Independent attestation. Renewed yearly.
AuraOne maintains a security program for high-stakes AI workflows where evaluations, human review, approvals, and evidence exports remain connected. This page summarizes the legal and buyer-review posture. Detailed deployment and control materials are shared during procurement or security review because the relevant answers depend on the program boundary, deployment model, and regulated context.
Independent attestation across security, availability, and confidentiality.
Administrative, technical, and physical safeguards for protected health workflows.
Data subject rights, residency, and processor obligations honored by design.
Attestations and alignments below match the compliance badges in the footer. Each card anchors a section further down with the relevant control map.
Trust Services Criteria covering security, availability, and confidentiality. Reports shared under NDA during security review.
Administrative, technical, and physical safeguards mapped to the HIPAA Security Rule. BAAs available for in-scope deployments.
Data subject rights, lawful basis, residency, and sub-processor disclosures handled at the program scope, not the marketing page.
The control framework is not a marketing surface. These are the controls a buyer security team will ask about, mapped to the workflow boundary AuraOne actually operates inside.
Encryption in transit and at rest across the core platform boundary. Key rotation, scope, and customer-managed key options reviewed per deployment.
Least-privilege access for operators, reviewers, and administrators. Role-based permissions aligned to workflow ownership and release approvals. Enterprise identity options discussed during procurement.
Security and workflow events stay visible in the same audit trail. Escalations, approvals, and review actions are captured as part of the evidence trail.
Documented internal procedures cover triage, scope confirmation, customer notification, and post-incident review. Disclosure follow-up routes through the security channel.
Program-specific retention and deletion workflows scoped during onboarding. Clear handling boundaries for uploaded data, evidence exports, and reviewer access.
The deep links from the compliance badges (#soc2, #hipaa, #gdpr) resolve to the sections below. Each entry summarizes scope and obligations without re-stating the full evidence packet.
SOC 2 covers how AuraOne operates the platform — who has access, how changes ship, how incidents get handled. The attestation is renewed yearly by an independent auditor.
AuraOne supports HIPAA-aligned deployments where the program scope includes protected health information. Safeguards are mapped to the HIPAA Security Rule and reviewed during onboarding.
AuraOne processes customer data as a processor under GDPR. Data subject rights, lawful basis, residency, and sub-processor disclosure are handled at the program scope.
For procurement, trust review, or responsible disclosure, use the security channel or book a buyer-readiness review. We will match the materials to your workflow, regulated context, and deployment plan.