Compliance & Security

Enterprise-grade certifications and standards that power BizOS

Last updated: April 14, 2026

1. Overview

BizOS is committed to maintaining the highest standards of security, privacy, and regulatory compliance. We undergo regular third-party audits and certifications to ensure our AI agent platform meets the rigorous requirements of enterprise customers across industries.

This page outlines the compliance frameworks, security standards, and industry-specific regulations we adhere to.

2. SOC 2 Type II Attestation

✓ SOC 2 Type II attestation report issued (SOC 2 is an independent auditor's attestation report rather than a certification)

Audit Period: January 1, 2025 – December 31, 2025

Auditor: [Independent CPA Firm]

Next Audit: Q4 2026

2.1 Trust Service Criteria

BizOS's SOC 2 Type II report covers all five Trust Service Criteria:

  • Security: Protection against unauthorized access (physical and logical). Includes firewalls, intrusion detection, access controls, and MFA.
  • Availability: System uptime and operational performance. We maintain a 99.9% uptime SLA on the Premium plan (see Section 8.1 for per-plan targets) with redundant infrastructure and automated failover.
  • Processing Integrity: Data is processed completely, accurately, and in a timely manner. AI agent responses are logged, auditable, and subject to human-in-the-loop (HITL) review.
  • Confidentiality: Information designated as confidential is protected per commitments. Customer data is encrypted at rest (AES-256) and in transit (TLS 1.3).
  • Privacy: Personal information is collected, used, retained, and disclosed in conformity with our Privacy Policy and applicable law (GDPR, CCPA).

2.2 Requesting SOC 2 Reports

Premium and Enterprise customers can request a copy of our SOC 2 Type II report:

  • Email [email protected] with "SOC 2 Report Request" in the subject line
  • Provide proof of active BizOS subscription (Premium or Enterprise plan)
  • Sign a Non-Disclosure Agreement (NDA) to receive the report
  • Reports are delivered via secure link within 3 business days

3. GDPR & Data Privacy Compliance

✓ GDPR Compliant – Regulation (EU) 2016/679

Applicable to all EU/EEA customers and data subjects

See our GDPR Compliance Page for details

3.1 Key GDPR Measures

  • Data Processing Agreement (DPA): Incorporates the Standard Contractual Clauses (SCCs) for transfers of personal data outside the EU/EEA
  • Data Protection Officer (DPO): Appointed and contactable at [email protected]
  • Data Subject Rights: Self-service tools for access, rectification, erasure, and portability
  • Breach Notification: Affected customers (controllers) are notified without undue delay, and in any event within 72 hours, so they can meet the Article 33 deadline for notifying supervisory authorities; where BizOS itself acts as controller, it notifies the supervisory authority within 72 hours
  • Records of Processing Activities (RoPA): Maintained per Article 30

3.2 Other Privacy Regulations

✓ CCPA / CPRA (California)

California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). "Do Not Sell or Share My Personal Information" requests are honored.

✓ UK GDPR

Post-Brexit UK data protection compliance, using the ICO's International Data Transfer Addendum (UK Addendum) to the EU SCCs.

✓ Swiss FADP

Compliance with the revised Swiss Federal Act on Data Protection (FADP) for Swiss customers.

✓ PIPEDA (Canada)

Personal Information Protection and Electronic Documents Act compliance.

4. Security Standards & Best Practices

4.1 ISO 27001 (Planned - Q3 2026)

BizOS is pursuing ISO/IEC 27001:2022 certification for Information Security Management Systems (ISMS). Expected audit completion: Q3 2026.

4.2 OWASP Top 10

Our development practices address all ten categories of the OWASP Top 10 (2021):

  • A01 Broken Access Control → RBAC with least-privilege principles
  • A02 Cryptographic Failures → AES-256 encryption, TLS 1.3, secure key management
  • A03 Injection → Parameterized queries, input validation, sanitization
  • A04 Insecure Design → Threat modeling, security design reviews
  • A05 Security Misconfiguration → Automated config scanning, hardened defaults
  • A06 Vulnerable and Outdated Components → Dependency scanning (Snyk), regular patching
  • A07 Identification and Authentication Failures → MFA enforcement, password policies, session management
  • A08 Software and Data Integrity Failures → Code signing, integrity checks
  • A09 Security Logging and Monitoring Failures → Centralized logging (Splunk), real-time alerts
  • A10 Server-Side Request Forgery (SSRF) → Request validation, allowlist-based URL filtering
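The SSRF bullet above names allowlist-based URL filtering without showing what a sound filter has to do. The Python below is an added example written for this page, not BizOS code: the allowlisted hosts, the port and scheme policy, and the canned DNS answers are all constructed assumptions. It shows the checks that matter in practice: exact host matching (not substring), rejection of embedded credentials, resolving the name once and checking every returned address against private, loopback, link-local and IPv4-mapped ranges, and pinning the checked addresses so the later connection cannot be rebound.

```python
"""Allowlist-based outbound URL filter for an agent that fetches URLs on behalf
of users (an SSRF guard).  Added example, not BizOS code: the allowlist hosts
and the canned DNS answers below are constructed for the demonstration."""
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical allowlist of hosts an agent may contact (assumption).
ALLOWED_HOSTS = frozenset({"api.example.com", "hooks.example.com"})
ALLOWED_SCHEMES = frozenset({"https"})
ALLOWED_PORTS = frozenset({443})


class UnsafeURL(ValueError):
    """Raised when a URL fails any allowlist or address check."""


def is_public_ip(ip: str) -> bool:
    """True only for globally routable unicast addresses.  IPv4-mapped IPv6
    (::ffff:10.0.0.1) is unwrapped first so it cannot smuggle a private IPv4."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    # is_global already excludes loopback, link-local (169.254/16, fe80::/10),
    # RFC 1918, CGNAT and documentation ranges; multicast is excluded explicitly.
    return addr.is_global and not addr.is_multicast


def resolve_safe_target(url: str, resolver=socket.getaddrinfo):
    """Validate `url` against the allowlist and return (host, port, ips).

    The caller must connect to one of the returned, pre-checked IPs (sending
    `host` as Host/SNI) rather than resolving again, so the DNS answer cannot
    change between check and use (DNS rebinding).  Redirect targets must be
    passed back through this function before they are followed."""
    try:
        parts = urlsplit(url)
        port = parts.port or 443          # raises ValueError on a malformed port
    except ValueError as exc:
        raise UnsafeURL(f"malformed URL: {exc}") from exc

    if parts.scheme not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        # "https://api.example.com@evil.example/" parses the allowlisted name as a
        # username; reject credentials outright rather than reasoning about them.
        raise UnsafeURL("credentials in URL are not allowed")
    host = (parts.hostname or "").rstrip(".").lower()
    if host not in ALLOWED_HOSTS:         # exact match; no suffix/substring matching
        raise UnsafeURL(f"host not on allowlist: {host!r}")
    if port not in ALLOWED_PORTS:
        raise UnsafeURL(f"port not allowed: {port}")

    # Resolve once, check every answer, and pin the result for the connection.
    infos = resolver(host, port, type=socket.SOCK_STREAM)
    ips = sorted({info[4][0] for info in infos})
    if not ips:
        raise UnsafeURL(f"{host!r} did not resolve")
    for ip in ips:
        if not is_public_ip(ip):
            raise UnsafeURL(f"{host!r} resolves to non-public address {ip}")
    return host, port, ips


# Constructed DNS answers so the example runs offline (assumption, not real data):
# hooks.example.com is made to resolve to an internal address, as a rebound or
# attacker-controlled record would.
_CANNED_DNS = {
    "api.example.com": ["93.184.216.34"],
    "hooks.example.com": ["10.0.0.5"],
}


def canned_resolver(host, port, type=socket.SOCK_STREAM):
    """Stand-in for socket.getaddrinfo that returns the canned answers above."""
    return [(socket.AF_INET, type, socket.IPPROTO_TCP, "", (ip, port))
            for ip in _CANNED_DNS.get(host, [])]


def check_urls(urls, resolver=canned_resolver):
    """Run the guard over a batch of URLs; returns {url: 'ok' or rejection reason}."""
    results = {}
    for url in urls:
        try:
            resolve_safe_target(url, resolver=resolver)
            results[url] = "ok"
        except UnsafeURL as exc:
            results[url] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    sample = [
        "https://api.example.com/v1/orders",
        "http://api.example.com/v1/orders",            # wrong scheme
        "https://api.example.com@evil.example/",       # credentials trick
        "https://169.254.169.254/latest/meta-data/",   # cloud metadata endpoint
        "https://api.example.com:8080/",               # port not allowed
        "https://hooks.example.com/callback",          # resolves to 10.0.0.5
    ]
    for url, verdict in check_urls(sample).items():
        print(f"{verdict:<60} {url}")
```

Two design points are worth noting. First, the filter resolves the name itself and returns the checked addresses; an HTTP client that re-resolves at connect time reintroduces the rebinding window, so the real fetch should be made to one of the returned IPs with the hostname supplied for SNI and the Host header. Second, redirects are the usual bypass: an allowlisted host that 302s to an internal address defeats a filter applied only to the initial URL, so each redirect target must go through the same function before it is followed.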

4.3 Penetration Testing

BizOS undergoes regular security assessments:

  • External Pentests: Quarterly by third-party firms (latest: March 2026)
  • Internal Pentests: Twice-yearly red team exercises
  • Bug Bounty Program: HackerOne-managed program for responsible disclosure
  • Findings Remediation: Critical issues patched within 24 hours; High within 7 days

4.4 Vulnerability Management

Tools: Snyk (dependency scanning), Qualys (infrastructure scanning), Burp Suite (web app testing)

Patch Schedule: Critical OS patches within 48 hours; application dependencies within 14 days

CVE Monitoring: Automated alerts for newly disclosed vulnerabilities affecting our stack

5. Industry-Specific Compliance

5.1 HIPAA (Healthcare - Enterprise Add-On)

For healthcare customers processing Protected Health Information (PHI):

HIPAA Business Associate Agreement (BAA)

Available for Enterprise customers upon request

Requirements: Enterprise plan, signed BAA, PHI addendum to DPA

Safeguards: Encrypted PHI storage, access audit logs, breach notification procedures

Contact: [email protected] for BAA requests

Note: Standard and Premium plans are NOT HIPAA-compliant. Do not process PHI without a signed BAA.

5.2 PCI DSS (Payment Card Industry)

BizOS does NOT directly process, store, or transmit credit card data. All payment processing is handled by PCI DSS Level 1 certified providers:

  • Stripe: PCI DSS Level 1 Service Provider (for customer billing)
  • Payment Agents: Mark (Billing & Payments Agent) uses tokenized payment methods via Stripe API — no raw card data touches BizOS servers

BizOS customers using Mark for payment collection inherit Stripe's PCI DSS scope for card data handling. Customers remain responsible for their own PCI DSS obligations (typically the reduced SAQ A scope that applies when card data is captured only through Stripe-hosted payment pages or elements); no additional certification of BizOS itself is required.

5.3 FERPA (Education - Planned)

For educational institutions subject to the Family Educational Rights and Privacy Act:

  • Status: FERPA compliance framework in development (ETA: Q2 2027)
  • Use Case: Universities using BizOS agents for student admissions, advising, or support
  • Waitlist: Email [email protected] to join FERPA compliance pilot

5.4 FINRA / SEC (Financial Services - Enterprise)

For financial services firms with regulatory recordkeeping requirements:

Communication Archiving: All AI agent conversations can be archived to WORM (Write-Once-Read-Many) storage per SEC Rule 17a-4

Supervision: HITL approval workflows for financial advice or transaction execution

Retention: Configurable retention policies (3-7 years as required by FINRA)

Available on Enterprise plans. Contact [email protected] for details.

6. Infrastructure & Operations Security

6.1 Cloud Infrastructure

Amazon Web Services (AWS)

Primary infrastructure provider

Certifications: SOC 1/2/3, ISO 27001, PCI DSS Level 1

Regions: us-east-1 (primary), eu-central-1 (opt-in)

Google Cloud Platform (GCP)

AI/ML model training and inference

Certifications: SOC 2/3, ISO 27001, ISO 27017/27018

Regions: us-central1

6.2 Data Encryption

  • At Rest: AES-256 encryption for all databases, file storage, and backups
  • In Transit: TLS 1.3 for all API and web traffic; TLS 1.2 is the minimum version accepted and older protocol versions are refused
  • Key Management: AWS KMS and GCP Cloud KMS with customer-managed keys (Enterprise)
  • Database Encryption: Transparent Data Encryption (TDE) enabled on all RDS and Cloud SQL instances

6.3 Network Security

  • Firewalls: AWS Security Groups and Network ACLs with default-deny rules
  • DDoS Protection: AWS Shield Standard (all customers) + AWS Shield Advanced (Enterprise)
  • WAF: AWS WAF with OWASP ModSecurity Core Rule Set
  • VPC Isolation: Customer data isolated in dedicated Virtual Private Clouds

6.4 Access Controls

  • Employee Access: Role-Based Access Control (RBAC), least-privilege principles
  • Multi-Factor Authentication: Mandatory for all employees (YubiKey hardware tokens)
  • Production Access: Just-In-Time (JIT) access via bastion hosts, logged and audited
  • Customer Access: SSO available (SAML 2.0, OIDC) for Enterprise customers

6.5 Monitoring & Incident Response

24/7 SOC: Security Operations Center monitoring for threats and anomalies

SIEM: Centralized logging and correlation (Splunk Enterprise Security)

Incident Response Plan: Documented procedures with 4-hour containment SLA

Tabletop Exercises: Quarterly incident response drills

Security Hotline: [email protected] | +1 (555) 789-SECURITY (24/7)

7. AI & Machine Learning Governance

7.1 Responsible AI Principles

BizOS is committed to ethical AI development and deployment:

  • Transparency: Customers are informed when interacting with AI agents (disclosure requirements)
  • Human Oversight: HITL (Human-in-the-Loop) controls for sensitive decisions
  • Bias Mitigation: Regular audits of training data and model outputs for fairness
  • Explainability: AI decisions can be explained and reviewed by human supervisors
  • Accountability: Clear escalation paths for AI errors or unintended behavior

7.2 Training Data Governance

  • Opt-In Model Training: Customer conversations are NOT used for model improvement without explicit consent
  • Data Minimization: Only necessary data is used for training; PII is anonymized or excluded
  • Third-Party Models: We use Anthropic's Claude models, which respect data separation (customer data does NOT train base models)

7.3 AI Limitations & Risks

BizOS agents are powered by Large Language Models (LLMs) with known limitations:

Hallucinations: AI may generate plausible but incorrect information. Critical decisions require human verification.

Context Windows: Very long conversations may lose earlier context. HITL alerts for extended threads.

Adversarial Prompts: Users, or content an agent reads, may attempt prompt injection. We employ input filtering and guardrails; because no filter catches every injection, consequential agent actions remain subject to HITL approval (see 7.1).

No Legal Advice: AI agents do not provide legal, financial, or medical advice unless explicitly configured (and customers assume liability).

8. Business Continuity & Disaster Recovery

8.1 Uptime SLA

Standard Plan: 99.5% uptime (best effort)

Premium Plan: 99.9% uptime (financially backed SLA)

Enterprise Plan: 99.95% uptime + priority support

Downtime credits available per Terms of Service. See SLA details.

8.2 Redundancy & Failover

  • Multi-AZ Deployment: Infrastructure spans multiple AWS Availability Zones
  • Automated Failover: Database failover in under 2 minutes via AWS RDS Multi-AZ
  • Load Balancing: Elastic Load Balancers distribute traffic across healthy instances
  • Geographic Redundancy: Enterprise customers can opt for multi-region deployment

8.3 Backup & Recovery

  • Database Backups: Automated daily backups with 30-day retention; point-in-time recovery available
  • File Storage Backups: Cross-region replication for customer uploads and conversation logs
  • Recovery Time Objective (RTO): <4 hours for full service restoration
  • Recovery Point Objective (RPO): <15 minutes of data loss (via continuous database replication)

8.4 Disaster Recovery Testing

BizOS conducts disaster recovery drills twice annually to validate our BC/DR plan. Last test: February 2026 (successful failover to DR region in 3.2 hours).

9. Third-Party Risk Management

All sub-processors and vendors undergo security due diligence before onboarding:

9.1 Vendor Assessment Process

  • Security Questionnaires: All vendors complete standardized security assessments
  • Compliance Verification: SOC 2 reports and certifications reviewed annually
  • Data Processing Agreements: All vendors sign DPAs with equivalent security obligations
  • Continuous Monitoring: Vendor security posture tracked via SecurityScorecard

9.2 Current Sub-processors

See our Data Processing Agreement for the complete and up-to-date list of sub-processors, including:

  • Amazon Web Services (AWS) – Infrastructure
  • Google Cloud Platform (GCP) – AI/ML
  • Anthropic – Large Language Models
  • Twilio – SMS and WhatsApp
  • SendGrid – Email delivery
  • Stripe – Payment processing

Customers are notified 30 days in advance of new sub-processor onboarding and may object per DPA terms.

10. Compliance Reporting & Audits

10.1 Customer Audit Rights

Premium and Enterprise customers have the right to audit BizOS's compliance with security and privacy commitments:

  • Document Review: Request policies, procedures, and audit reports (via NDA)
  • Questionnaires: We complete security questionnaires within 15 business days
  • Third-Party Audits: Enterprise customers may conduct on-site audits once per year (30 days' notice, at customer's expense)

Audits must be conducted by qualified third-party auditors and cannot disrupt business operations or compromise other customers' data.

10.2 Compliance Documentation

Available upon request (contact [email protected]):

  • SOC 2 Type II Report (requires NDA, Premium/Enterprise only)
  • Standard Contractual Clauses (SCCs) for international data transfers
  • Data Processing Agreement (DPA) template
  • Business Associate Agreement (BAA) for HIPAA (Enterprise only)
  • Security white papers and architecture diagrams (Enterprise only)

10.3 Regulatory Examinations

BizOS cooperates with regulatory examinations and audits from:

  • EU/EEA Data Protection Authorities (DPAs)
  • UK Information Commissioner's Office (ICO)
  • California Attorney General (CCPA enforcement)
  • Industry-specific regulators (FINRA, SEC, state insurance departments, etc.)

Customers will be notified if a regulatory examination affects their data, subject to confidentiality restrictions.

11. Continuous Improvement

BizOS maintains a culture of continuous security and compliance improvement:

  • Annual Reviews: All policies and procedures reviewed and updated yearly
  • Security Training: Mandatory annual training for all employees on GDPR, security, and incident response
  • Threat Intelligence: Subscription to threat feeds and vulnerability databases
  • Industry Engagement: Active participation in security conferences and working groups
  • Customer Feedback: Security and compliance roadmap informed by customer requirements

Upcoming Certifications:

  • ISO 27001 (Q3 2026)
  • ISO 27701 Privacy Information Management (Q1 2027)
  • FERPA Compliance Framework (Q2 2027)

12. Data Processing Agreement (DPA)

This Data Processing Agreement ("DPA") forms part of the Terms of Service between BizOS, Inc. ("BizOS," "Processor") and Customer ("Controller") and governs the processing of Personal Data in connection with the BizOS Services.

12.1 Definitions

Personal Data: Any information relating to an identified or identifiable natural person processed through BizOS AI agents.

Controller: The customer entity that determines the purposes and means of processing Personal Data.

Processor: BizOS, Inc., which processes Personal Data on behalf of the Controller.

Sub-processor: Third-party service providers engaged by BizOS to process Personal Data.

12.2 Data Processing Terms

  • Processing Purpose: BizOS processes Personal Data solely to provide the Services as instructed by Customer
  • Data Types: Contact information, conversation history, appointment data, payment information (tokenized)
  • Data Subjects: Customer's leads, clients, employees, and end users
  • Processing Location: AWS us-east-1 (primary); eu-central-1 available for EU customers
  • Retention: Data retained for duration of subscription + 30 days; customer can request deletion anytime

12.3 Standard Contractual Clauses (SCCs)

For international data transfers from EU/EEA to the United States, BizOS relies on the European Commission's Standard Contractual Clauses (Module 2: Controller-to-Processor).

SCC Version: 2021/914 (adopted June 4, 2021)

Transfer Mechanism: Module 2 (Controller to Processor)

Docking Clause: Enabled (Clause 7) so that additional parties can accede to the SCCs later

Supplementary Measures: Encryption, access controls, limited data access

12.4 Sub-processors

BizOS engages the following sub-processors. Customers are notified 30 days in advance of changes:

  • AWS (US) - Infrastructure hosting
  • GCP (US) - AI/ML processing
  • Anthropic (US) - Large Language Models
  • Twilio (US) - SMS/WhatsApp delivery
  • SendGrid (US) - Email delivery
  • Stripe (US) - Payment processing

All sub-processors have executed DPAs with BizOS and maintain SOC 2 or equivalent certifications.

12.5 Data Subject Rights

BizOS provides tools for customers to fulfill data subject requests:

  • Right of Access: Export all data via dashboard or API
  • Right to Rectification: Edit records directly in BizOS interface
  • Right to Erasure: Delete contacts and conversation history with one click
  • Right to Data Portability: Export in JSON or CSV format
  • Right to Object: Opt-out mechanisms for marketing communications

For assistance with data subject requests, contact [email protected]

12.6 Security Breach Notification

BizOS will notify Customer without undue delay (and in any event within 72 hours) upon becoming aware of a Personal Data breach affecting Customer Data. Notification will include:

  • Nature of the breach and data categories affected
  • Likely consequences and mitigation measures taken
  • Contact point for further information

13. Cookie Policy

BizOS uses cookies and similar tracking technologies on our website (trybizos.com) and within the BizOS platform to enhance your experience, analyze usage, and improve our AI agent services.

13.1 What Are Cookies?

Cookies are small text files stored on your device when you visit a website. They help websites remember information about your visit, such as your preferences, login status, and browsing behavior.

13.2 Types of Cookies We Use

Essential Cookies

Required for the website to function. Enable login, session management, and security features.

Examples: session_id, csrf_token

Performance Cookies

Collect information about how visitors use our website (page views, errors, load times).

Examples: Google Analytics _ga, _gid

Functionality Cookies

Remember your preferences (language, region, theme settings).

Examples: theme_preference, language

Targeting/Advertising Cookies

Track your browsing to deliver relevant ads. Used for remarketing campaigns.

Examples: Google Ads _gcl_au, LinkedIn li_sugr

13.3 Third-Party Cookies

We use the following third-party services that may set cookies:

  • Google Analytics: Website usage statistics (anonymized IP)
  • Google Ads: Remarketing and conversion tracking
  • LinkedIn Insight Tag: B2B audience analytics
  • Intercom: Customer support chat widget

13.4 Managing Cookie Preferences

You can control cookies through:

  • Cookie Banner: Manage preferences via the banner on your first visit
  • Browser Settings: Block or delete cookies in your browser preferences
  • Opt-Out Tools: Use browser extensions like Privacy Badger or uBlock Origin
  • Do Not Track: We honor DNT browser signals for non-essential cookies

Note: Disabling essential cookies may prevent you from using certain features of the website.

13.5 Cookie Retention

Session Cookies: Deleted when you close your browser

Persistent Cookies: Remain for a set period (typically 30-365 days)

Analytics Cookies: 24 months (Google Analytics default)

13.6 Updates to Cookie Policy

We may update this Cookie Policy to reflect changes in technology or legal requirements. Changes are effective immediately upon posting. Continued use of the website constitutes acceptance.

Last updated: April 15, 2026

Compliance & Security Inquiries

For questions about our compliance posture, security practices, or to request audit reports:

Compliance Team: [email protected]

Security Team: [email protected]

Data Protection Officer: [email protected]

HIPAA Inquiries: [email protected]

Response time: 2-3 business days for general inquiries; 24 hours for urgent security matters