Trust report
Everything a security team needs to finish their review without picking up the phone. If something's missing, email security@yourdomain.tld and we'll add it.
Last updated March 2026
Certifications
| Certification | Status | Issued | Auditor |
|---|---|---|---|
| SOC 2 Type II | Active | Mar 2026 | REPLACE_ME (audit firm) |
| GDPR | Compliant | - | REPLACE_ME (counsel) |
| HIPAA (BAA available) | Available | - | - |
| ISO 27001 | In audit | Expected Q3 2026 | REPLACE_ME (audit firm) |
Sub-processors
The list below is current as of the "Last updated" date at the top of this page. New sub-processors are announced via email to every workspace admin at least thirty days before activation.
| Name | Purpose | Region |
|---|---|---|
| AWS | Primary cloud infrastructure | eu-central-1, us-east-1 |
| Cloudflare | Edge CDN, WAF, DDoS protection | Global |
| Stripe | Payment processing | US, EU |
| Postmark | Transactional email delivery | US |
| Sentry | Error monitoring | EU |
| Linear | Support ticketing (agent-facing only) | US |
Incidents
Our status page at status.yourdomain.tld logs every incident with a five-why root-cause write-up within five business days of resolution. Post-mortems remain public indefinitely.
Pen tests
Halvert engages a third-party firm for annual penetration testing. Executive summaries are available under NDA. The most recent engagement found one low-severity finding, remediated within seventy-two hours.
Need the full report packet?
SOC 2 Type II, pen-test summary, questionnaire answers. Available under mutual NDA.
Email security@yourdomain.tld