Security & Compliance

Security & Trust

Enterprise-grade security, transparency, and compliance — built in from day one.

Request DPA / BAA: privacy@staffinity.io

AES-256: encryption at rest
TLS 1.3: encryption in transit
Per-client: data isolation
AWS ECS: enterprise infrastructure
SOC 2: in observation period

Compliance & Certifications

Our current compliance posture and certifications in place.

CSA STAR — Level 1 Registered
CSA STAR for AI — Level 1 Registered
SOC 2 Type II: In Progress

We are currently in our SOC 2 observation period. The Type I audit is targeted for Q3 2026, with the Type II attestation planned for Q1 2027. Our controls are monitored continuously via automated compliance tooling.

GDPR: Compliant

Staffinity processes data in accordance with GDPR requirements. Data Processing Agreements (DPAs) are available for all clients. EU–US transfers use Standard Contractual Clauses (SCCs).

Request a DPA: privacy@staffinity.io
CCPA / CPRA: Compliant

Staffinity complies with California Consumer Privacy Act requirements. We do not sell or share personal information. California residents may submit data requests to privacy@staffinity.io.
HIPAA-Ready Architecture: Available on request

Staffinity offers a HIPAA-ready deployment option for healthcare clients, including PHI detection, circuit breaker controls, and Business Associate Agreements (BAAs) for covered entities and business associates.

Request a BAA: privacy@staffinity.io

Enterprise AWS Infrastructure

Built on AWS with enterprise-grade controls at every layer.

Primary region: us-east-2 (Ohio) · data residency in the United States
Encryption: AES-256 at rest via AWS KMS · TLS 1.3 in transit
Logging & detection: AWS CloudTrail audit logs · GuardDuty threat detection
Availability: multiple ECS Fargate tasks · automated failover & health checks
Backups: 3-tier retention (daily, weekly, and monthly snapshots)
Vulnerability scanning: ECR container image scanning on every build pipeline run
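An added example of what "scanning on every pipeline run" has to look like to actually block a release: a build step that reads the ECR scan result for the image just pushed and fails the job when findings at or above a severity threshold are present, and also fails closed if the scan has not completed. This is illustration code, not Staffinity's own pipeline; the repository name, image tag and the sample scan response are constructed, while the AWS calls in fetch_scan_findings() (the describe_image_scan_findings operation and the image_scan_complete waiter) are standard boto3 ECR operations.

```python
"""Build-step gate on an Amazon ECR image-scan result (added example)."""
from dataclasses import dataclass
from typing import Mapping

# Severity labels ECR reports in findingSeverityCounts, lowest to highest.
SEVERITY_ORDER = ("INFORMATIONAL", "UNDEFINED", "LOW", "MEDIUM", "HIGH", "CRITICAL")


@dataclass(frozen=True)
class ScanVerdict:
    passed: bool    # True only if the scan completed and nothing blocks
    blocking: int   # number of findings at or above the threshold
    reason: str     # one-line explanation for the build log


def blocking_findings(counts: Mapping[str, int], threshold: str) -> int:
    """Sum the findings whose severity is >= threshold. A label this code
    does not recognise is counted as blocking, so an unexpected value
    fails closed rather than open."""
    if threshold not in SEVERITY_ORDER:
        raise ValueError(f"unknown severity threshold: {threshold}")
    floor = SEVERITY_ORDER.index(threshold)
    total = 0
    for label, n in counts.items():
        if label not in SEVERITY_ORDER or SEVERITY_ORDER.index(label) >= floor:
            total += int(n)
    return total


def evaluate_scan(response: Mapping, threshold: str = "HIGH") -> ScanVerdict:
    """Decide pass/fail from a describe_image_scan_findings response."""
    status = response.get("imageScanStatus", {}).get("status")
    if status != "COMPLETE":
        # IN_PROGRESS, FAILED, UNSUPPORTED_IMAGE, ...: never ship an unscanned image.
        return ScanVerdict(False, 0, f"scan not complete (status={status})")
    counts = response.get("imageScanFindings", {}).get("findingSeverityCounts", {})
    blocking = blocking_findings(counts, threshold)
    summary = ", ".join(f"{k}={counts[k]}" for k in SEVERITY_ORDER if k in counts)
    if blocking:
        return ScanVerdict(False, blocking,
                           f"{blocking} finding(s) at or above {threshold}: {summary}")
    return ScanVerdict(True, 0, f"no findings at or above {threshold}: {summary or 'none'}")


def fetch_scan_findings(repository: str, tag: str, region: str = "us-east-2") -> dict:
    """Live variant: wait for the scan of repository:tag to finish and return
    the response. Needs boto3 and AWS credentials, so it is only called from
    main(). With enhanced scanning (Amazon Inspector) scans start on push; with
    basic scanning call ecr.start_image_scan() first."""
    import boto3  # imported here so the gate logic above has no dependencies
    ecr = boto3.client("ecr", region_name=region)
    image = {"imageTag": tag}
    ecr.get_waiter("image_scan_complete").wait(repositoryName=repository, imageId=image)
    return ecr.describe_image_scan_findings(repositoryName=repository, imageId=image)


# Constructed sample in the shape boto3 returns; repository name, tag and
# counts are assumptions, not real scan data.
SAMPLE_RESPONSE = {
    "registryId": "123456789012",
    "repositoryName": "staffinity-agent",
    "imageId": {"imageDigest": "sha256:" + "0" * 64, "imageTag": "build-4711"},
    "imageScanStatus": {"status": "COMPLETE",
                        "description": "The scan was completed successfully."},
    "imageScanFindings": {
        "findingSeverityCounts": {"CRITICAL": 1, "HIGH": 3, "MEDIUM": 12,
                                  "LOW": 40, "INFORMATIONAL": 5},
    },
}

if __name__ == "__main__":
    import sys
    # Offline demo on the constructed response; pass --live to query ECR.
    resp = (fetch_scan_findings("staffinity-agent", "build-4711")
            if "--live" in sys.argv else SAMPLE_RESPONSE)
    verdict = evaluate_scan(resp, threshold="HIGH")
    print(("PASS " if verdict.passed else "FAIL ") + verdict.reason)
    sys.exit(0 if verdict.passed else 1)
```

Run as a step after the image push; the non-zero exit is what turns "scanning on every build" into a control rather than a report. The threshold is a policy choice: HIGH blocks on HIGH and CRITICAL, and lowering it to MEDIUM is a one-word change.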

AWS Well-Architected Framework Review

Our infrastructure has been independently reviewed against all six pillars of the AWS Well-Architected Framework, with no high-risk or medium-risk findings in any pillar.

AWS Well-Architected Review: Staffinity AI Agent Platform · May 2026
0 high risk · 0 medium risk · 57 best practices met (full report available)

Operational Excellence: 11 / 11 best practices met · zero risks
Security: 11 / 11 best practices met · zero risks
Reliability: 13 / 13 best practices met · zero risks
Performance Efficiency: 5 / 5 best practices met · zero risks
Cost Optimization: 11 / 11 best practices met · zero risks
Sustainability: 6 / 6 best practices met · zero risks

Per-Client Data Isolation

Every Staffinity client runs on dedicated infrastructure: separate ECS clusters, isolated databases, and client-specific encryption keys. Your data is never commingled with another client's data at any layer of the stack.

AI Provider Commitments

We are transparent about every AI provider we use and their data handling commitments.

Provider · Role · Data commitment · Certification

Anthropic (Claude AI) · Primary AI model for agent responses and reasoning · Data is not used to train shared models; an enterprise data processing agreement is in place · Enterprise DPA (no shared model training)

Amazon Web Services · Infrastructure: cloud infrastructure, storage, compute, and networking · Data processed under the AWS standard DPA; covered under the AWS Enterprise Agreement · SOC 2 Type II attestation

Microsoft Azure · Teams / identity: Teams platform integration and Azure AD (now Microsoft Entra ID) identity management · Data processed under the Microsoft Enterprise Agreement and DPA · ISO 27001 certified

Perplexity AI · Web search: web search capability for agents requiring real-time information · Used for search queries only; no conversation content or personal data is transmitted to Perplexity · Limited scope (no conversation data shared)

Our Compliance Roadmap

A transparent view of where we are and where we're going.

HIPAA-Ready Architecture: April 2026 · PHI detection, circuit breaker controls, BAA-ready
GDPR Compliant: May 2026 · SCCs in place, DPAs available for all clients
CCPA / CPRA Compliant: May 2026 · No data sale, California privacy rights honored
SOC 2 Type I (in progress): Q3 2026 · Observation period active, controls monitored
SOC 2 Type II (planned): Q1 2027 · Full audit with Type I as foundation
ISO 27001 (planned): 2027 · Information security management certification
ISO 42001 — AI Management (planned): 2027 · AI governance and responsible AI management certification

Security Questions?

We're transparent. Reach out any time.

Security questions: security@staffinity.io
Privacy requests: privacy@staffinity.io
Request DPA / BAA: privacy@staffinity.io