Compliance Made Simple

Compliance FAQ

Answers to frequently asked questions about our compliance, security, and data handling practices

containment.ai does not currently hold formal compliance certifications. We are actively pursuing SOC 2 Type II, ISO 27001, and FedRAMP, and our platform is designed from the ground up to map to HIPAA, GDPR, CCPA, FINRA, and PCI-DSS requirements. We are building to these standards now, with formal certification audits on our 2026 roadmap. We are also aligned with AARM (Autonomous Action Runtime Management) v1.0 — the Cloud Security Alliance specification governing autonomous AI agent action runtime.
We conduct continuous vulnerability scanning today. As we complete our certification roadmap, we will establish independent audit and penetration-testing cycles for SOC 2 Type II and ISO 27001, along with continuous monitoring for FedRAMP.
Yes, containment.ai is designed to be GDPR compliant. We provide data processing agreements (DPAs), support data subject access requests (DSARs), implement privacy by design, offer data residency options in the EU, and maintain comprehensive data protection impact assessments (DPIAs).
We offer deployment options in multiple regions including US, EU, UK, and Canada. Enterprise customers can specify data residency requirements, and we ensure all data remains within the specified geographic boundaries. On-premises and air-gapped deployment are on our Enterprise roadmap and not yet generally available.
No, never. Customer data is never used to train AI models, yours or anyone else's. Your prompts, responses, and policies remain completely private and are only used to enforce your governance rules and generate audit logs.
containment.ai is designed to support HIPAA technical safeguards including encryption, access controls, audit logging, and breach notification procedures, and we expect to offer Business Associate Agreements (BAAs) to Enterprise customers. We are not yet independently HIPAA-attested; HIPAA is on our compliance roadmap.
Our planned BAA is designed to cover HIPAA requirements including permitted uses and disclosures of PHI, safeguards implementation, breach notification procedures, subcontractor management, and termination provisions. BAA availability is part of our HIPAA roadmap; contact us to discuss your covered-entity requirements.
containment.ai is designed for financial-services data-handling requirements, mapping policy enforcement, audit trails, and data-retention controls to obligations relevant to FINRA, SEC, and GLBA. We do not yet claim formal attestation for these regimes.
PCI-DSS assessment is on our compliance roadmap; containment.ai is not yet PCI-DSS assessed. We do not store cardholder data as part of normal operation, and our platform is designed to help you maintain PCI controls when payment card data passes through AI systems.
containment.ai does not currently hold FedRAMP authorization. FedRAMP is on our compliance roadmap, and our underlying cross-domain technology is designed against NSA cross-domain standards. See the roadmap below.
On-premises and air-gapped deployment are on our Enterprise roadmap and not yet generally available. Planned capabilities include on-premises installation, local policy engines, and offline audit log storage for classified environments, defense contractors, and highly regulated industries. Contact us to discuss high-assurance deployment requirements.
All data is encrypted using AES-256 at rest and TLS 1.3 in transit. Encryption keys are managed using hardware security modules (HSMs) with automatic key rotation. We support customer-managed encryption keys (CMEK) for Enterprise customers.
We support SSO via SAML 2.0, OAuth 2.0, and OpenID Connect. Multi-factor authentication (MFA) is required for all users. We also support hardware security keys (FIDO2/WebAuthn) and can integrate with your existing identity provider (Okta, Azure AD, Google Workspace, etc.).
We have a formal incident response plan with continuous monitoring. In the event of a security incident, we follow our breach notification procedures including timely customer notification, root cause analysis, and remediation. All incidents are documented and reported to relevant authorities as required.
We collect only the data necessary to operate the service: AI prompts and responses (for policy enforcement), policy configurations, audit logs, user authentication data, and usage metrics. We do not collect unnecessary personal information and provide data minimization controls.
Default retention is 90 days for audit logs and 30 days for AI interaction data. Enterprise customers can configure custom retention policies from 7 days to 7 years. You can export data at any time and request deletion on demand.
Yes, you can delete your data at any time through the platform or by contacting our support team. We provide self-service data deletion tools and will confirm deletion within 30 days. For GDPR compliance, we support the "right to be forgotten" and will delete all personal data upon request.
Yes, we use a limited number of carefully vetted subprocessors for infrastructure (AWS, Google Cloud), monitoring (Datadog), and support (Zendesk). All subprocessors are bound by data processing agreements and undergo security assessments. We maintain a public subprocessor list and provide 30 days' notice of changes.
All subprocessors undergo rigorous security assessments including SOC 2 audit review, security questionnaire completion, contract review for data protection clauses, and ongoing monitoring. We only work with subprocessors that meet our security and compliance standards.
Yes, we provide security white papers, penetration-test summaries (as available), and our compliance roadmap to customers and prospects under NDA. SOC 2 Type II is in progress. Contact our security team at security@containment.ai to request documentation.

Still Have Questions?

Our compliance and security teams are here to help. We can provide additional documentation, answer specific questions, and work with your team to meet your requirements.


Security Team

Questions about our security practices or to report a vulnerability

security@containment.ai

Compliance Team

Questions about certifications, audits, or regulatory requirements

compliance@containment.ai

Privacy Team

Questions about data handling, privacy, or GDPR/CCPA compliance

privacy@containment.ai

Ready to Deploy AI with Confidence?

Built for organizations across healthcare, financial services, and government that need to secure their AI deployments.
