Security & Compliance
Customers trust OpenTrain with the datasets they upload for labeling and annotation. We treat that as the foundation of the product. This page summarizes our security posture; the full detail — including our CAIQ-Lite self-assessment — lives at app.opentrain.ai/trust.
Compliance program
| Program | Status |
|---|---|
| SOC 2 Type II | In progress — controls implemented and continuously monitored in our GRC program, with weekly evidence collection building the audit history. |
| HIPAA | HIPAA-ready — controls mapped to the HIPAA Security Rule safeguards; we sign Business Associate Agreements (BAA) for qualifying healthcare workloads. |
| GDPR / CCPA | Supported — Data Processing Addendum with Standard Contractual Clauses available; data-subject erasure with verifiable proof-of-deletion. |
We keep our claims precise: SOC 2 is an auditor’s attestation and ours is in progress; there is no such thing as a government “HIPAA certification.” What we offer today is a transparent, continuously monitored security program — and the documents to prove it.
How your data is protected
- Encryption everywhere — TLS 1.2+ in transit; AES-256 at rest for databases and object storage; envelope-encrypted secrets; encrypted backups.
- Strict access control — role-based access, SSO/MFA for production access, quarterly access reviews, and annotators only ever see tasks assigned to them.
- Controlled data handling — datasets rendered to annotators through short-lived signed URLs; restricted retention modes with a per-project, content-hashed data-handling attestation available via API.
- Verifiable deletion — erasure produces a cryptographic proof-of-deletion record.
- No foundation-model training — your datasets are never used to train third-party foundation models.
- Monitored operations — centralized logging, real-time alerting, documented incident response, and tested disaster recovery.
Subprocessors
Vercel (hosting), Supabase (database & storage), Render (backend services), Cloudflare (CDN, DNS & security), Stripe (payments), Anthropic & OpenAI (LLM inference for platform features only), Intercom (support), GitHub (source & CI), Google Workspace (email), Sentry (error monitoring). The maintained list with purposes and locations is published at app.opentrain.ai/trust.
Request compliance documents
Under a mutual NDA we share our Data Processing Addendum, Business Associate Agreement, Security Overview, full CAIQ self-assessment, and security policies. Email security@opentrain.ai — we’ll send the NDA first, then the requested documents. Vulnerability reports go to the same address.