Security, privacy, and
responsible-AI, on record.
Enterprise clients ask us four questions before every engagement: where does the data live, who can touch it, what does the AI do with it, and how do we prove it later. This page is our answer.
Independently audited. Available under NDA.
SOC 2 Type II
Annual audit of security, availability, confidentiality, and processing integrity by a Big-Four accountant. Report available under NDA.
ISO 27001
Information security management system certified against ISO/IEC 27001:2022. Scope covers Headify delivery hubs in Phoenix, London, and Pune.
GDPR & DPDP
GDPR (EU/UK) and DPDP (India) compliant data-processing terms available as standard. Standard Contractual Clauses on request.
HIPAA-aware delivery
For healthcare engagements we operate under a Business Associate Agreement and deploy inside client-controlled HIPAA-covered environments.
Latest audit reports and control mappings are available under NDA. Write to security@headify.com and we'll share within one business day.
Four principles we don't negotiate on.
01
Client data stays in the client tenancy by default.
Model access happens through the client's own OpenAI, Anthropic, or Azure OpenAI account. Retrieval indexes stay in the client's cloud. Nothing about the client's data crosses into Headify unless you explicitly asked us to.
02
Access is scoped, logged, and reviewed.
Every practitioner on an engagement has an IAM role scoped to what the SoW requires. Access is logged, reviewed quarterly, and revoked the day the engagement closes.
03
AI outputs are grounded and cited.
Where we generate content on your data — audit responses, policies, knowledge answers — the output carries a citation into the source passage. Uncited claims are a system-level refusal, not a policy request.
04
Sub-processors are named and gated.
Every sub-processor we use appears on a list you can review before signing an SoW. Adding a sub-processor mid-engagement requires explicit client notice, not a footnote in the DPA.
What AI-first means from the compliance side of the desk.
- We do not train models on client data. Neither do the model providers we route through — we contract for zero-retention and no-training terms on every route.
- Where clients ask, we ship on-premise or air-gapped model deployments (Azure OpenAI in a client tenant, self-hosted Llama or Mistral in a client cluster).
- Every generation surface we ship carries a way for the reviewer to see what the model was grounded on. Uncited outputs are treated as a defect, not an inconvenience.
- We run continuous evaluation on shipped generation surfaces and share the results with client AI-platform owners on a scheduled cadence.
- We flag when a use case is a bad fit for AI. The point of an AI-first firm is not to sell AI where it doesn't belong.
Report a vulnerability.
If you believe you've found a security issue in headify.in or in a Headify-delivered system, write to security@headify.com with a clear description and reproduction steps.
We commit to acknowledging your report within one business day and giving you a substantive read within seven. We do not take legal action against good-faith researchers who comply with this policy.
Bring your vendor security questionnaire.
Book a call and we'll walk your security team through our controls, sub-processor list, and DPA the same day. NDA in five minutes.
or email contact@headify.com
