Compliance
GDPR, SOC 2, ISO 27001, HIPAA — current posture and roadmap.
GDPR-aligned today. SOC 2 and ISO 27001 are on the roadmap. HIPAA is out of scope.
The 30-second version
AtelyaOS implements GDPR-aligned controls today: data subject access requests, deletion via DSAR, data residency selection, and TLS + at-rest encryption. SOC 2 Type II and ISO 27001 are on the roadmap (target Q3 2026). HIPAA is not a supported posture. For Enterprise customers with stricter compliance needs, talk to sales.
Why this matters
Procurement teams ask three compliance questions before letting an AI tool touch client data: GDPR posture, SOC 2 status, and ISO 27001 status. This page is the single source of truth so you don't have to ask. The answers below describe what's implemented today; treat anything else (sales decks, marketing pages, third-party reviews) as advisory.
How it works
GDPR
Status: implemented controls. AtelyaOS supports the operational pieces of GDPR compliance:
- Data residency — workspace can be tagged to EU (Frankfurt). Today this is logical separation; physical separation is on the Phase 2 roadmap.
- Data subject access requests (DSAR) — supported via Settings → Data residency → Data subject requests. Types: access, portability, deletion, rectification.
- Right to erasure — DSAR deletion type pseudonymises the user record and clears workspace data per the runbook.
- Encryption — TLS in transit; libsodium secretbox for sensitive fields at rest. See encryption.
- Audit trail — every meaningful action is recorded in audit_log.
- Data Processing Agreement (DPA) — available on request for paid tiers. Contact sales.
GDPR is a posture, not a certification. Implementation alignment is not the same as a third-party audit. If you need a formal DPA, request it before signing.
SOC 2
Status: roadmap (Q3 2026 target). AtelyaOS is not yet SOC 2 Type II certified. The compliance program is being built toward that target; some of the underlying controls (audit logging, encryption, access management, change management via PR review) are already in place.
For Enterprise contracts that require SOC 2 today, we can:
- Share security questionnaires.
- Provide our control-by-control status against the AICPA Trust Services Criteria.
- Discuss specific gaps and timelines.
Contact sales if you have a procurement deadline driven by SOC 2.
ISO 27001
Status: roadmap. Same posture as SOC 2 — many underlying controls are in place; formal certification is on the long-term roadmap. EU customers concerned with ISO 27001 should also note that we run on Supabase, which itself maintains relevant certifications for its infrastructure layer. The application layer is not separately certified yet.
HIPAA
Status: not applicable / out of scope. AtelyaOS is built for marketing-agency proposals and recaps. We do not currently support PHI (Protected Health Information) workflows and do not sign Business Associate Agreements. If your work touches PHI, AtelyaOS is not a fit today.
Sharia-mode content filter
A separate, optional Sharia mode content filter is available on Enterprise contracts. It does not issue Sharia certifications — it provides a configurable content filter and audit trail for workspaces that need to enforce a defined content policy. Talk to sales for setup.
Compliance-flavoured plan flags
Some plan flags relate to compliance-shaped features:
- can_use_data_residency — Agency / Enterprise. Lets you change region.
- can_use_compliance_reports — Agency / Enterprise. Roadmap; exposes compliance reporting in the app.
- can_use_audit_log — All paid tiers (and Free).
- can_use_audit_dashboard — Pro and above.
- can_use_sharia_mode — Enterprise.
The flags are enforced at the API layer; they're not just marketing copy. The reports themselves vary in completeness — can_use_compliance_reports is tier-gated but the report generator is still on the roadmap for some report types.
What we share publicly
- This documentation page.
- Our security overview on the marketing site (overview-level).
What we share under NDA
- Detailed control mapping (SOC 2, ISO 27001).
- Subprocessor list with regions.
- Incident response runbook summary.
- DPA and BAA-equivalent paperwork.
Request these via your sales contact.
Common pitfalls
- Assuming SOC 2 because of the marketing copy. Some marketing pages historically described SOC 2 as a feature. The accurate status is roadmap.
- Assuming HIPAA support. We don't support PHI today. If your client work involves it, AtelyaOS is not the right tool yet.
- Skipping the DPA. If you operate in the EU or process EU-resident data, request a DPA before going live with paid usage.
- Treating data residency as physical isolation. Today it's logical. For physical isolation, talk to sales.
What's next
- Data handling — DSAR flow and audit log.
- Encryption — algorithm details.
- No training on data — LLM provider terms.