Compliance

Twig AI maintains rigorous compliance with industry standards and regulations to protect your data and meet enterprise requirements.

Certifications & Standards

SOC 2 Type II

Status: ✅ Certified (audited annually)

Covers:

  • Security

  • Availability

  • Processing Integrity

  • Confidentiality

  • Privacy

Audit Firm: [Major accounting firm]

Report: Available under NDA upon request

Controls:

  • Access controls

  • Encryption

  • Network security

  • Incident response

  • Change management

  • Monitoring and logging

ISO 27001

Status: 🔄 In progress (certification expected Q2 2024)

Information Security Management System covering:

  • Risk assessment

  • Security policies

  • Asset management

  • Access control

  • Cryptography

  • Incident management

GDPR (General Data Protection Regulation)

Status: ✅ Compliant

Requirements Met:

  • Lawful basis for processing

  • Consent management

  • Data subject rights

    • Right to access

    • Right to deletion

    • Right to portability

    • Right to rectification

  • Data Protection Impact Assessments (DPIA)

  • Data Processing Agreements (DPA)

  • Breach notification (< 72 hours)

  • Privacy by design and default

  • Data Protection Officer appointed

DPA: Available at legal.twig.so/dpa

CCPA (California Consumer Privacy Act)

Status: ✅ Compliant

Rights Provided:

  • Right to know what data is collected

  • Right to delete personal information

  • Right to opt-out of sale (we don't sell data)

  • Right to non-discrimination

  • Right to correct inaccurate information

Privacy Notice: privacy.twig.so

HIPAA (Health Insurance Portability and Accountability Act)

Status: ✅ Available for Enterprise customers

Requirements:

  • Business Associate Agreement (BAA)

  • Administrative safeguards

  • Physical safeguards

  • Technical safeguards

    • Access controls

    • Audit controls

    • Integrity controls

    • Transmission security

  • Breach notification

  • Minimum necessary standard

BAA Process:

  1. Sign Business Associate Agreement

  2. HIPAA-compliant infrastructure provisioned

  3. Additional security controls enabled

  4. Regular compliance audits

Use Cases:

  • Healthcare providers

  • Health insurance

  • Healthcare clearinghouses

  • Business associates handling PHI

PCI DSS (Payment Card Industry Data Security Standard)

Status: Not applicable (we don't handle payment cards)

Payment Processing:

  • Handled by Stripe (PCI Level 1 compliant)

  • No card data touches our servers

  • Secure tokenization

Regional Compliance

European Union

GDPR Coverage:

  • Data residency in EU (Frankfurt)

  • EU-based support team available

  • Standard Contractual Clauses (SCC)

  • Transfers outside EU require approval

Representative: EU representative appointed as required

United Kingdom (UK GDPR)

Status: ✅ Compliant

Post-Brexit compliance:

  • UK representative appointed

  • ICO registration

  • UK-specific DPA available

Canada (PIPEDA)

Status: ✅ Compliant

  • Consent for collection

  • Purpose specification

  • Limited collection

  • Accuracy

  • Safeguards

  • Openness

  • Individual access

  • Challenging compliance

Australia (Privacy Act)

Status: ✅ Compliant

Australian Privacy Principles (APPs) covered.

Industry-Specific Compliance

Financial Services

SOX (Sarbanes-Oxley):

  • Audit trails

  • Data integrity

  • Access controls

  • Change management

GLBA (Gramm-Leach-Bliley):

  • Information security program

  • Safeguard customer data

  • Privacy notices

Government

FedRAMP: 🔄 Roadmap (for government customers)

ITAR: Not certified (contact for defense use cases)

Education

FERPA:

  • Student record protection

  • Access limitations

  • Directory information controls

COPPA:

  • Parental consent (users under 13)

  • Data minimization

  • Secure deletion

Compliance Tools

Data Processing Agreement (DPA)

Download: Available in Settings → Legal

Covers:

  • Roles and responsibilities

  • Data processing terms

  • Security measures

  • Sub-processors

  • Data subject rights

  • Audit rights

Sub-Processors

We use these sub-processors:

Name       Purpose             Location
AWS        Infrastructure      Global
OpenAI     LLM processing      US
Pinecone   Vector database     US
Stripe     Payment processing  Global

List: Updated at legal.twig.so/subprocessors

Security Questionnaires

Need a security assessment?

  • Standard questionnaire: Auto-filled via Trust Center

  • Custom questionnaire: Email to [email protected]

  • Typical turnaround: 3-5 business days

Audit & Reporting

Compliance Reports

Available reports:

  • SOC 2 Type II report

  • Penetration test results (annual)

  • Vulnerability scan results (quarterly)

  • Compliance certifications

  • Security whitepaper

Access: Contact [email protected]

Regular Audits

Internal:

  • Quarterly security reviews

  • Monthly access audits

  • Weekly vulnerability scans

External:

  • Annual SOC 2 audit

  • Annual penetration testing

  • Quarterly compliance reviews

Audit Logs

All compliance-relevant activities are logged:

  • Data access

  • Configuration changes

  • User management

  • Permission modifications

  • Data exports/deletions

  • Security events

Retention: 7 years for compliance purposes

Your Compliance Obligations

As a Customer

When using Twig AI, you should:

Provide Accurate Information

  • During registration

  • In data processing agreements

Secure Your Account

  • Strong passwords

  • Enable MFA

  • Protect API keys

Manage User Access

  • Review permissions regularly

  • Remove inactive users

  • Follow least privilege

Monitor Usage

  • Review audit logs

  • Investigate anomalies

  • Report security incidents

Understand Data Flows

  • Know what data you're uploading

  • Classify data appropriately

  • Apply proper controls

Data Subject Requests

Handling User Requests

When end users request access to or deletion of their data:

  1. Verify Identity: Confirm requestor identity

  2. Locate Data: Use search tools

  3. Fulfill Request:

    • Access: Export data

    • Deletion: Anonymize or delete

    • Correction: Update records

  4. Timeline: 30 days (GDPR), 45 days (CCPA)

  5. Document: Log request fulfillment

Tool Support:

  • Automated DSR processing

Breach Notification

Our Process

If a breach occurs:

  1. < 1 hour: Detect and contain

  2. < 6 hours: Assess scope

  3. < 72 hours: Notify affected parties and authorities

  4. < 7 days: Publish incident report

What We Notify

  • What happened

  • What data was affected

  • What we've done

  • What you should do

  • How to contact us

Industry Best Practices

For Healthcare

  ✅ HIPAA BAA required

  ✅ Minimum necessary access

  ✅ Encrypted storage

  ✅ Audit trails

  ✅ Access controls

  ✅ Breach notification procedures

For Finance

  ✅ SOX controls

  ✅ GLBA safeguards

  ✅ Data integrity

  ✅ Audit trails

  ✅ Access reviews

For Education

  ✅ FERPA compliance

  ✅ COPPA for minors

  ✅ Student data protection

  ✅ Parental consent mechanisms

Compliance Checklist

Before deploying Twig AI:

Next Steps

Contact

Compliance Questions: [email protected]

DPA Requests: [email protected]

Security Questions: [email protected]
