OpenTrain AIFor AI Companies

Security & Compliance

Customers trust OpenTrain with the datasets they upload for labeling and annotation. We treat that as the foundation of the product. This page summarizes our security posture; the full detail — including our CAIQ-Lite self-assessment — lives at app.opentrain.ai/trust.

Compliance program

ProgramStatus
SOC 2 Type IIIn progress — controls implemented and continuously monitored in our GRC program, with weekly evidence collection building the audit history.
HIPAAHIPAA-ready — controls mapped to the HIPAA Security Rule safeguards; we sign Business Associate Agreements (BAA) for qualifying healthcare workloads.
GDPR / CCPASupported — Data Processing Addendum with Standard Contractual Clauses available; data-subject erasure with verifiable proof-of-deletion.

We keep our claims precise: SOC 2 is an auditor’s attestation and ours is in progress; there is no such thing as a government “HIPAA certification.” What we offer today is a transparent, continuously monitored security program — and the documents to prove it.

How your data is protected

  • Encryption everywhere — TLS 1.2+ in transit; AES-256 at rest for databases and object storage; envelope-encrypted secrets; encrypted backups.
  • Strict access control — role-based access, SSO/MFA for production access, quarterly access reviews, and annotators only ever see tasks assigned to them.
  • Controlled data handling — datasets rendered to annotators through short-lived signed URLs; restricted retention modes with a per-project, content-hashed data-handling attestation available via API.
  • Verifiable deletion — erasure produces a cryptographic proof-of-deletion record.
  • No foundation-model training — your datasets are never used to train third-party foundation models.
  • Monitored operations — centralized logging, real-time alerting, documented incident response, and tested disaster recovery.

Subprocessors

Vercel (hosting), Supabase (database & storage), Render (backend services), Cloudflare (CDN, DNS & security), Stripe (payments), Anthropic & OpenAI (LLM inference for platform features only), Intercom (support), GitHub (source & CI), Google Workspace (email), Sentry (error monitoring). The maintained list with purposes and locations is published at app.opentrain.ai/trust.

Request compliance documents

Under a mutual NDA we share our Data Processing Addendum, Business Associate Agreement, Security Overview, full CAIQ self-assessment, and security policies. Email security@opentrain.ai — we’ll send the NDA first, then the requested documents. Vulnerability reports go to the same address.