
Compliance Reports

Detailed In Design LLC - SolaceSentry

Public compliance overview describing the standards, certifications, and attestations that SolaceSentry is built to. This document covers data privacy, healthcare regulations, financial services requirements, and information security best practices.

Effective Date: January 1, 2026

1. Compliance Overview

SolaceSentry is designed from the ground up for safety-critical domains. Our compliance program covers data privacy, healthcare regulations, financial services requirements, and information security best practices.

As a violation-detection AI system operating across 25 safety domains -- including healthcare, financial, and autonomous systems -- we hold ourselves to the highest standards of data protection, processing integrity, and transparency.

Privacy & Data Protection: ICDPA compliant, data minimization, consumer rights
Healthcare (HIPAA): Built to HIPAA standards, BAA available for Enterprise
Information Security: SOC 2 Type II designed, audit planned
Processing Integrity: 8 hard invariants, deterministic, no black box

2. HIPAA Compliance

Status: Built to HIPAA standards (healthcare domains)

Business Associate Agreement (BAA)

A Business Associate Agreement is available for customers on the Enterprise Security tier. Contact support@solacesentry.com to request a BAA.

Administrative Safeguards

  • Employee training on HIPAA requirements and data handling procedures
  • Role-based access controls with principle of least privilege
  • Documented incident response procedures
  • Regular risk assessments and security reviews

Physical Safeguards

Data is hosted in Hetzner ISO 27001 certified data centers (Falkenstein/Helsinki EU regions). Physical access controls, environmental protections, and facility security are managed by Hetzner under their ISO 27001 compliance program.

Technical Safeguards

  • Encryption at rest (AES-256)
  • Encryption in transit (TLS 1.2+)
  • API key hashing (SHA-256) -- keys never stored in plaintext
  • Fernet encryption for sensitive fields (SSH keys, DB credentials)
  • Role-based access control
  • Audit logging with 7-year retention (Enterprise tier)
  • Automatic session expiry (30-minute access tokens, 7-day refresh tokens)

PHI Handling

Customer observation data is processed in-memory for violation detection. No PHI is used for model training. Strict data isolation is maintained between tenants at all times.

Note: SolaceSentry is built to HIPAA standards but is not yet independently audited. Enterprise customers requiring formal HIPAA certification should contact us at support@solacesentry.com for the current audit timeline.

3. SOC 2 Readiness

Status: Audit planned; designed to SOC 2 Type II standards

SolaceSentry is designed to meet all five SOC 2 Trust Service Criteria. An independent SOC 2 Type II audit is planned for Q2-Q3 2026.

Security

Encryption (AES-256 at rest, TLS 1.2+ in transit), role-based access controls, SHA-256 API key management, network firewalls, and vulnerability management.

Availability

99.9% uptime SLA (Enterprise tier), redundant infrastructure, health monitoring endpoints, and documented incident response procedures.

Processing Integrity

8 hard invariants ensuring deterministic processing, evidence immutability, and narrative grounding. Every inference is fully explainable with a complete decision trace.

Confidentiality

Data isolation per tenant, encrypted storage, no cross-tenant data access. API keys are SHA-256 hashed and never stored in plaintext.

Privacy

ICDPA compliance, data minimization, consumer rights support (access, correction, deletion, portability, opt-out).

Note: Independent SOC 2 Type II audit is planned for Q2-Q3 2026. Contact support@solacesentry.com for timeline updates and to request the report under NDA when available.

4. Indiana Consumer Data Protection Act (ICDPA)

Status: Compliant, effective January 1, 2026

Consumer Rights Supported

1. Access -- Right to know what data is collected
2. Correction -- Right to correct inaccurate data
3. Deletion -- Right to request data deletion
4. Portability -- Right to export data
5. Opt-Out -- Right to opt out of data processing for targeted advertising

Data Processing Practices

  • Minimal collection: We collect only the data necessary to provide the service
  • Purpose-limited: Data is used exclusively for violation detection and reporting
  • No data sales: We do not sell consumer data to third parties
  • No targeted advertising: We do not use customer data for advertising purposes

Exercising Your Rights

Privacy Notice: /privacy
Rights Requests: support@solacesentry.com
Response Timeline: 45 days from receipt of verified request

5. Data Security Controls

Comprehensive security controls are implemented across all layers of the SolaceSentry platform.

Control                      Implementation                                           Status
Encryption at Rest           AES-256 via Hetzner managed encryption                   Active
Encryption in Transit        TLS 1.2+ on all endpoints                                Active
API Key Security             SHA-256 hashing, never stored plaintext                  Active
Sensitive Field Encryption   Fernet symmetric encryption                              Active
Network Isolation            Hetzner network isolation, Cloud Firewall (Enterprise)   Active
Access Control               JWT-based auth, RBAC for admin                           Active
Audit Logging                All API calls and admin actions logged                   Active
Session Management           30-min access tokens, HttpOnly cookies                   Active
Input Validation             Request schema validation on all endpoints               Active
Dependency Security          GitHub Dependabot, CI security scanning                  Active
Incident Response            Documented procedures, <15min P1 response (Enterprise)   Active
Backup & Recovery            Automated DB backups, point-in-time recovery             Active
Deterministic Processing     8 hard invariants, no black-box decisions                Active

6. Infrastructure Security

Cloud Provider: Hetzner (ISO 27001 certified)
Region: Falkenstein / Helsinki, EU (Germany / Finland)
Kubernetes: Self-managed Kubernetes (k3s); network policies enforced
Firewall: Cloud Firewall; NodePort access restricted to authorized IPs only
DDoS Protection: Cloudflare DNS + Hetzner; multi-layer DDoS mitigation
Container Security: GitHub Container Registry (ghcr.io); image scanning enabled

Secrets Management: Environment-based secrets

Secrets are never stored in source code. Managed via environment variables with Fernet encryption for sensitive configuration values.

7. AI Model Safety

Custom-Trained Models

All models used by SolaceSentry are custom-trained, open-weights transformers. No third-party LLM APIs are used for core inference. This gives us complete control over model behavior, eliminates external dependencies, and ensures reproducibility.

Main Transformer: 350M
Judge Transformers (x4): ~50M
Safety Domains: 25

8 Hard Invariants

Deterministic safety guarantees that cannot be bypassed regardless of input, configuration, or system state:

1. Sparse Gate -- Fast-path for trivial observations
2. No-Decay Evidence -- Evidence weights never decrease
3. Lazy Staleness -- Stale evidence detected lazily
4. Fast Gate Before Planning -- Planning only when needed
5. Planning Gated -- Crisis check before planning
6. Max 2 Narrative Attempts -- Bounded generation with deterministic fallback
7. Record Immutability -- Records cannot be modified after creation
8. Narrative Reads Record Only -- Narratives grounded in evidence
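The page states these invariants as properties but shows no implementation. As an added illustration (not SolaceSentry's code), the following Python sketches how three of them can be enforced by construction rather than by convention: no-decay evidence weights (invariant 2), record immutability (7), and bounded, record-grounded narrative generation (6 and 8). The "[evidence_id]" citation convention, the generator callback and the fallback format are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from types import MappingProxyType
from typing import Callable, Mapping

# Convention assumed for this example only: a narrative cites evidence as "[evidence_id]".
CITATION = re.compile(r"\[([A-Za-z0-9_]+)\]")
MAX_NARRATIVE_ATTEMPTS = 2  # invariant 6: bounded generation


@dataclass(frozen=True)
class Record:
    # Invariant 7: a frozen dataclass holding a read-only mapping, so neither the
    # record nor the weights inside it can be changed once it exists.
    weights: Mapping[str, float]


class EvidenceLedger:
    # Invariant 2: a weight may rise with new observations but never fall.
    def __init__(self) -> None:
        self._weights: dict[str, float] = {}

    def observe(self, evidence_id: str, weight: float) -> float:
        # max() instead of assignment: a lower observation leaves the stored
        # weight untouched, and the caller sees the weight that actually stands.
        new_weight = max(self._weights.get(evidence_id, 0.0), weight)
        self._weights[evidence_id] = new_weight
        return new_weight

    def freeze(self) -> Record:
        # Copy, then wrap read-only; later ledger updates cannot reach the record.
        return Record(weights=MappingProxyType(dict(self._weights)))


def cited_ids(text: str) -> set[str]:
    return set(CITATION.findall(text))


def narrative_from_record(record: Record, generate: Callable[[Record, int], str]) -> str:
    # Invariants 6 and 8: at most two generator calls, each given only the record.
    # A candidate is accepted only if it cites something and every citation resolves
    # to evidence in the record; otherwise a deterministic summary of the record is returned.
    known = set(record.weights)
    for attempt in range(MAX_NARRATIVE_ATTEMPTS):
        candidate = generate(record, attempt)
        cited = cited_ids(candidate)
        if cited and cited <= known:
            return candidate
    summary = "; ".join(f"[{k}] weight={v:.2f}" for k, v in sorted(record.weights.items()))
    return "FALLBACK: " + summary
```

A generator that cites evidence absent from the record is called twice and then replaced by the fallback; a lower weight observed later is simply ignored, so every later narrative still sees the highest weight recorded.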

Asymmetric Loss Training

Judge transformers are trained with asymmetric loss -- missing a VETO costs rho2 more than a false alarm. The system is designed to err on the side of safety. VETO recall is held to a minimum of 99% across all judges.

No Black Box

Full decision trace and explainability for every single inference. DecisionTrace includes all judge votes, evidence weights, classification reasoning, and tribunal outcome. Nothing is opaque.

8. Penetration Testing & Vulnerability Management

Security Testing

Status: External pentest planned

Internal security testing is performed on an ongoing basis. An external penetration test by a qualified third party is planned as part of our SOC 2 audit preparation.

Adversarial Testing

Our scientific benchmark suite includes adversarial testing with 200+ OWASP-taxonomy attack vectors across 7 categories. Result: 0% classification influence -- adversarial payloads have zero effect on violation detection outcomes.


Vulnerability Reporting

Bug Bounty: Not currently offered. Responsible disclosure appreciated.

9. Compliance Roadmap

Q1 2026 -- Complete
  • ICDPA compliance
  • HIPAA technical controls implemented

Q2 2026 -- Planned
  • SOC 2 Type II audit engagement

Q3 2026 -- Planned
  • SOC 2 Type II report available under NDA

Q4 2026 -- Evaluating
  • HITRUST CSF assessment

2027 -- Evaluating
  • Potential ISO 27001 certification

10. Requesting Compliance Documentation

Publicly Available

  • Privacy Policy -- Data collection, usage, and consumer rights
  • Terms of Service -- Service terms, acceptable use, and limitations
  • Service Level Agreement (SLA) -- Uptime commitments, response times, and remedies

Available on Request

  • Business Associate Agreement (BAA) -- Available for Enterprise Security tier customers
  • SOC 2 Type II Report -- Available under NDA when completed
  • Data Processing Agreement (DPA) -- Available for all tiers on request
  • Security Questionnaire -- We can complete your organization's security questionnaire

For compliance questions, audit requests, or to discuss your organization's requirements:

support@solacesentry.com

This compliance overview is maintained by Detailed In Design LLC. Last updated: January 2026. For the most current information, contact support@solacesentry.com.