A control map, not a slogan.
Trust Services Criteria mapped across security, availability, and confidentiality. Report and audit-window statements are included only when current evidence is verified in the review packet.
Every datapoint carries who made it, who reviewed it, and under what rights. Contributor identities are verified and never pooled in one place. Bring the work, and the proof comes with it. That is the promise: bring the work, keep the proof, own the model.
Security, availability, and confidentiality controls mapped. Report and audit-window references require current verified evidence.
Administrative, technical, and physical safeguards scoped where the workflow touches PHI.
Processor-obligation posture, regional scope, and data-subject rights workflows are scoped during review.
The EU AI Act enforces training-data provenance in August 2026, and most teams still cannot validate or trace where their data came from. We can. Each card below jumps to the control map your reviewers will read, ISO 27001 included.
Administrative, technical, and physical safeguards mapped for in-scope protected health workflows. BAA scope is handled during procurement before PHI enters a workflow.
Processor-obligation posture, lawful-basis review, and data-subject rights workflow. Regional hosting and transfer terms are scoped by program.
When a competitor lost four terabytes — including who its workers were — pooled data and consumer-grade onboarding were the cause. We do the opposite. The control framework is not a marketing surface. These are the controls a security team actually checks.
Contributors are identity-verified, not onboarded like consumers. Their PII is separated by design and never pooled in one place — the opposite of the architecture that leaked four terabytes when a competitor was breached.
Encryption in transit and at rest. Key rotation, scope, and customer-managed keys are reviewed per deployment.
Least-privilege access for operators, reviewers, and administrators. Role-based permissions follow workflow ownership and release approvals. Enterprise identity available.
Security and workflow events live in one audit trail. Escalations, approvals, and review actions are captured as evidence another reviewer can inspect.
Documented procedures cover triage, scope, customer notification, and post-incident review. Responsible disclosure routes through the security contact in the review packet.
Retention and deletion are scoped at onboarding, with clear handling for uploaded data, evidence exports, and reviewer access.
The deep links from the compliance badges (#soc2, #hipaa, #gdpr) land on the sections below. Each entry states scope and obligations. ISO 27001 is not yet claimed; control mapping can be reviewed for ISO-driven markets on request.
SOC 2 controls cover how AuraOne runs the platform — who has access, how changes ship, and how incidents are handled. We do not assert formal attestation here. Report and audit-window references are shared only when current evidence is verified in the review packet.
AuraOne supports HIPAA-aligned deployments where the work includes protected health information. Safeguards are mapped to the HIPAA Security Rule and reviewed at onboarding.
The EU AI Act enforces training-data provenance requirements for high-risk systems in August 2026. Most teams cannot meet that requirement — 78% cannot validate their training data and 77% cannot trace where it came from. AuraOne attaches the rights to the data itself, so a signed chain of consent survives an employment-classification challenge and the audit.
The packet can include current controls maps, security review materials, subprocessor scope, DPA workflow, and BAA scope where applicable. For procurement, trust review, or responsible disclosure, reach the security contact through one channel. Bring the work. Keep the proof. Own the model.