Compliance

SOC 2 Type II Readiness

Shabe AI is built on SOC 2 Type II certified infrastructure and follows SOC 2 principles in our operations:

Trust Service Principles

• Security: Multi-layered security controls including encryption, access controls, monitoring, and incident response
• Availability: 99.9% uptime SLA, redundant infrastructure, automated failover, and disaster recovery procedures
• Processing Integrity: Data validation, error handling, and monitoring to ensure accurate data processing
• Confidentiality: Encryption, access controls, and confidentiality agreements to protect sensitive information
• Privacy: Privacy controls aligned with GDPR, CCPA, and other privacy regulations

Infrastructure Partners (SOC 2 Certified)

• • Vercel: SOC 2 Type II certified hosting
• • Convex: SOC 2 Type II certified database
• • Clerk: SOC 2 certified authentication
• • OpenAI: SOC 2 Type II certified AI processing

Shabe AI is currently in the process of obtaining SOC 2 Type II certification. Expected completion: Q2 2026. Contact us for our SOC 2 readiness report.

GDPR Compliance (EU)

Shabe AI is fully compliant with the General Data Protection Regulation (GDPR) for customers in the European Union:

Lawful Basis for Processing

• Contract Performance: Processing necessary to provide the Service you've subscribed to
• Legitimate Interests: Service improvement, security, and fraud prevention
• Consent: Marketing communications and optional features (revocable at any time)

Data Subject Rights

We support all GDPR data subject rights:

• • Right to Access: Request a copy of your personal data
• • Right to Rectification: Correct inaccurate data
• • Right to Erasure: Request deletion of your data ("right to be forgotten")
• • Right to Restrict Processing: Limit how we use your data
• • Right to Data Portability: Receive data in machine-readable format
• • Right to Object: Object to processing based on legitimate interests
• • Right to Withdraw Consent: Withdraw consent at any time

International Data Transfers

• Standard Contractual Clauses (SCCs): Approved by the European Commission for data transfers
• Data Processing Agreement (DPA): Available to all EU customers
• Privacy Shield Alternative: Appropriate safeguards for US-EU data transfers

Data Protection Officer

For GDPR inquiries, contact our Data Protection Officer at dpo@shabe.ai

CCPA Compliance (California)

Shabe AI complies with the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

Consumer Rights

• Right to Know: What personal information we collect, use, disclose, and sell
• Right to Delete: Request deletion of your personal information
• Right to Opt-Out: Opt-out of the sale of personal information (we do not sell your data)
• Right to Non-Discrimination: No discrimination for exercising your privacy rights
• Right to Correct: Request correction of inaccurate personal information
• Right to Limit: Limit use and disclosure of sensitive personal information

HIPAA Readiness

While Shabe AI is not currently HIPAA certified, our infrastructure and security controls are designed to support HIPAA requirements for healthcare customers:

HIPAA-Ready Infrastructure

• Encryption: End-to-end encryption of PHI (Protected Health Information)
• Access Controls: Role-based access and audit logging
• Business Associate Agreement (BAA): Available for Enterprise customers
• Breach Notification: Procedures in place for HIPAA breach notification requirements

HIPAA certification expected: Q3 2026. Contact compliance@shabe.ai for our HIPAA readiness assessment.

ISO 27001 Readiness

Shabe AI follows ISO 27001 best practices for Information Security Management:

• ISMS Framework: Comprehensive Information Security Management System
• Risk Assessment: Regular security risk assessments and mitigation
• Security Controls: Comprehensive security controls covering all ISO 27001 domains
• Continuous Improvement: Regular audits and continuous security improvements

ISO 27001 certification planned for Q4 2026.