To provide an update, Hedy is currently going through SOC2 Type 2 and HIPAA certification. As part of this implementation we are going to have a bunch of additional and updated documentation to bring further transparency.

Thanks, Julian Pscheid I wasn’t able to access this documentation before, what you shared is extremely helpful. It definitely addresses many of my points.

Here are a few comments and questions based on the documentation provided. As this is truly more of a journey, rather than a issue, I think it would be great to add these into the roadmap as well

Is content encrypted client-side before upload or only “at rest” on GCP?

What key-management model is used (KMS, HSM, ...)? would you consider adding/supporting a customer-managed keys model?

user set retention cap is great, but could not find this option. same thing for AI analysis. Are backups purged on the same timeline?

2 Third-Party & Cross-Border Processors

Consider publishing a full sub-processor list? specifically what is data retention period for raw or derivative data (and potential implications of that)

Consider offering EU region storage or a signed SCCs/DPA with SCC Module 2 and 3 language (GDPR)

consider TOTP/Passkey MFA; add anomaly-based login alerts

consider publishing a formal SOC 2 Type II / ISO 27001 attestation covering vendor risk and change management

add HIPAA/HITECH reqs mentioned into the roadmap. Consider CCPA/CPRA and GDPR

Thanks for the questions, f! We agree that these are really important details. Therefore we documented them in our help docs:

Please take a look and let me know if you think we missed something.