Compliance

Twig AI maintains rigorous compliance with industry standards and regulations to protect your data and meet enterprise requirements.

Key Takeaways

  • Certifications & Standards
  • Regional Compliance
  • Industry-Specific Compliance
  • Compliance Tools
  • Audit & Reporting
  • Your Compliance Obligations

Certifications & Standards

SOC 2 Type II

Status: ✅ Certified (audited annually)

Covers:

  • Security
  • Availability
  • Processing Integrity
  • Confidentiality
  • Privacy

Audit Firm: [Major accounting firm]
Report: Available under NDA upon request

Controls:

  • Access controls
  • Encryption
  • Network security
  • Incident response
  • Change management
  • Monitoring and logging

ISO 27001

Status: 🔄 In progress (certification expected Q2 2024)

Information Security Management System covering:

  • Risk assessment
  • Security policies
  • Asset management
  • Access control
  • Cryptography
  • Incident management

GDPR (General Data Protection Regulation)

Status: ✅ Compliant

Requirements Met:

  • Lawful basis for processing
  • Consent management
  • Data subject rights
    • Right to access
    • Right to deletion
    • Right to portability
    • Right to rectification
  • Data Protection Impact Assessments (DPIA)
  • Data Processing Agreements (DPA)
  • Breach notification (< 72 hours)
  • Privacy by design and default
  • Data Protection Officer appointed

DPA: Available at legal.twig.so/dpa

CCPA (California Consumer Privacy Act)

Status: ✅ Compliant

Rights Provided:

  • Right to know what data is collected
  • Right to delete personal information
  • Right to opt-out of sale (we don't sell data)
  • Right to non-discrimination
  • Right to correct inaccurate information

Privacy Notice: privacy.twig.so

HIPAA (Health Insurance Portability and Accountability Act)

Status: ✅ Available for Enterprise customers

Requirements:

  • Business Associate Agreement (BAA)
  • Administrative safeguards
  • Physical safeguards
  • Technical safeguards
    • Access controls
    • Audit controls
    • Integrity controls
    • Transmission security
  • Breach notification
  • Minimum necessary standard

BAA Process:

  1. Contact sales@twig.so
  2. Sign Business Associate Agreement
  3. HIPAA-compliant infrastructure provisioned
  4. Additional security controls enabled
  5. Regular compliance audits

Use Cases:

  • Healthcare providers
  • Health insurance
  • Healthcare clearinghouses
  • Business associates handling PHI

PCI DSS (Payment Card Industry Data Security Standard)

Status: Not applicable (we don't handle payment cards)

Payment Processing:

  • Handled by Stripe (PCI Level 1 compliant)
  • No card data touches our servers
  • Secure tokenization

Regional Compliance

European Union

GDPR Coverage:

  • Data residency in EU (Frankfurt)
  • EU-based support team available
  • Standard Contractual Clauses (SCC)
  • Transfers outside EU require approval

Representative: EU representative appointed as required

United Kingdom (UK GDPR)

Status: ✅ Compliant

Post-Brexit compliance:

  • UK representative appointed
  • ICO registration
  • UK-specific DPA available

Canada (PIPEDA)

Status: ✅ Compliant

  • Consent for collection
  • Purpose specification
  • Limited collection
  • Accuracy
  • Safeguards
  • Openness
  • Individual access
  • Challenging compliance

Australia (Privacy Act)

Status: ✅ Compliant

Australian Privacy Principles (APPs) covered.

Industry-Specific Compliance

Financial Services

SOX (Sarbanes-Oxley):

  • Audit trails
  • Data integrity
  • Access controls
  • Change management

GLBA (Gramm-Leach-Bliley):

  • Information security program
  • Safeguard customer data
  • Privacy notices

Government

FedRAMP: 🔄 On the roadmap (for government customers)

ITAR: Not certified (contact us for defense use cases)

Education

FERPA:

  • Student record protection
  • Access limitations
  • Directory information controls

COPPA:

  • Parental consent (users under 13)
  • Data minimization
  • Secure deletion

Compliance Tools

Data Processing Agreement (DPA)

Download: Available in Settings → Legal

Covers:

  • Roles and responsibilities
  • Data processing terms
  • Security measures
  • Sub-processors
  • Data subject rights
  • Audit rights

Sub-Processors

We use these sub-processors:

Name       Purpose             Location
AWS        Infrastructure      Global
OpenAI     LLM processing      US
Pinecone   Vector database     US
Stripe     Payment processing  Global

List: Updated at legal.twig.so/subprocessors

Security Questionnaires

Need a security assessment?

  • Standard questionnaire: Auto-filled via Trust Center
  • Custom questionnaire: Email to security@twig.so
  • Typical turnaround: 3-5 business days

Audit & Reporting

Compliance Reports

Available reports:

  • SOC 2 Type II report
  • Penetration test results (annual)
  • Vulnerability scan results (quarterly)
  • Compliance certifications
  • Security whitepaper

Access: Contact compliance@twig.so

Regular Audits

Internal:

  • Quarterly security reviews
  • Monthly access audits
  • Weekly vulnerability scans

External:

  • Annual SOC 2 audit
  • Annual penetration testing
  • Quarterly compliance reviews

Audit Logs

All compliance-relevant activities are logged:

  • Data access
  • Configuration changes
  • User management
  • Permission modifications
  • Data exports/deletions
  • Security events

Retention: 7 years for compliance purposes

Your Compliance Obligations

As a Customer

When using Twig AI, you should:

✅ Provide Accurate Information

  • During registration
  • In data processing agreements

✅ Secure Your Account

  • Strong passwords
  • Enable MFA
  • Protect API keys

✅ Manage User Access

  • Review permissions regularly
  • Remove inactive users
  • Follow least privilege

✅ Monitor Usage

  • Review audit logs
  • Investigate anomalies
  • Report security incidents

✅ Understand Data Flows

  • Know what data you're uploading
  • Classify data appropriately
  • Apply proper controls

Data Subject Requests

Handling User Requests

When end-users request access to, correction of, or deletion of their data:

  1. Verify Identity: Confirm requestor identity
  2. Locate Data: Use search tools
  3. Fulfill Request:
    • Access: Export data
    • Deletion: Anonymize or delete
    • Correction: Update records
  4. Timeline: 30 days (GDPR), 45 days (CCPA)
  5. Document: Log request fulfillment

Tool Support:

Settings → Privacy → Data Subject Requests
→ Search by email
→ Generate report or delete

Automated DSR Processing

# Via API (the body is JSON, so the request declares that content type explicitly)
curl -X POST https://api.twig.so/api/privacy/dsr \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "type": "ACCESS",
    "email": "user@example.com",
    "verificationCode": "abc123"
  }'
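The following is an added example, not Twig AI's own code or API: a minimal in-process data subject request handler that walks the five steps listed above (verify identity, locate data, fulfil, track the statutory deadline, document) and builds the same JSON payload the curl call sends. The user records, the issued verification codes and the 30/45-day windows are constructed sample values; how Twig AI verifies codes or stores requests is not described on this page, so the constant-time code comparison and the anonymization-on-delete path are this example's own choices.

```python
"""Added example (not Twig AI's code): a data subject request (DSR) handler
following the five steps on this page. All records are constructed samples."""
from __future__ import annotations

import hashlib
import hmac
import json
from datetime import date, timedelta

# Statutory response windows quoted on the page: 30 days (GDPR), 45 days (CCPA).
DEADLINE_DAYS = {"GDPR": 30, "CCPA": 45}

# Constructed sample user store keyed by email (stands in for the real one).
USERS = {
    "user@example.com": {"email": "user@example.com", "name": "Sample User",
                         "tickets": ["T-1", "T-2"]},
}

# Constructed sample: one-time codes previously issued to requesters (hypothetical).
ISSUED_CODES = {"user@example.com": "abc123"}

# Step 5: every handled request is recorded here for the audit trail.
AUDIT_LOG: list[dict] = []


def verify_identity(email: str, code: str) -> bool:
    """Step 1: compare the presented code with the issued one in constant time,
    so a wrong code and an unknown email are rejected without timing leaks."""
    expected = ISSUED_CODES.get(email)
    return expected is not None and hmac.compare_digest(expected, code)


def locate(email: str) -> dict | None:
    """Step 2: find the data held for this subject."""
    return USERS.get(email)


def anonymize(record: dict) -> dict:
    """Deletion path: replace identifying fields with an irreversible hash so
    aggregate counts survive but the person can no longer be identified."""
    token = hashlib.sha256(record["email"].encode()).hexdigest()[:16]
    return {"email": f"anon-{token}", "name": None, "tickets": record["tickets"]}


def handle_dsr(req_type: str, email: str, code: str, regime: str,
               received: str, correction: dict | None = None) -> dict:
    """Steps 1-5 for an ACCESS, DELETE or CORRECT request.
    `received` is the ISO date the request arrived; the deadline is derived
    from the regime's statutory window."""
    if not verify_identity(email, code):
        return {"status": "REJECTED", "reason": "identity not verified"}
    received_on = date.fromisoformat(received)
    deadline = received_on + timedelta(days=DEADLINE_DAYS[regime])
    record = locate(email)
    if record is None:
        result = {"status": "NO_DATA"}
    elif req_type == "ACCESS":
        # Access: export everything held, as a stable JSON document.
        result = {"status": "FULFILLED", "export": json.dumps(record, sort_keys=True)}
    elif req_type == "DELETE":
        # Deletion: drop the identifiable record, keep an anonymized stub.
        anon = anonymize(USERS.pop(email))
        USERS[anon["email"]] = anon
        result = {"status": "FULFILLED"}
    elif req_type == "CORRECT":
        record.update(correction or {})
        result = {"status": "FULFILLED"}
    else:
        return {"status": "REJECTED", "reason": f"unknown type {req_type}"}
    result["deadline"] = deadline.isoformat()
    AUDIT_LOG.append({"type": req_type, "subject": email, "regime": regime,
                      "received": received, "deadline": result["deadline"],
                      "outcome": result["status"]})
    return result


def api_payload(req_type: str, email: str, code: str) -> str:
    """The JSON body shape used by the curl example on this page."""
    return json.dumps({"type": req_type, "email": email, "verificationCode": code})


if __name__ == "__main__":
    print(handle_dsr("ACCESS", "user@example.com", "abc123", "GDPR", "2026-01-25"))
    print(api_payload("ACCESS", "user@example.com", "abc123"))
```

The deadline is computed from the date the request was received, not the date it was verified, because the statutory clock starts on receipt; the audit record keeps both so a late response is visible in the log.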

Breach Notification

Our Process

If a breach occurs:

  1. < 1 hour: Detect and contain
  2. < 6 hours: Assess scope
  3. < 72 hours: Notify affected parties and authorities
  4. < 7 days: Publish incident report

What We Notify

  • What happened
  • What data was affected
  • What we've done
  • What you should do
  • How to contact us

Industry Best Practices

For Healthcare

  ✅ HIPAA BAA required
  ✅ Minimum necessary access
  ✅ Encrypted storage
  ✅ Audit trails
  ✅ Access controls
  ✅ Breach notification procedures

For Finance

  ✅ SOX controls
  ✅ GLBA safeguards
  ✅ Data integrity
  ✅ Audit trails
  ✅ Access reviews

For Education

  ✅ FERPA compliance
  ✅ COPPA for minors
  ✅ Student data protection
  ✅ Parental consent mechanisms

Compliance Checklist

Before deploying Twig AI:

  • Review privacy policy
  • Sign DPA (if required)
  • Configure data residency
  • Enable appropriate privacy controls
  • Train team on data handling
  • Set up audit logging
  • Define incident response plan
  • Document data flows
  • Classify data sensitivity
  • Configure retention policies
  • Enable MFA for admins
  • Review sub-processor list
  • Understand LLM provider usage
  • Set up breach notification contacts

Next Steps

Contact

Compliance Questions: compliance@twig.so
DPA Requests: legal@twig.so
Security Questions: security@twig.so

Last updated January 25, 2026