Compliance

Deeployd provides enterprise-grade compliance features to help you meet regulatory requirements and maintain strong governance over your AI operations.

Supported Frameworks

SOC 2 Type II

Deeployd maintains SOC 2 Type II compliance, covering:

Security: Protection against unauthorized access
Availability: System uptime and reliability
Processing Integrity: Accurate and complete processing
Confidentiality: Protection of confidential information
Privacy: Personal information handling

For European customers, Deeployd supports GDPR compliance:

Data Processing Agreements (DPA) available
Right to erasure (data deletion)
Data portability
Consent management
Data minimization

HIPAA (Business Plan+)

Healthcare customers can achieve HIPAA compliance:

Business Associate Agreement (BAA) available
PHI encryption at rest and in transit
Audit logging for all PHI access
Access controls and authentication

ISO 27001

Deeployd's security practices align with ISO 27001:

Information security management system (ISMS)
Risk assessment and treatment
Security controls and policies
Continuous improvement

Data Handling

Encryption

All data is encrypted:

Data State	Encryption
At Rest	AES-256
In Transit	TLS 1.3
Backups	AES-256
API Keys	Hashed (bcrypt)

Data Residency

Choose where your data is stored:

Region	Location
US	AWS us-east-1 (N. Virginia)
EU	AWS eu-west-1 (Ireland)
APAC	AWS ap-southeast-1 (Singapore)

Enterprise customers can request additional regions.

Data Isolation

Multi-tenant architecture with strict isolation:

Tenant-level database isolation
Separate encryption keys per tenant
Network-level segmentation
No cross-tenant data access

Audit Logging

What's Logged

All sensitive operations are logged:

Category	Events
Authentication	Login, logout, MFA events
Agents	Create, update, delete, execute
Data Access	Memory reads/writes, API calls
Admin Actions	User management, settings changes
Security Events	Failed logins, permission changes

Log Format

{
  "id": "log_abc123",
  "timestamp": "2024-01-15T10:00:00Z",
  "tenantId": "tenant_xyz",
  "userId": "user_456",
  "action": "agent.execute",
  "resourceType": "agent",
  "resourceId": "agent_789",
  "ipAddress": "192.168.1.100",
  "userAgent": "Mozilla/5.0...",
  "success": true,
  "metadata": {
    "agentName": "Support Agent",
    "executionTime": 1500
  }
}

Log Access

const logs = await client.audit.list({
  startDate: '2024-01-01',
  endDate: '2024-01-31',
  action: 'agent.execute',
  userId: 'user-123'
});

Log Export

Export logs to external SIEM systems:

Splunk
Datadog
Sumo Logic
AWS CloudWatch
Custom webhook

Access Controls

Role-Based Access Control (RBAC)

Role	Permissions
Viewer	Read agents, view conversations
Developer	Create/edit agents, run tasks
Admin	Manage users, settings, billing
Owner	Full access, transfer ownership

Custom Roles

Create custom roles for fine-grained control:

await client.roles.create({
  name: 'Support Manager',
  permissions: [
    'agents:read',
    'agents:execute',
    'conversations:read',
    'conversations:write',
    'tasks:read'
  ]
});

IP Allowlisting

Restrict access to specific IP ranges:

await client.security.setIpAllowlist({
  enabled: true,
  ranges: [
    '192.168.1.0/24',
    '10.0.0.0/8'
  ]
});

Retention

Data Retention Policies

Configure how long data is retained:

Data Type	Default Retention	Configurable
Conversation Messages	90 days	Yes
Agent Memory	Indefinite	Yes
Audit Logs	1 year	Yes (min 90 days)
Task Runs	30 days	Yes
Analytics	2 years	Yes

Configure Retention

await client.compliance.setRetentionPolicy({
  conversationMessages: {
    retentionDays: 365,
    deleteAfterExpiry: true
  },
  auditLogs: {
    retentionDays: 730, // 2 years
    archiveAfterDays: 365
  },
  taskRuns: {
    retentionDays: 90
  }
});

Automated Deletion

Enable automatic data deletion:

await client.compliance.enableAutoDeletion({
  enabled: true,
  gracePeriodDays: 7, // Warning before deletion
  notifyAdmins: true
});

Data Export Before Deletion

Export data before automatic deletion:

await client.compliance.setPreDeletionExport({
  enabled: true,
  destination: 's3://your-bucket/exports',
  format: 'json'
});

Legal Hold

Prevent deletion for compliance/legal reasons:

// Place data on legal hold
await client.compliance.createLegalHold({
  name: 'Investigation 2024-001',
  scope: {
    userIds: ['user-123'],
    dateRange: {
      start: '2024-01-01',
      end: '2024-03-31'
    }
  }
});

// Data under hold won't be deleted

Privacy Controls

Data Minimization

Control what data agents can access:

await client.agents.update('agent-123', {
  dataAccess: {
    piiAccess: false,
    allowedFields: ['name', 'email'],
    blockedFields: ['ssn', 'credit_card']
  }
});

Track user consent:

await client.privacy.recordConsent({
  userId: 'user-123',
  consentType: 'data_processing',
  granted: true,
  timestamp: new Date().toISOString(),
  source: 'web_form'
});

Data Subject Requests

Handle GDPR/CCPA requests:

// Right to access
const data = await client.privacy.exportUserData('user-123');

// Right to erasure
await client.privacy.deleteUserData('user-123', {
  includeConversations: true,
  includeMemory: true,
  retainAuditLogs: true // May be required for compliance
});

// Right to portability
const export = await client.privacy.exportPortable('user-123', {
  format: 'json',
  includeAgentInteractions: true
});

Certifications & Reports

Available Documents

Document	Availability
SOC 2 Type II Report	On request (NDA)
Penetration Test Summary	On request
Privacy Policy	Public
Terms of Service	Public
DPA	On request
BAA (HIPAA)	Enterprise only

Request Documents

Contact compliance@deeployd.com or through the Dashboard:

Go to Settings → Security
Click Compliance Documents
Request specific documents

Compliance Dashboard

Monitor your compliance posture:

Go to Settings → Compliance
View compliance score
See outstanding items
Download reports

Compliance Score

Your compliance score is based on:

MFA adoption rate
SSO configuration
Audit log retention
Data retention policies
IP allowlisting
Role configuration

Best Practices

1. Enable MFA

Require MFA for all users, especially admins.

2. Use SSO

Integrate with your identity provider for centralized access control.

3. Configure Retention

Set appropriate retention policies for your compliance needs.

4. Monitor Audit Logs

Regularly review audit logs for suspicious activity.

5. Limit Permissions

Follow the principle of least privilege for user roles.

6. Regular Access Reviews

Periodically review who has access to what.

Next: Learn about Audit Logs for detailed activity tracking.

Supported Frameworks​

SOC 2 Type II​

GDPR​

HIPAA (Business Plan+)​

ISO 27001​

Data Handling​

Encryption​

Data Residency​

Data Isolation​

Audit Logging​

What's Logged​

Log Format​

Log Access​

Log Export​

Access Controls​

Role-Based Access Control (RBAC)​

Custom Roles​

IP Allowlisting​

Retention​

Data Retention Policies​

Configure Retention​

Automated Deletion​

Data Export Before Deletion​

Legal Hold​

Privacy Controls​

Data Minimization​

Consent Management​

Data Subject Requests​

Certifications & Reports​

Available Documents​

Request Documents​

Compliance Dashboard​

Compliance Score​

Best Practices​

1. Enable MFA​

2. Use SSO​

3. Configure Retention​

4. Monitor Audit Logs​

5. Limit Permissions​

6. Regular Access Reviews​