How we earn your trust.
Felarity processes some of the most sensitive conversations an organization has. These are the controls, the paperwork, and the cryptographic proof behind that responsibility.
Controls at a glance
Three layers do the work: what your data is wrapped in, who can reach it, and what we can prove after the fact. Each one is enforced by code, not policy.
Wrapped end to end
At rest: Fernet AES-128-CBC with HMAC-SHA256 authentication on every transcript, contradiction record, and audio chunk. Keys are workspace-scoped and rotated on a documented schedule.
In transit: TLS 1.3 only. HSTS preload. No mixed content. Internal service-to-service traffic is mutually authenticated.
Least privilege by default
Multi-factor authentication is required for every account. Single sign-on (Google Workspace, Microsoft Entra, Okta SAML) is available on Professional and Enterprise tiers.
Role-based workspace permissions separate viewers, analysts, and admins. Sessions expire. Tokens are revocable from the admin console.
Cryptographic, not aspirational
Every meeting closes with an 8-node SHA-256 Merkle attestation chain, signed with our Ed25519 organizational key. The result is a write-once, hash-linked ledger of what the system saw and what it concluded.
Any third party can verify a report against our published public key. We cannot rewrite history without it being mathematically obvious.
Compliance status — what's done, what's in progress, what isn't
We publish where we are, not where we want to be. Every row below states what's actually shipped, what's in flight with a specific deadline, and what is honestly aspirational. Procurement and security review teams reward this. We've found pretending hurts us at exactly the moment the relationship is most fragile.
| Framework | Status | What's true today |
|---|---|---|
| Cryptographic attestation | Live in production | Every Felarity session emits an Ed25519-signed 8-node SHA-256 Merkle chain. Public key is published at /.well-known/felarity-signing-key.pem. Server-side verifier at POST /api/verify. Browser-side verifier at /trust/attestation/verify/. Anyone with the chain JSON and the public key can verify offline without contacting us. |
| SOC 2 Type I | Prep in progress · target Q4 2026 | Controls inventory drafted internally. Have not yet engaged a controls-monitoring partner (Vanta / Drata / Secureframe) or a vCISO. Realistic Type I report timeline: 4-6 months from kickoff. We will not claim SOC 2 status before an auditor signs. |
| SOC 2 Type II | Roadmap · target Q2 2027 | Follows Type I plus a 6-month observation window. Not currently underway. |
| HIPAA | BAA drafted · not yet executed with any customer | Business Associate Agreement template is drafted. No customer has executed it yet. The technical controls a BAA requires — encryption at rest and in transit, audit logging, breach notification process, minimum-necessary — are implemented; the legal and operational program (workforce training records, business continuity tests, annual risk analysis) is partially complete. If you need a counter-signed BAA before processing PHI, write us and we will be straight about what we can sign before going live with you. |
| GDPR | Data processor · DPA template ready | We act as a data processor on behalf of customer-controllers. DPA template (including Standard Contractual Clauses for international transfers) is drafted at /trust/dpa/. No EU data hosting region today — all production data is in US-East. EU-resident customer data hosting is on the roadmap, not yet built. |
| CCPA / CPRA | Process documented · self-service in flight | We honor verified deletion and access requests via email to [email protected] within statutory windows. Self-service deletion from the admin console is built but has not been exercised by a real CCPA request yet. |
| ISO 27001 | Roadmap · post SOC 2 Type II | Not started. We will pursue this after SOC 2 Type II if customer demand justifies the additional cost. |
| Penetration testing | Not yet scheduled | No third-party penetration test has been conducted on the current production stack. We plan to schedule one before the SOC 2 Type II observation window closes. Internal threat modeling has been performed against the meeting-intake pipeline, the attestation chain, and the auth flows; notes available under NDA. |
| SAML SSO | Implemented | Per-workspace SAML 2.0 implementation via the OneLogin python3-saml toolkit. JIT user provisioning. Standard email + name attribute mapping. Single-logout supported. Configuration is a write-by-us-on-your-behalf operation today; self-service IdP onboarding UI is on the roadmap. |
| SCIM 2.0 provisioning | Implemented | Per-workspace bearer-token-scoped SCIM 2.0 endpoints for Users and Groups (GET/POST/PUT/PATCH/DELETE), plus ServiceProviderConfig and Schemas. Tested against Okta and Azure AD push patterns. |
| Status page | Domain reserved · not yet active | status.felarity.com is reserved on Cloudflare; the external probe set (BetterStack / Statuspage) hasn't been wired up yet. Until it is, contact [email protected] for outage updates. |
The attestation chain
Every Felarity report is accompanied by an eight-node Merkle tree whose leaves are SHA-256 hashes of the source artifacts: the audio segments, the diarization output, the transcript, the contradiction set, the NLI re-scoring, the topology analysis, the council synthesis, and the speaker attribution. The root of that tree is signed with our Ed25519 organizational key.
The practical consequence: a report is verifiable by any third party with our published public key. A regulator, an opposing counsel, or your own internal audit team can confirm that what they are looking at is exactly what the pipeline produced, untouched, on the date claimed.
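An offline verifier for the scheme described above, as an added example rather than Felarity's own code. The artifact names, the attestation JSON shape, the 0x00/0x01 hash prefixes, and signing the raw root bytes are all assumptions, since this page does not specify the chain format; the key pair is a throwaway one generated for the sample.

```javascript
// Added example: field names, JSON shape and the pairing rule are assumptions.
const nodeCrypto = require("node:crypto");

const ARTIFACTS = ["audio_segments", "diarization", "transcript", "contradiction_set",
  "nli_rescoring", "topology_analysis", "council_synthesis", "speaker_attribution"];

const sha256 = (buf) => nodeCrypto.createHash("sha256").update(buf).digest();

// Fold the eight leaf hashes pairwise (8 -> 4 -> 2 -> 1). Leaves and interior
// nodes get distinct prefixes (0x00 / 0x01) so one cannot be passed off as the other.
function merkleRoot(leafHashes) {
  if (leafHashes.length !== ARTIFACTS.length) throw new Error("expected eight leaves");
  let level = leafHashes.map((h) => sha256(Buffer.concat([Buffer.from([0]), h])));
  while (level.length > 1) {
    const next = [];
    for (let i = 0; i < level.length; i += 2)
      next.push(sha256(Buffer.concat([Buffer.from([1]), level[i], level[i + 1]])));
    level = next;
  }
  return level[0];
}

// Recompute every leaf from the artifact bytes the verifier holds, rebuild the
// root, then check the Ed25519 signature over that root. All three must agree.
function verifyReport(artifacts, attestation, publicKey) {
  if (ARTIFACTS.some((name) => !(name in artifacts))) return { ok: false, reason: "missing artifact" };
  const leaves = ARTIFACTS.map((name) => sha256(artifacts[name]));
  const mismatch = ARTIFACTS.filter((name, i) => leaves[i].toString("hex") !== attestation.leaves[name]);
  if (mismatch.length) return { ok: false, reason: "leaf mismatch: " + mismatch.join(",") };
  const root = merkleRoot(leaves);
  if (root.toString("hex") !== attestation.root) return { ok: false, reason: "root mismatch" };
  const sigOk = nodeCrypto.verify(null, root, publicKey, Buffer.from(attestation.signature, "base64"));
  return sigOk ? { ok: true, reason: "verified" } : { ok: false, reason: "bad signature" };
}

// Constructed sample data: a throwaway key pair stands in for the organizational key.
function makeSample() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ed25519");
  const artifacts = Object.fromEntries(ARTIFACTS.map((n) => [n, Buffer.from("sample " + n)]));
  const leaves = ARTIFACTS.map((n) => sha256(artifacts[n]));
  const root = merkleRoot(leaves);
  const attestation = {
    leaves: Object.fromEntries(ARTIFACTS.map((n, i) => [n, leaves[i].toString("hex")])),
    root: root.toString("hex"),
    signature: nodeCrypto.sign(null, root, privateKey).toString("base64"),
  };
  return { artifacts, attestation, publicKey };
}
```

The signature check is what stops a consistent rewrite: someone who edits an artifact and recomputes the leaves and root still cannot produce a valid signature without the private key.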
Subprocessors
We use a small, deliberate set of subprocessors for hosting, payments, and email. The full list — with purpose, location, and DPA links — is maintained on a dedicated page and is updated when the list changes. We give 30 days' notice before adding a new subprocessor that handles customer content.
Get the paperwork
Procurement, legal, and security review teams can pull the documents they need without a sales call.
Data Processing Addendum
Our DPA, including Standard Contractual Clauses for international transfers. Counter-signed copies returned within two business days.
Request DPA
Business Associate Agreement
HIPAA BAA for Professional and Enterprise customers processing PHI. Includes breach notification and minimum-necessary commitments.
Request BAA
Security overview
Architecture diagrams, control mappings, encryption details, and the current SOC 2 controls matrix under NDA.
Security details
Report a vulnerability
We run a coordinated disclosure program for security researchers. Reports are acknowledged within two business days, triaged within five, and credited in our hall of fame when the reporter consents. We do not pursue legal action against researchers who follow the program in good faith.
Status
Status page is reserved at status.felarity.com but the external probe set is not yet wired up. Until it is, real-time outage notification routes through [email protected]. We post initial acknowledgement of any user-facing incident within 15 minutes of detection.