Compliance & Certifications
Our current compliance posture and certifications in place.
We are currently in our SOC 2 observation period. Type I audit is targeted for Q3 2026, with Type II certification planned for Q1 2027. Our controls are monitored continuously via automated compliance tooling.
Staffinity processes data in accordance with GDPR requirements. Our public DPA covers all clients. EU–US transfers use Standard Contractual Clauses (2021 SCCs).
Staffinity complies with California Consumer Privacy Act requirements. We do not sell or share personal information. California residents may submit data requests to privacy@staffinity.io.
Staffinity offers a HIPAA-ready deployment option for healthcare clients, including PHI detection, circuit breaker controls, and Business Associate Agreements (BAAs) for covered entities and business associates.
Staffinity provides the technical infrastructure broker-dealers need to support their FINRA recordkeeping obligations, including verbatim conversation archiving in WORM-compliant storage meeting SEC Rule 17a-4(f), per-interaction HMAC integrity sealing, 6-year COMPLIANCE-mode retention, and alignment with FINRA Regulatory Notice 24-09 AI guidance. Activated via a signed FINRA Client Addendum.
Staffinity is among the first agentic AI vendors to achieve compliance with Anthropic's Zero Trust for AI Agents Foundation guideline, and has built architecture that exceeds Foundation requirements across all four pillars.
Enterprise AWS Infrastructure
Built on AWS with enterprise-grade controls at every layer.
Anthropic Zero Trust for AI Agents — Foundation Compliant
How Staffinity meets and exceeds each Foundation-level requirement.
AWS Well-Architected Framework Review
Our infrastructure has been independently reviewed against all six pillars of the AWS Well-Architected Framework. Zero high-risk findings across every pillar.

Per-Client Data Isolation
Every Staffinity client runs in dedicated infrastructure — separate ECS clusters, isolated databases, and client-specific encryption keys. Your data is never co-mingled with another client's data, at any layer of the stack.
Guidance jointly published by G7 Cybersecurity Working Group · France 2026 Presidency
Software Bill of Materials for AI (SBOM for AI)
Transparency and traceability across Staffinity's AI supply chain — aligned with G7 minimum elements guidance.
Staffinity's SBOM for AI is prepared in accordance with the G7 Cybersecurity Working Group's SBOM for AI Minimum Elements guidance (2026), jointly published by CISA, NCSC, BSI, ANSSI, ACN, CSE, NCO, and the EU Commission. We are among the first AI agent vendors to publish a machine-readable SBOM for AI.
Our SBOM for AI (published as CycloneDX JSON) documents all 7 G7 clusters: Metadata, System Level Properties, Models (Claude Sonnet 4.6, AWS Titan Embed V2), Datasets, Infrastructure (dedicated per-client AWS accounts), Security Properties (Entra ID RBAC, KMS encryption, WORM audit trail, prompt injection controls), and Key Performance Indicators.
Staffinity's primary reasoning model is Anthropic® Claude Sonnet 4.6. Client data is never used to train AI models — enforced through Anthropic's Enterprise DPA and GLBA addendum. Model weights for hosted API models are proprietary to their respective vendors, consistent with G7 guidance limitations for third-party models.
Every agent deployment includes: AES-256 KMS encryption (per-client CMK), TLS 1.3 in transit, Entra ID role-based access control, per-user rate limiting, prompt injection content boundaries, PII detection, and a full interaction audit trail in WORM-compliant storage.
Note on model hash values: Hash values for model weights are not available for hosted API models (Anthropic Claude, AWS Titan Embed) as the weights are proprietary to the respective vendors. This is a known limitation documented in G7 SBOM for AI guidance for third-party hosted models. Staffinity documents this limitation transparently in our published SBOM.
AI Provider Commitments
We are transparent about every AI provider we use and their data handling commitments.
| Provider | Role | Data Commitment | Certification |
|---|---|---|---|
| Anthropic Claude (AI) | Primary AI model for agent responses and reasoning | Data is not used to train shared models. Enterprise data processing agreement in place. ✓ No shared model training | Enterprise DPA |
| Amazon Web Services (Infrastructure) | Cloud infrastructure, storage, compute, and networking | Data processed under AWS standard DPA. Covered under AWS Enterprise Agreement. ✓ SOC 2 Type II Certified | SOC 2 Type II |
| Microsoft Azure (Teams / Identity) | Teams platform integration and Azure AD identity management | Data processed under Microsoft Enterprise Agreement and DPA. ✓ ISO 27001 Certified | ISO 27001 |
| Perplexity AI (Web Search) | Web search capability for agents requiring real-time information | Used for search queries only. No conversation content or personal data is transmitted to Perplexity. ✓ No conversation data shared | Limited Scope |
Compliance Framework Alignments
Independently documented alignment with key regulatory and industry frameworks. All reports publicly available.
Staffinity maps to all four functions of the NIST AI Risk Management Framework 1.0 — Govern, Map, Measure, and Manage — across 27 documented controls.
Staffinity supports FINRA member firm clients with platform controls aligned to Rule 4370 (BCP), Regulatory Notice 24-09 (AI), Rule 3110 (Supervision), and SEC Rule 17a-4 (Records).
Formal risk classification confirms Staffinity agents are Limited Risk under Regulation (EU) 2024/1689. All Article 50 transparency obligations met. Not classified as High Risk.
Our Compliance Roadmap
A transparent view of where we are and where we're going.
Security Questions?
We're transparent. Reach out any time.