2, controller-to-processor) and UK International Data Transfer Addenda (IDTA).
We publish our full sub-processor list and provide 30 days advance notice of any changes. Customers may object to new sub-processors under the DPA terms.
Download DPAData residency overview
| Data Category | Where Processed | Retention | Your Control |
|---|---|---|---|
| Account data | US-West / EU-West | Life of account | Delete on request |
| Customer Data | Your chosen region | Your policy | Full control |
| Audit logs | Your region + SIEM | Up to 7 years | SIEM export |
| Billing data | US only (Stripe) | 7 years (tax law) | Download PDF |
/ Get Compliance Documentation
All documents, on demand.
Processed by our compliance team within 2 business days.
SOC 2 Type II Report
Full audit report under mutual NDA. Sent within 2 business days of signed NDA.
ISO 27001 Certificate
Public certificate available immediately. No NDA required.
Standard DPA
GDPR/UK GDPR Data Processing Addendum with SCCs and IDTA annexed.
HIPAA BAA
Business Associate Agreement for healthcare customers handling PHI.
All documentation requests are processed by our compliance team within 2 business days.
For custom compliance requirements, contact compliance@airmy.dev
Ready to satisfy your security review?
Our compliance team works directly with your security, legal, and procurement teams.
Talk to our compliance team