Compliance
SOC 2
Status
BehalfID has not yet completed a SOC 2 Type II audit. We are currently implementing the organizational and technical controls required to achieve SOC 2 Type II certification across the Security, Availability, and Confidentiality trust service criteria.
Controls in place
The following SOC 2-relevant controls are already operational:
- CC6 — Logical and physical access controls. Access to production systems is restricted to authorized personnel. API keys are one-way hashed; session tokens are HTTP-only and short-lived.
- CC7 — System operations. Audit logs record every permission decision with a stable request ID, timestamp, agent, action, and outcome. Logs are retained for 90 days.
- CC9 — Risk mitigation. Rate limiting, HMAC-verified webhooks, and fail-closed enforcement are built into the verification API.
- A1 — Availability. The service is hosted on Vercel with automatic redundancy and global edge delivery. MongoDB Atlas provides managed database availability.
- C1 — Confidentiality. Secrets (API keys, webhook signing secrets, passport tokens) are hashed or stored only by the processor (Stripe). No plaintext secrets are stored.
In progress
- Formal information security policy and risk register
- Vendor risk assessments for all sub-processors
- Employee security awareness training program
- Incident response and business continuity plan
- Change management policy and access review cadence
- Third-party penetration test
- Engagement with a licensed CPA firm for Type II audit
If your organization requires SOC 2 documentation or has a questionnaire, contact legal@behalfid.com.
ISO 27001
Status
BehalfID has not yet obtained ISO 27001 certification. ISO 27001 requires establishing a formal Information Security Management System (ISMS) and undergoing an accredited third-party audit. We are building the controls foundation required for future certification.
Annex A alignment
The following ISO 27001:2022 Annex A control families are partially or fully addressed in the current build:
- A.5 — Organizational controls. Acceptable use policy embedded in Terms of Service (§5). Data classification implicit in retention schedules.
- A.8 — Asset management. All data categories documented in the Privacy Policy. Retention and deletion schedules defined.
- A.5.14 — Information transfer. All data in transit over TLS; webhooks signed with HMAC-SHA256; secrets never transmitted in plaintext after issuance.
- A.8.5 — Secure authentication. Passwords hashed with scrypt; session tokens HTTP-only; API keys stored as SHA-256 hashes only.
- A.8.15 — Logging. Audit logs for every verification decision; consent state logged server-side; 90-day retention with automatic purge.
- A.5.29 — Information security during disruption. Rate limiting and fail-closed enforcement prevent abuse during outages or attacks.
Gaps being addressed
- Formal ISMS scope document and policy hierarchy
- Statement of Applicability (SoA)
- Asset register and risk treatment plan
- Internal audit cadence and management review process
- Supplier security evaluation policy (A.5.19–A.5.22)
HIPAA
Status
BehalfID does not collect, store, or process Protected Health Information (PHI) in the course of its normal operation. BehalfID is a permission-verification and audit-logging platform — it records decisions about agent actions, not the content of those actions.
Developer responsibilities
If you use BehalfID as part of a system that handles PHI (for example, an AI agent operating in a healthcare workflow), you are responsible for:
- Not passing PHI as metadata. Verification call metadata fields (e.g., vendor, resource, metadata) should not contain PHI. If BEHALFID_LOG_METADATA is enabled, those fields are stored in audit logs for 90 days.
- Ensuring your integration is the enforcement layer. BehalfID issues permission decisions; your application is responsible for the actual action execution and for protecting any PHI involved.
- Your own HIPAA compliance. Your application, database, and any AI provider you use must be independently HIPAA-compliant.
Business Associate Agreement
If your organization requires a Business Associate Agreement (BAA) as part of a HIPAA-covered deployment, contact legal@behalfid.com to request one. We will review the deployment context and execute a BAA where appropriate.
Technical safeguards in place
- All data encrypted in transit (TLS 1.2+) — aligns with HIPAA Technical Safeguards §164.312(e).
- Access controls: API keys, sessions, and role scoping — aligns with §164.312(a).
- Audit logs for all verification decisions — aligns with §164.312(b).
- Automatic log purge (90 days) limits unnecessary PHI retention exposure.
GDPR
Status
BehalfID processes personal data of EU/EEA residents (primarily developer account data and verification logs) and takes the following steps to comply with the General Data Protection Regulation (GDPR):
Lawful basis for processing
- Contract (Art. 6(1)(b)). Account data, API key hashes, agent configurations, and verification logs are processed to fulfill the service contract with developers.
- Legitimate interests (Art. 6(1)(f)). IP addresses for rate limiting and abuse prevention.
- Legal obligation (Art. 6(1)(c)). Billing data retained for statutory accounting periods.
Data subject rights
You can exercise any of the following rights by emailing legal@behalfid.com. We respond within 30 days.
- Right of access (Art. 15) — request a copy of your data.
- Right to rectification (Art. 16) — correct inaccurate data.
- Right to erasure (Art. 17) — delete your account and data.
- Right to restrict processing (Art. 18) — pause processing while a dispute is resolved.
- Right to data portability (Art. 20) — export your account data in a machine-readable format.
- Right to object (Art. 21) — object to processing based on legitimate interests.
Verification logs can also be deleted immediately from the dashboard logs page.
Data transfers
Data may be processed in the United States by Vercel and MongoDB Atlas. Both processors operate under Standard Contractual Clauses (SCCs) for cross-border transfers. Stripe processes billing data under its own EU data transfer mechanisms.
Data Protection Officer
BehalfID does not currently have a formally appointed DPO (not required for organizations of our size where processing is not a core activity). Data protection enquiries should be directed to legal@behalfid.com.
CCPA / CPRA
Status
The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) grant California residents certain rights over their personal information. BehalfID's practices with respect to these rights:
Your rights under CCPA/CPRA
- Right to know. You have the right to know what personal information we collect, use, disclose, and retain. Our Privacy Policy fully describes these categories and purposes.
- Right to delete. You have the right to request deletion of personal information we hold about you. Email legal@behalfid.com or delete verification logs directly from the dashboard.
- Right to correct. You have the right to request correction of inaccurate personal information.
- Right to opt out of sale or sharing. BehalfID does not sell or share personal information for cross-context behavioral advertising. There is nothing to opt out of.
- Right to limit use of sensitive personal information. We do not process sensitive personal information as defined under CPRA beyond what is necessary to provide the service.
- Non-discrimination. We will not discriminate against you for exercising any of these rights.
Submitting a request
To exercise any California privacy right, email legal@behalfid.com with the subject line “CCPA Request.” We respond within 45 days.
Technical controls summary
The following controls are operational across all compliance frameworks:
- All data in transit encrypted with TLS 1.2+
- API keys stored only as SHA-256 hashes — never in plaintext
- Developer passwords hashed with scrypt
- Session cookies are HTTP-only, SameSite-strict, and expire after 30 days of inactivity
- Webhook payloads signed with HMAC-SHA256; signatures verified before processing
- Verification logs retained for 90 days, webhook delivery records for 30 days
- Rate limiting on all public endpoints to prevent abuse
- Audit trail of every permission decision (agent ID, action, outcome, timestamp)
- IP addresses used only for rate limiting; not persisted or linked to accounts
- No third-party analytics, advertising trackers, or cross-site tracking scripts
For a detailed technical breakdown of the enforcement model, secrets handling, and known limitations, see the Security and Trust page.
Contact
For compliance questions, security disclosures, BAA requests, or data subject requests:
- Legal / compliance: legal@behalfid.com
- Security disclosures: security@behalfid.com
See also: Privacy Policy · Terms of Service · Security and Trust