Trust Center
Compliance Health aligns security, privacy, and governance controls with ISO‑42001 so that AI-assisted workflows never bypass human oversight. The alpha launch keeps 100% human review while laying the groundwork for formal certification.
Data residency & encryption
All application, document, and log data is stored in ca-central-1 with KMS-managed keys. TLS 1.2+, HSTS, and secure cookies are enforced end-to-end.
Least privilege & secrets
Service accounts use short-lived IAM roles, CI/CD assumes roles via GitHub OIDC rather than long-lived access keys, and secrets live in AWS Parameter Store.
Human reviewers & audit trail
Every decision records who reviewed the document, what actions were taken, and why. Reviewer SOPs, escalation paths, and periodic access reviews are in place.
ISO‑42001-lite program
Risk register, model governance templates, change control, and incident response artifacts ship with the alpha rail. Certification will follow once production evidence accumulates.
Runbooks & drills
On-call, incident, data subject request, and restore runbooks are validated through the dry runs beginning Nov 24 and the Nov 28 go/no-go rehearsal.
Monitoring & alerting
SLO dashboards track ingest latency, queue depth, reviewer throughput, and webhook reliability. Alerts flow to the on-call rotation over both pager and Slack for redundancy.
Runbooks on deck
- On-call rotations with incident severities, comms templates, and PagerDuty integrations.
- Incident response / post-incident review, covering containment, communication, and evidence capture.
- Data subject request and deletion workflow with audit checkpoints.
- Backup and restore validation (daily snapshots, weekly restore drills).
- Alpha onboarding guide for admins, reviewers, and compliance officers.
Contact
Need a deeper review of our controls? Email trust@compliancehealth.ca.