# Compliance

Twig AI maintains rigorous compliance with industry standards and regulations to protect your data and meet enterprise requirements.

## Certifications & Standards

### SOC 2 Type II

**Status:** ✅ Certified (audited annually)

**Covers:**

* Security
* Availability
* Processing Integrity
* Confidentiality
* Privacy

**Audit Firm:** \[Major accounting firm]

**Report:** Available under NDA upon request

**Controls:**

* Access controls
* Encryption
* Network security
* Incident response
* Change management
* Monitoring and logging

### ISO 27001

**Status:** 🔄 In progress (certification expected Q2 2024)

Information Security Management System covering:

* Risk assessment
* Security policies
* Asset management
* Access control
* Cryptography
* Incident management

### GDPR (General Data Protection Regulation)

**Status:** ✅ Compliant

**Requirements Met:**

* Lawful basis for processing
* Consent management
* Data subject rights
  * Right to access
  * Right to deletion
  * Right to portability
  * Right to rectification
* Data Protection Impact Assessments (DPIA)
* Data Processing Agreements (DPA)
* Breach notification (< 72 hours)
* Privacy by design and default
* Data Protection Officer appointed

**DPA:** Available at [legal.twig.so/dpa](https://legal.twig.so/dpa)

### CCPA (California Consumer Privacy Act)

**Status:** ✅ Compliant

**Rights Provided:**

* Right to know what data is collected
* Right to delete personal information
* Right to opt-out of sale (we don't sell data)
* Right to non-discrimination
* Right to correct inaccurate information

**Privacy Notice:** [privacy.twig.so](https://privacy.twig.so)

### HIPAA (Health Insurance Portability and Accountability Act)

**Status:** ✅ Available for Enterprise customers

**Requirements:**

* Business Associate Agreement (BAA)
* Administrative safeguards
* Physical safeguards
* Technical safeguards
  * Access controls
  * Audit controls
  * Integrity controls
  * Transmission security
* Breach notification
* Minimum necessary standard

**BAA Process:**

1. Contact <sales@twig.so>
2. Sign Business Associate Agreement
3. HIPAA-compliant infrastructure provisioned
4. Additional security controls enabled
5. Regular compliance audits

**Use Cases:**

* Healthcare providers
* Health insurance
* Healthcare clearinghouses
* Business associates handling PHI

### PCI DSS (Payment Card Industry Data Security Standard)

**Status:** Not applicable (cardholder data is never stored, processed or transmitted by our systems)

**Payment Processing:**

* Handled by Stripe (PCI Level 1 compliant)
* No card data touches our servers
* Secure tokenization

## Regional Compliance

### European Union

**GDPR Coverage:**

* Data residency in EU (Frankfurt)
* EU-based support team available
* Standard Contractual Clauses (SCC)
* Transfers outside EU require approval

**Representative:** EU representative appointed as required

### United Kingdom (UK GDPR)

**Status:** ✅ Compliant

Post-Brexit compliance:

* UK representative appointed
* ICO registration
* UK-specific DPA available

### Canada (PIPEDA)

**Status:** ✅ Compliant

* Consent for collection
* Purpose specification
* Limited collection
* Accuracy
* Safeguards
* Openness
* Individual access
* Challenging compliance

### Australia (Privacy Act)

**Status:** ✅ Compliant

Australian Privacy Principles (APPs) covered.

## Industry-Specific Compliance

### Financial Services

**SOX (Sarbanes-Oxley):**

* Audit trails
* Data integrity
* Access controls
* Change management

**GLBA (Gramm-Leach-Bliley):**

* Information security program
* Safeguard customer data
* Privacy notices

### Government

**FedRAMP:** 🔄 On the roadmap (for government customers)

**ITAR:** Not certified (contact us about defense use cases)

### Education

**FERPA:**

* Student record protection
* Access limitations
* Directory information controls

**COPPA:**

* Parental consent (users under 13)
* Data minimization
* Secure deletion

## Compliance Tools

### Data Processing Agreement (DPA)

**Download:** Available in Settings → Legal

**Covers:**

* Roles and responsibilities
* Data processing terms
* Security measures
* Sub-processors
* Data subject rights
* Audit rights

### Sub-Processors

We use these sub-processors:

| Name     | Purpose            | Location |
| -------- | ------------------ | -------- |
| AWS      | Infrastructure     | Global   |
| OpenAI   | LLM processing     | US       |
| Pinecone | Vector database    | US       |
| Stripe   | Payment processing | Global   |

**List:** Updated at [legal.twig.so/subprocessors](https://legal.twig.so/subprocessors)

### Security Questionnaires

**Need security assessment?**

* Standard questionnaire: Auto-filled via Trust Center
* Custom questionnaire: Email to <security@twig.so>
* Typical turnaround: 3-5 business days

## Audit & Reporting

### Compliance Reports

Available reports:

* SOC 2 Type II report
* Penetration test results (annual)
* Vulnerability scan results (quarterly)
* Compliance certifications
* Security whitepaper

**Access:** Contact <compliance@twig.so>

### Regular Audits

**Internal:**

* Quarterly security reviews
* Monthly access audits
* Weekly vulnerability scans

**External:**

* Annual SOC 2 audit
* Annual penetration testing
* Quarterly compliance reviews

### Audit Logs

All compliance-relevant activities are logged:

* Data access
* Configuration changes
* User management
* Permission modifications
* Data exports/deletions
* Security events

**Retention:** 7 years for compliance purposes

## Your Compliance Obligations

### As a Customer

When using Twig AI, you should:

✅ **Provide Accurate Information**

* During registration
* In data processing agreements

✅ **Secure Your Account**

* Strong passwords
* Enable MFA
* Protect API keys

✅ **Manage User Access**

* Review permissions regularly
* Remove inactive users
* Follow least privilege

✅ **Monitor Usage**

* Review audit logs
* Investigate anomalies
* Report security incidents

✅ **Understand Data Flows**

* Know what data you're uploading
* Classify data appropriately
* Apply proper controls
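The "Manage User Access" and "Monitor Usage" items above are the kind of review most teams end up scripting against an audit-log export. The following is an added example, not Twig AI's own tooling: it reads a JSON-lines event file whose format is constructed here for illustration (the page does not document an export format; only the event categories follow the Audit Logs list above), reports accounts with no activity in 90 days, including invited-but-never-active ones, and flags admin grants and bulk or off-hours exports for an access reviewer. The thresholds and business-hours window are assumptions.

```python
"""Audit-log review for the obligations listed above: remove inactive users and
flag events worth investigating.

Added example, not Twig AI's own tooling. The JSON-lines event format below is
constructed for illustration (the page does not document an export format);
the category names follow the Audit Logs list on this page. Thresholds are
assumptions.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: one event per line, timestamps in UTC.
SAMPLE_LOG = """\
{"ts":"2024-03-01T09:12:00Z","actor":"alice@example.com","category":"data_access","action":"view_doc","target":"doc-42"}
{"ts":"2024-03-01T09:30:00Z","actor":"bob@example.com","category":"permission_modification","action":"grant_role","target":"carol@example.com","role":"admin"}
{"ts":"2024-03-02T02:15:00Z","actor":"carol@example.com","category":"data_export","action":"export_workspace","target":"workspace-1","records":120000}
{"ts":"2024-02-01T10:00:00Z","actor":"dave@example.com","category":"data_access","action":"view_doc","target":"doc-7"}
{"ts":"2024-03-03T11:00:00Z","actor":"alice@example.com","category":"user_management","action":"invite_user","target":"erin@example.com"}
{"ts":"2024-03-03T11:05:00Z","actor":"alice@example.com","category":"security_event","action":"login_failed","target":"alice@example.com"}
"""

BULK_EXPORT_RECORDS = 10_000        # assumed: exports at or above this size get a second look
BUSINESS_HOURS_UTC = range(7, 19)   # assumed working window for the team


def parse_events(text: str) -> list[dict]:
    """Parse JSON-lines events and turn timestamps into timezone-aware datetimes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def inactive_users(events: list[dict], as_of: datetime, days: int = 90) -> list[str]:
    """Accounts with no activity in the window, including invited-but-never-active ones.

    Failed logins (security_event) are not counted as activity: they show that
    someone tried the account, not that its owner is using it.
    """
    known: set[str] = set()
    last_seen: dict[str, datetime] = {}
    for ev in events:
        known.add(ev["actor"])
        if ev["category"] in ("user_management", "permission_modification") and "@" in ev["target"]:
            known.add(ev["target"])           # the invitee / grantee is an account too
        if ev["category"] != "security_event":
            last_seen[ev["actor"]] = max(last_seen.get(ev["actor"], ev["ts"]), ev["ts"])
    cutoff = as_of - timedelta(days=days)
    never = datetime.min.replace(tzinfo=timezone.utc)
    return sorted(u for u in known if last_seen.get(u, never) < cutoff)


def flag_for_review(events: list[dict]) -> list[tuple[str, str, str]]:
    """(rule, actor, target) tuples for events an access reviewer should look at."""
    findings = []
    for ev in events:
        if ev["category"] == "permission_modification" and ev.get("role") == "admin":
            findings.append(("admin_role_granted", ev["actor"], ev["target"]))
        if ev["category"] == "data_export":
            off_hours = ev["ts"].hour not in BUSINESS_HOURS_UTC
            bulk = ev.get("records", 0) >= BULK_EXPORT_RECORDS
            if off_hours or bulk:
                findings.append(("bulk_or_off_hours_export", ev["actor"], ev["target"]))
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("inactive:", inactive_users(evs, datetime(2024, 5, 15, tzinfo=timezone.utc)))
    for finding in flag_for_review(evs):
        print("review:", *finding)
```

Run it on a real export by replacing `SAMPLE_LOG` with the file contents; the inactive list feeds the "remove inactive users" step, and each finding is a ticket for the next access review rather than an automatic revocation.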

## Data Subject Requests

### Handling User Requests

When an end user asks to access, correct or delete their data:

1. **Verify Identity**: Confirm the requester's identity before disclosing or deleting anything
2. **Locate Data**: Use the search tools to find every record tied to the requester
3. **Fulfill Request**:
   * Access: Export the data
   * Deletion: Anonymize or delete
   * Correction: Update the records
4. **Timeline**: One month (GDPR, extendable by two further months for complex or numerous requests); 45 days (CCPA, extendable once by another 45)
5. **Document**: Log how and when the request was fulfilled

**Tool Support:**

```
Settings → Privacy → Data Subject Requests
→ Search by email
→ Generate report or delete
```

### Automated DSR Processing

```bash
# Via API
curl -X POST https://api.twig.so/api/privacy/dsr \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -d '{
    "type": "ACCESS",
    "email": "user@example.com",
    "verificationCode": "abc123"
  }'
```
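The five steps above and the API call, carried through in one helper. This is an added example, not Twig AI's own client or SDK: it assumes only the endpoint and the three request fields shown in the curl call. Request types other than `ACCESS`, the ledger layout and the response handling are assumptions, and nothing touches the network unless `send_dsr()` is called. The deadline arithmetic follows the statutory periods (GDPR one month plus up to two months' extension, CCPA 45 days plus one 45-day extension) rather than a flat "30 days".

```python
"""Data subject request (DSR) helper for the procedure described above.

Added example; not Twig AI's own tooling. It assumes the endpoint and request
fields shown in the curl example (type, email, verificationCode). Request
types other than ACCESS, the record layout and the response handling are
assumptions. Only send_dsr() touches the network.
"""
import calendar
import json
import urllib.request
from dataclasses import dataclass, field
from datetime import date, timedelta

DSR_ENDPOINT = "https://api.twig.so/api/privacy/dsr"   # documented above
DSR_TYPES = {"ACCESS", "DELETION", "CORRECTION"}      # ACCESS documented; others assumed


def build_dsr_request(dsr_type: str, email: str, verification_code: str) -> dict:
    """Body for the documented POST; rejects malformed input before it leaves the box."""
    if dsr_type not in DSR_TYPES:
        raise ValueError(f"unsupported DSR type {dsr_type!r}")
    if "@" not in email or email != email.strip():
        raise ValueError("email must be a single, trimmed address")
    if not verification_code:
        raise ValueError("verification code required (step 1: verify identity)")
    return {"type": dsr_type, "email": email, "verificationCode": verification_code}


def add_months(d: date, n: int) -> date:
    """Calendar-month arithmetic, clamped to the last day of the target month."""
    m0 = d.month - 1 + n
    year, month = d.year + m0 // 12, m0 % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def response_deadline(regime: str, received: date, extended: bool = False) -> date:
    """Statutory response deadline counted from the day the request was received.

    GDPR Art. 12(3): one month, extendable by two further months for complex or
    numerous requests. CCPA: 45 days, extendable once by another 45.
    """
    if regime == "GDPR":
        return add_months(received, 3 if extended else 1)
    if regime == "CCPA":
        return received + timedelta(days=90 if extended else 45)
    raise ValueError(f"unknown regime {regime!r}")


@dataclass
class DsrRecord:
    request_id: str
    regime: str
    dsr_type: str
    email: str
    received: date
    deadline: date
    verified: bool = False
    status: str = "received"                       # received -> verified -> fulfilled
    history: list = field(default_factory=list)    # (date, note) pairs for step 5

    def log(self, on: date, note: str) -> None:
        self.history.append((on.isoformat(), note))


class DsrLedger:
    """Minimal fulfillment log: who asked, what was done, and by when (assumed layout)."""

    def __init__(self) -> None:
        self._records: dict[str, DsrRecord] = {}

    def open_request(self, request_id, regime, dsr_type, email, received) -> DsrRecord:
        rec = DsrRecord(request_id, regime, dsr_type, email, received,
                        response_deadline(regime, received))
        rec.log(received, f"{dsr_type} request received under {regime}")
        self._records[request_id] = rec
        return rec

    def mark_verified(self, request_id: str, on: date, method: str) -> None:
        rec = self._records[request_id]
        rec.verified, rec.status = True, "verified"
        rec.log(on, f"identity verified via {method}")

    def fulfill(self, request_id: str, on: date, outcome: str) -> None:
        rec = self._records[request_id]
        if not rec.verified:
            raise PermissionError("refusing to act on an unverified request")
        rec.status = "fulfilled"
        rec.log(on, f"fulfilled: {outcome}")

    def overdue(self, today: date) -> list[str]:
        """Open requests whose statutory deadline has passed."""
        return sorted(r.request_id for r in self._records.values()
                      if r.status != "fulfilled" and today > r.deadline)

    def get(self, request_id: str) -> DsrRecord:
        return self._records[request_id]


def send_dsr(rec: DsrRecord, api_key: str, verification_code: str) -> dict:
    """POST the documented body; refuses unverified requests. This is the network call."""
    if not rec.verified:
        raise PermissionError("verify identity before submitting")
    body = json.dumps(build_dsr_request(rec.dsr_type, rec.email, verification_code)).encode()
    req = urllib.request.Request(DSR_ENDPOINT, data=body, method="POST",
                                 headers={"Authorization": f"Bearer {api_key}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:   # response shape is undocumented
        return json.loads(resp.read().decode())


if __name__ == "__main__":
    ledger = DsrLedger()
    ledger.open_request("dsr-1", "GDPR", "ACCESS", "user@example.com", date(2024, 1, 31))
    ledger.mark_verified("dsr-1", date(2024, 2, 1), "signed-in account email challenge")
    print(ledger.get("dsr-1").deadline)      # 2024-02-29
    print(ledger.overdue(date(2024, 3, 1)))  # ['dsr-1'] until fulfilled
```

The ledger is the artifact a regulator asks for: each record carries the verification method, the deadline that applied and what was done. Keeping `send_dsr()` behind the `verified` flag makes it impossible to trigger an export or deletion for an address that only someone claiming to own it has supplied.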

## Breach Notification

### Our Process

**If a breach occurs:**

1. **< 1 hour**: Detect and contain
2. **< 6 hours**: Assess scope
3. **< 72 hours**: Notify affected parties and the relevant supervisory authorities (the GDPR 72-hour clock runs from when we become aware of the breach)
4. **< 7 days**: Publish an incident report

### What We Notify

* What happened
* What data was affected
* What we've done
* What you should do
* How to contact us

## Industry Best Practices

### For Healthcare

* ✅ HIPAA BAA required
* ✅ Minimum necessary access
* ✅ Encrypted storage
* ✅ Audit trails
* ✅ Access controls
* ✅ Breach notification procedures

### For Finance

* ✅ SOX controls
* ✅ GLBA safeguards
* ✅ Data integrity
* ✅ Audit trails
* ✅ Access reviews

### For Education

* ✅ FERPA compliance
* ✅ COPPA for minors
* ✅ Student data protection
* ✅ Parental consent mechanisms

## Compliance Checklist

Before deploying Twig AI:

* [ ] Review privacy policy
* [ ] Sign DPA (if required)
* [ ] Configure data residency
* [ ] Enable appropriate privacy controls
* [ ] Train team on data handling
* [ ] Set up audit logging
* [ ] Define incident response plan
* [ ] Document data flows
* [ ] Classify data sensitivity
* [ ] Configure retention policies
* [ ] Enable MFA for admins
* [ ] Review sub-processor list
* [ ] Understand LLM provider usage
* [ ] Set up breach notification contacts

## Next Steps

* [Data Privacy](/product/security/data-privacy.md) - Privacy controls
* [Security Best Practices](/product/security/best-practices.md) - Harden security
* [Authentication](/product/security/authentication-authorization.md) - Access control
* [SSO Integration](/product/security/sso-integration.md) - Enterprise authentication

## Contact

**Compliance Questions:** <compliance@twig.so>

**DPA Requests:** <legal@twig.so>

**Security Questions:** <security@twig.so>

