TRUST

Built for regulated workloads from day one.

Cryptographic audit chain, GDPR data subject portal, EU AI Act compliance posture, SOC 2 in progress.

SOC 2 TYPE II

Audit underway. Estimated certification: Q4 2026.

GDPR

Full data subject portal. Export + delete on demand.

EU AI ACT

High-risk classification compliance; the audit chain meets transparency requirements.

HIPAA

BAA-eligible on Enterprise tier. Sovereign deployments are HIPAA-isolated.

PCI DSS

Payments rail through Stripe (PCI Level 1). We never see card numbers.

ISO 27001

Roadmap: Q2 2027. Sovereign deployments are ISO-isolated.

The audit chain is the moat

Every action on OpenHeab writes a SHA-256 hash chained to the previous record's hash. The chain is publicly verifiable at /v1/audit/verify. Tampering with any record breaks the chain at every subsequent record. Regulators love this.
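
How a chain like this is checked, as an added example that is not OpenHeab's code and does not call /v1/audit/verify: the record layout (payload, prev_hash, hash), the GENESIS value and the function names are assumptions made for illustration. It goes one step beyond the text by comparing the recomputed head with a head hash the verifier saved earlier, which is what catches a chain that was rewritten and rehashed from the edited record onward.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumption: prev_hash value used for the first record

def record_hash(prev_hash, payload):
    """SHA-256 over the previous hash plus canonical JSON of the payload."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

def build_chain(payloads):
    """Link each record to the hash of the one before it."""
    chain, prev = [], GENESIS
    for payload in payloads:
        digest = record_hash(prev, payload)
        chain.append({"payload": payload, "prev_hash": prev, "hash": digest})
        prev = digest
    return chain

def verify_chain(chain, pinned_head=None):
    """Recompute from GENESIS; return (bad_indices, head_ok).
    head_ok is None when no previously saved head hash is supplied."""
    bad, prev = [], GENESIS
    for i, rec in enumerate(chain):
        expected = record_hash(prev, rec["payload"])
        if rec["prev_hash"] != prev or rec["hash"] != expected:
            bad.append(i)
        prev = expected  # carry the recomputed value forward, not the stored one
    head_ok = None if pinned_head is None else prev == pinned_head
    return bad, head_ok

# Constructed sample events (not real audit data)
EVENTS = [
    {"actor": "alice", "action": "login"},
    {"actor": "alice", "action": "export", "rows": 10},
    {"actor": "bob", "action": "delete", "id": 7},
    {"actor": "bob", "action": "logout"},
]

if __name__ == "__main__":
    chain = build_chain([dict(e) for e in EVENTS])
    head = chain[-1]["hash"]
    print(verify_chain(chain, head))
    chain[1]["payload"]["rows"] = 10000  # edit one record in place
    print(verify_chain(chain, head))
    rewritten = build_chain([r["payload"] for r in chain])  # recompute every hash
    print(verify_chain(rewritten, head))
```

Editing one record flags it and every record after it; a fully recomputed chain passes the internal check and fails only the comparison with the saved head, so an auditor should record the head hash out of band at intervals.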

Data residency

Hosted plan: US (Virginia) or EU (Frankfurt). Sovereign plan: customer-chosen region.