Compliance Made Simple

Compliance FAQ

Answers to frequently asked questions about our compliance, security, and data handling practices

SOC 2 Type II: Certified
GDPR: Compliant
FedRAMP: Authorized
HIPAA: Compliant
containment.ai maintains SOC 2 Type II certification, ISO 27001 certification, and FedRAMP authorization. We are also HIPAA, GDPR, CCPA, FINRA, and PCI-DSS compliant. All certifications are independently audited and renewed annually.
We undergo annual SOC 2 Type II audits, quarterly penetration testing, and continuous vulnerability scanning. Our ISO 27001 certification is renewed annually, and FedRAMP requires continuous monitoring with annual assessments.
Yes, containment.ai is fully GDPR compliant. We provide data processing agreements (DPAs), support data subject access requests (DSARs), implement privacy by design, offer data residency options in the EU, and maintain comprehensive data protection impact assessments (DPIAs).
We offer deployment options in multiple regions including US, EU, UK, and Canada. Enterprise customers can specify data residency requirements, and we ensure all data remains within the specified geographic boundaries. For air-gapped environments, we offer on-premises deployment options.
No, never. Customer data is never used to train AI models—yours or anyone else's. Your prompts, responses, and policies remain completely private and are only used to enforce your governance rules and generate audit logs.
Yes, containment.ai is HIPAA compliant and will sign Business Associate Agreements (BAAs) with covered entities. Our platform includes all required technical safeguards including encryption, access controls, audit logging, and breach notification procedures.
Our BAA covers all HIPAA requirements including permitted uses and disclosures of PHI, safeguards implementation, breach notification procedures, subcontractor management, and termination provisions. We provide standard BAA templates and can accommodate custom requirements.
Yes, we meet requirements for FINRA, SEC, GLBA, and other financial services regulations. Our platform provides complete audit trails, data retention controls, and compliance reporting required by financial regulators. We work with major banks and investment firms.
Yes, containment.ai is PCI-DSS Level 1 compliant. We undergo annual assessments by a Qualified Security Assessor (QSA) and maintain compliance with all 12 PCI-DSS requirements. Our platform can help you maintain PCI compliance when processing payment card data through AI systems.
containment.ai holds FedRAMP Moderate authorization, suitable for federal agencies processing sensitive but unclassified information. We are working toward FedRAMP High authorization for agencies with more stringent security requirements.
Yes, our Enterprise plan includes support for air-gapped and offline deployments. We provide on-premises installation, local policy engines, and offline audit log storage. This is ideal for classified environments, defense contractors, and highly regulated industries.
All data is encrypted using AES-256 at rest and TLS 1.3 in transit. Encryption keys are managed using hardware security modules (HSMs) with automatic key rotation. We support customer-managed encryption keys (CMEK) for Enterprise customers.
We support SSO via SAML 2.0, OAuth 2.0, and OpenID Connect. Multi-factor authentication (MFA) is required for all users. We also support hardware security keys (FIDO2/WebAuthn) and can integrate with your existing identity provider (Okta, Azure AD, Google Workspace, etc.).
We have a formal incident response plan with 24/7 security operations center (SOC) monitoring. In the event of a security incident, we follow our breach notification procedures including customer notification within 24 hours, root cause analysis, and remediation. All incidents are documented and reported to relevant authorities as required.
We collect only the data necessary to operate the service: AI prompts and responses (for policy enforcement), policy configurations, audit logs, user authentication data, and usage metrics. We do not collect unnecessary personal information and provide data minimization controls.
Default retention is 90 days for audit logs and 30 days for AI interaction data. Enterprise customers can configure custom retention policies from 7 days to 7 years. You can export data at any time and request deletion on demand.
Yes, you can delete your data at any time through the platform or by contacting our support team. We provide self-service data deletion tools and will confirm deletion within 30 days. For GDPR compliance, we support the "right to be forgotten" and will delete all personal data upon request.
Yes, we use a limited number of carefully vetted subprocessors for infrastructure (AWS, Google Cloud), monitoring (Datadog), and support (Zendesk). All subprocessors are bound by data processing agreements and undergo security assessments. We maintain a public subprocessor list and provide 30 days' notice of changes.
All subprocessors undergo rigorous security assessments including SOC 2 audit review, security questionnaire completion, contract review for data protection clauses, and ongoing monitoring. We only work with subprocessors that meet our security and compliance standards.
Yes, we provide security white papers, SOC 2 reports, penetration test summaries, and compliance documentation to customers and prospects under NDA. Contact our security team at security@containment.ai to request documentation.

Still Have Questions?

Our compliance and security teams are here to help. We can provide additional documentation, answer specific questions, and work with your team to meet your requirements.

Security Team
Questions about our security practices, or to report a vulnerability
security@containment.ai

Compliance Team
Questions about certifications, audits, or regulatory requirements
compliance@containment.ai

Privacy Team
Questions about data handling, privacy, or GDPR/CCPA compliance
privacy@containment.ai

Ready to Deploy AI with Confidence?

Join organizations across healthcare, financial services, and government that trust containment.ai to secure their AI deployments.