SecureAI is designed to operate within regulated environments common in the automotive aftermarket industry. This article explains which compliance frameworks SecureAI supports, what controls are in place for each, and how your organization can verify compliance posture.
Overview
Organizations using SecureAI may be subject to data protection regulations depending on where they operate, what data they handle, and which industries they serve. SecureAI supports compliance with the following frameworks:
| Framework | Scope | SecureAI Coverage |
|---|---|---|
| SOC 2 Type II | Security, availability, and confidentiality controls | Infrastructure-level controls via GCP; application-level controls documented in audit reports |
| GDPR | Personal data protection for EU/EEA residents | Data processing agreements, data subject rights, data residency options |
| HIPAA | Protected health information (PHI) for US healthcare-adjacent organizations | Business Associate Agreements, encryption controls, access audit logging |
Note: SecureAI is a support tool for the automotive aftermarket industry. HIPAA applicability depends on whether your organization handles protected health information through the platform (e.g., employee benefits data, insurance claim information).
SOC 2 Type II
What SOC 2 Covers
SOC 2 (Service Organization Control 2) evaluates an organization's controls related to security, availability, processing integrity, confidentiality, and privacy. A Type II report covers a specific audit period (typically 6-12 months) and validates that controls were operating effectively throughout that period.
SecureAI's SOC 2 Posture
SecureAI's infrastructure runs on Google Cloud Platform, which maintains its own SOC 2 Type II certification. SecureAI layers additional application-level controls on top of GCP's infrastructure:
| Control Area | Implementation |
|---|---|
| Access control | Role-based access control (RBAC), SSO integration (SAML/OIDC), multi-factor authentication support |
| Encryption | AES-256 at rest (with optional CMEK), TLS 1.2+ in transit, mTLS for internal service communication |
| Audit logging | All administrative actions logged with timestamps, user identity, and action details |
| Incident response | Defined incident response procedures, automated alerting, documented escalation paths |
| Change management | Version-controlled infrastructure, deployment approval processes, rollback capabilities |
Requesting the Audit Report
To obtain SecureAI's current SOC 2 Type II audit report:
- Contact your account representative.
- Sign the required non-disclosure agreement (NDA). SOC 2 reports contain sensitive control details and are shared under NDA.
- The report will be delivered securely, typically within 5 business days.
The report covers the most recent audit period. If your compliance team requires a bridge letter for gaps between audit periods, request this at the same time.
Mapping SOC 2 to Your Audit
If your organization is undergoing its own SOC 2 audit and relies on SecureAI as a subservice organization:
- Reference SecureAI's SOC 2 report in your Complementary Subservice Organization Controls (CSOCs) section.
- Your auditor may issue a Complementary User Entity Controls (CUECs) list — these are controls your organization is responsible for (e.g., managing user access, configuring retention policies).
- Common CUECs for SecureAI include: provisioning and deprovisioning users promptly, enforcing MFA through your SSO provider, and reviewing audit logs regularly.
GDPR
Applicability
The General Data Protection Regulation applies if your organization:
- Is established in the EU/EEA, or
- Processes personal data of individuals located in the EU/EEA, regardless of where your organization is based.
In the automotive aftermarket context, this commonly applies when customer interaction data (names, vehicle identification numbers, service history) is processed through SecureAI.
Data Processing Agreement (DPA)
GDPR Article 28 requires a Data Processing Agreement between data controllers (your organization) and data processors (SecureAI). SecureAI's DPA covers:
| DPA Element | Details |
|---|---|
| Processing purposes | Providing AI-assisted support functionality as directed by your organization |
| Data categories | Conversation content, uploaded documents, user account information, usage metadata |
| Sub-processors | AI model providers, GCP infrastructure services — full list available in the DPA |
| Data transfers | Mechanisms for international transfers (Standard Contractual Clauses where applicable) |
| Security measures | Technical and organizational measures described in the DPA annex |
To request a DPA:
- Contact your account representative.
- Provide your organization's legal entity name and DPO contact (if applicable).
- SecureAI will provide the standard DPA for review and countersignature.
Data Subject Rights
GDPR grants individuals specific rights over their personal data. SecureAI supports these through the following mechanisms:
| Right | How SecureAI Supports It |
|---|---|
| Right of access (Art. 15) | Administrators can export a user's conversation history and account data via the admin panel or API |
| Right to rectification (Art. 16) | Administrators can update user profile information; conversation content cannot be edited after creation |
| Right to erasure (Art. 17) | Administrators can delete individual users' conversations, uploaded documents, and account data |
| Right to data portability (Art. 20) | Data export is available in JSON format through the admin panel or API |
| Right to restriction (Art. 18) | User accounts can be deactivated, which halts processing while preserving data for audit |
Important: Your organization, as the data controller, is responsible for responding to data subject requests. SecureAI provides the tools; your administrators execute the requests according to your internal procedures.
Data Residency
By default, SecureAI stores data in GCP's us-central1 region (United States). For organizations with EU data residency requirements:
- EU hosting is available in the europe-west1 (Belgium) region. Discuss this option during onboarding or with your account representative.
- Data residency applies to all stored data: conversations, uploaded documents, user accounts, and audit logs.
- AI model provider interactions may involve data transfer to the model provider's infrastructure. The DPA documents these transfers and the safeguards in place.
HIPAA
Applicability
The Health Insurance Portability and Accountability Act applies to covered entities and their business associates that handle protected health information (PHI). In the automotive aftermarket, HIPAA may apply if your organization:
- Processes employee benefits or insurance information through SecureAI.
- Handles insurance claim data related to vehicle repairs or accidents.
- Operates in a capacity that intersects with healthcare services.
Note: Most automotive aftermarket organizations do not handle PHI through SecureAI. If you are unsure whether HIPAA applies to your use case, consult your compliance or legal team before configuring HIPAA-specific controls.
Business Associate Agreement (BAA)
If HIPAA applies to your organization's use of SecureAI, a Business Associate Agreement is required. The BAA establishes:
- SecureAI's obligations for safeguarding PHI.
- Permitted uses and disclosures of PHI.
- Breach notification procedures and timelines.
- Requirements for returning or destroying PHI at contract termination.
To request a BAA:
- Contact your account representative.
- Confirm that your use case involves PHI.
- SecureAI will provide the standard BAA for review and execution.
HIPAA Technical Safeguards
When a BAA is in place, SecureAI provides the following technical safeguards:
| Safeguard | Implementation |
|---|---|
| Access controls | Unique user identification, role-based access, automatic session timeout |
| Audit controls | Comprehensive audit logging of all access to and actions on data |
| Integrity controls | Encryption at rest and in transit, checksums on stored documents |
| Transmission security | TLS 1.2+ for all data transmission, mTLS for internal communication |
| Encryption | AES-256 at rest with CMEK support, ensuring PHI is encrypted at all times |
Administrative Responsibilities
Under HIPAA, your organization retains responsibility for:
- Ensuring only authorized personnel access PHI through SecureAI.
- Training users on handling PHI within the platform.
- Configuring data retention policies that meet minimum HIPAA retention requirements (typically 6 years for administrative records).
- Reporting suspected breaches according to your organization's incident response plan.
Audit Readiness
Preparing for a Compliance Audit
To prepare your organization for an audit involving SecureAI:
Gather documentation:
- SecureAI's SOC 2 Type II report (request from your account representative).
- Your executed DPA and/or BAA.
- Your organization's configured security settings (export from admin panel).
Review access controls:
- Verify that user roles match actual responsibilities (no over-provisioned accounts).
- Confirm that deactivated users have been removed promptly.
- Review API token inventory and revoke unused tokens.
Review audit logs:
- Export audit logs covering the audit period.
- Verify that logging is enabled for all required event types.
- Confirm that audit log retention meets your compliance framework's requirements.
Verify data retention settings:
- Confirm that retention policies for conversations, documents, and audit logs align with regulatory minimums.
- Document any per-user or per-group retention overrides.
Document data flows:
- Map how data enters SecureAI (user input, document uploads, API integrations).
- Map how data exits SecureAI (exports, model provider interactions, audit log exports).
- Identify all sub-processors and their roles.
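One way to turn the "review audit logs" step above into a repeatable check, as an added example that is not part of this article or of SecureAI's own tooling: it reads an exported audit log, reports which expected administrative event types never appear in the audit period, and flags stretches of the period with no events at all (a sign that logging was disabled or the export is incomplete). The JSON-lines layout, the field names `ts`/`actor`/`action`, the action names and the sample records are all assumptions constructed for illustration; substitute the schema of your real export.

```python
import json
from datetime import datetime, timedelta

# Constructed sample of an audit log export in JSON-lines form. Field names,
# action names and records are assumptions for this example only.
SAMPLE_EXPORT = """\
{"ts": "2024-01-02T09:00:00Z", "actor": "admin@example.com", "action": "user.create"}
{"ts": "2024-01-15T10:30:00Z", "actor": "admin@example.com", "action": "retention.update"}
{"ts": "2024-03-01T08:00:00Z", "actor": "admin@example.com", "action": "user.deactivate"}
{"ts": "2024-03-20T11:00:00Z", "actor": "admin@example.com", "action": "api_token.create"}
{"ts": "2024-04-15T09:15:00Z", "actor": "admin@example.com", "action": "user.create"}
{"ts": "2024-05-10T13:00:00Z", "actor": "admin@example.com", "action": "user.deactivate"}
{"ts": "2024-06-05T10:00:00Z", "actor": "admin@example.com", "action": "user.create"}
{"ts": "2024-06-28T16:45:00Z", "actor": "admin@example.com", "action": "retention.update"}
"""

# Administrative event types an auditor would expect to see at least once in
# the period (assumed list; align it with the CUECs your auditor gives you).
REQUIRED_ACTIONS = {"user.create", "user.deactivate", "retention.update",
                    "api_token.create", "api_token.revoke"}


def parse_ts(value):
    """Parse an ISO 8601 timestamp, accepting a trailing 'Z' for UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_export(text):
    """Parse a JSON-lines export into a time-sorted list of (ts, actor, action)."""
    events = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            events.append((parse_ts(rec["ts"]), rec["actor"], rec["action"]))
    return sorted(events)


def check_audit_evidence(events, period_start, period_end, max_gap_days=30):
    """Return the required action types never seen in the period and every
    stretch longer than max_gap_days (period boundaries included) with no
    events, which an auditor will read as a possible logging gap."""
    start, end = parse_ts(period_start), parse_ts(period_end)
    in_period = [(ts, a, act) for ts, a, act in events if start <= ts <= end]
    seen = {action for _, _, action in in_period}
    timeline = [start] + [ts for ts, _, _ in in_period] + [end]
    gaps = [(a.date().isoformat(), b.date().isoformat())
            for a, b in zip(timeline, timeline[1:])
            if b - a > timedelta(days=max_gap_days)]
    return {"missing_actions": sorted(REQUIRED_ACTIONS - seen), "gaps": gaps}


if __name__ == "__main__":
    events = parse_export(SAMPLE_EXPORT)
    print(check_audit_evidence(events, "2024-01-01T00:00:00Z", "2024-06-30T23:59:59Z"))
```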
Evidence Artifacts Available from SecureAI
| Artifact | How to Obtain |
|---|---|
| SOC 2 Type II report | Request from account representative (NDA required) |
| Data Processing Agreement | Request from account representative |
| Business Associate Agreement | Request from account representative (HIPAA only) |
| Sub-processor list | Included in DPA; updated list available on request |
| Audit log exports | Admin Panel > Audit Logs > Export |
| Security configuration summary | Admin Panel > Settings > Export Configuration |
| Data retention policy summary | Admin Panel > Settings > Data & Privacy |
| Penetration test summary | Request from account representative (NDA required) |
Data Residency Options
SecureAI supports data residency in the following regions:
| Region | GCP Location | Availability |
|---|---|---|
| United States | us-central1 (Iowa) | Default for all organizations |
| European Union | europe-west1 (Belgium) | Available on request during onboarding |
| Additional regions | Contact account representative | Available for enterprise agreements |
Data residency applies to all stored data. To change your data residency region after initial deployment, contact your account representative — migration requires a planned maintenance window and may involve temporary service interruption.
Frequently Asked Questions
Is SecureAI SOC 2 certified?
SecureAI's hosting infrastructure (GCP) maintains SOC 2 Type II certification. SecureAI maintains its own application-level controls and provides a SOC 2 Type II audit report covering these controls. Contact your account representative to request the report.
Does SecureAI sign DPAs for GDPR?
Yes. SecureAI provides a standard Data Processing Agreement. Contact your account representative to request one.
Does SecureAI sign BAAs for HIPAA?
Yes, for organizations whose use case involves protected health information. Contact your account representative to confirm applicability and request a BAA.
Can I store data exclusively in the EU?
Yes. EU data residency is available in the europe-west1 (Belgium) region. This must be configured during onboarding or through a migration arranged with your account representative.
How do I prove SecureAI's compliance to my auditor?
Request the SOC 2 Type II report and your executed DPA/BAA. These documents, combined with your organization's configured security settings (exportable from the admin panel), provide the evidence most auditors require.
What compliance frameworks are on SecureAI's roadmap?
SecureAI continuously evaluates additional certifications based on customer demand. Current considerations include ISO 27001 and SOC 2 + HITRUST. Contact your account representative for the latest roadmap.
Related Articles
- How SecureAI Handles Your Data
- Configuring Data Retention Policies
- Setting Up IP Allowlisting for Enterprise Access
- How to Configure SAML SSO
- How to Configure OIDC SSO
Questions
For compliance-specific questions, to request audit reports, DPAs, or BAAs, or to discuss data residency options, contact your account representative.