
Compliance without compromise.

AIRMY's compliance programme covers SOC 2 Type II, HIPAA, GDPR, ISO 27001, and more — with audit-ready documentation available on demand.

  • SOC 2 Type II: Certified Jan 2026
  • ISO 27001:2022: Certified Oct 2025
  • HIPAA (Healthcare): BAA Available
  • GDPR (Data Privacy): DPA Included

Our certification portfolio.

Independent, third-party audited programmes covering security, privacy, and regulatory compliance across our entire platform.

SOC 2 Type II (Certified)

Our SOC 2 Type II report covers the Trust Service Criteria for Security, Availability, Confidentiality, and Processing Integrity. Audited annually by an independent CPA firm.

  • Scope: All production systems, API, agent runtime, data storage
  • Audit period: Jan 2025–Dec 2025
  • Next audit: Jan–Dec 2026

ISO/IEC 27001:2022 (Certified)

Information Security Management System certified to the 2022 revision of the standard. Covers the design, development, and operation of the AIRMY platform.

  • Certification body: BSI Group
  • First certified: Oct 2025
  • Recertification: Oct 2028

HIPAA (BAA Available)

AIRMY signs Business Associate Agreements with covered entities and business associates handling Protected Health Information (PHI). Our technical controls meet HIPAA Security Rule requirements.

  • BAA: Standard BAA included with Enterprise plan
  • Encryption: AES-256 at rest, TLS 1.3 in transit

GDPR (Compliant)

AIRMY acts as both a data controller (for account data) and data processor (for Customer Data). We provide Data Processing Addenda, SCCs, and UK IDTAs. EU and UK data residency options available.

  • DPA: Included with Enterprise plan
  • Transfers: SCC Module 2 (C→P)
  • DPO: dpo@airmy.dev

CSA STAR Level 2

The Cloud Security Alliance STAR Level 2 programme provides third-party validation of our cloud security posture against the Cloud Controls Matrix (CCM).

  • Assessment: Annual
  • CCM version: v4.0

FedRAMP Moderate (In Progress)

AIRMY is pursuing FedRAMP Moderate authorization to serve U.S. federal government agencies. Currently in the Readiness Assessment phase.

  • Target authorization: Q4 2026
  • Sponsor agency: In discussion

Compliance, built into the platform.

Not bolt-on. Every enterprise plan includes the tooling your security and legal teams need from day one.

1-Click Compliance Reports

Audit-ready PDF reports for SOC 2, HIPAA, and GDPR generated instantly from your dashboard. Covers your specific usage period — no back-and-forth required.

Immutable Audit Logs

Every agent call, API request, and access event logged permanently. Tamper-evident, queryable, and exportable to your SIEM within seconds.

Policy Engine

Define and enforce data handling policies at the agent level. Restrict which agents can access which data categories, enforced at runtime — not just logged after the fact.

Where your data lives.

AIRMY operates in two roles under GDPR and equivalent privacy laws. As a data controller, we process your account and billing data to provide the service. As a data processor, we process your Customer Data — the content, inputs, and outputs of your agents — strictly on your behalf and under your instructions.

Our Data Processing Addendum (DPA), available to all Enterprise customers, sets out the full terms of data processing: lawful basis, data subject rights, sub-processors, and technical and organisational measures. The DPA incorporates EU Standard Contractual Clauses (Module 2, controller-to-processor) and UK International Data Transfer Addenda (IDTA).

We publish our full sub-processor list and provide 30 days' advance notice of any changes. Customers may object to new sub-processors under the DPA terms.


Data residency overview

Data Category | Where Processed | Retention | Your Control
Account data | US-West / EU-West | Life of account | Delete on request
Customer Data | Your chosen region | Your policy | Full control
Audit logs | Your region + SIEM | Up to 7 years | SIEM export
Billing data | US only (Stripe) | 7 years (tax law) | Download PDF

All documents, on demand.

Processed by our compliance team within 2 business days.

SOC 2 Type II Report

Full audit report under mutual NDA. Sent within 2 business days of signed NDA.


ISO 27001 Certificate

Public certificate available immediately. No NDA required.


Standard DPA

GDPR/UK GDPR Data Processing Addendum with SCCs and IDTA annexed.


HIPAA BAA

Business Associate Agreement for healthcare customers handling PHI.


For custom compliance requirements, contact compliance@airmy.dev

Ready to satisfy your security review?

Our compliance team works directly with your security, legal, and procurement teams.
