SOC 2 · HIPAA · GDPR.
And the work behind them.
Compliance is a baseline, not a finish line. xAQUA carries independent attestations across security, privacy, and processing integrity, and aligns to the regulatory frameworks our customers' regulators expect.
What we hold and where we are.
Live attestations are renewed annually. Frameworks marked "in progress" have audit cycles underway.
SOC 2 Type II.
Independent attestation against the security, availability, processing integrity, and confidentiality Trust Services Criteria. Audited annually by an AICPA-registered firm. Latest report available under mutual NDA.
- Type II report (12-month observation window)
- Continuous control monitoring
- Annual third-party penetration testing
- Quarterly vulnerability scanning
HIPAA.
xAQUA aligns to HIPAA Security Rule and Privacy Rule controls. Business Associate Agreements (BAAs) are available for healthcare payers, providers, and ecosystem partners deploying private or air-gapped configurations.
- BAA available for qualifying customers
- PHI redaction via SenseMask
- Audit log retention & disclosure tracking
- Encryption of PHI in flight and at rest
GDPR.
xAQUA is engineered for GDPR-compliant deployments. Standard Contractual Clauses and a Data Processing Addendum are available, EU-resident hosting is offered for regulated workloads, and data subject rights workflows are supported.
- Standard Contractual Clauses (2021 set)
- EU-region hosting available
- Data Processing Addendum (DPA) on file
- DSR workflow tooling
ISO/IEC 27001:2022.
Our ISMS is mapped to ISO/IEC 27001:2022. The certification audit is underway with an accredited registrar; target completion is the next quarterly cycle.
- ISMS scoped & documented
- Stage 1 readiness review complete
- Stage 2 audit scheduled
- Annex A controls fully mapped
FedRAMP Moderate.
FedRAMP Moderate authorization is in progress to support U.S. federal and state-government deployments. The xAQUA GovCloud configuration mirrors the FedRAMP Moderate control baseline and is deployed today for state pension and HHS workloads.
- 3PAO assessment underway
- GovCloud configuration in production
- Continuous monitoring framework
- Agency sponsor engagement active
NIST SP 800-53 Rev. 5.
xAQUA security controls are mapped to NIST SP 800-53 Rev. 5 control families. Customers subject to CJIS or other federally derived requirements use this mapping as their compliance reference framework.
- Control mapping document available
- SSP template provided to customers
- Inheritable controls clearly delineated
- POA&M tooling supported
CCPA / CPRA.
xAQUA processes personal information in compliance with the California Consumer Privacy Act as amended by the CPRA. Consumer rights workflows and disclosure documentation are available.
- Consumer rights workflow
- "Do not sell" controls
- Disclosure documentation
PCI DSS.
xAQUA does not store cardholder data, so the storage-related PCI DSS requirements do not apply to it. Our masking layer (SenseMask) detects and redacts PAN data before any LLM processing, so primary account numbers never reach the model. Storage is only one of the three PCI DSS scoping triggers (store, process, transmit); components that handle PAN before redaction remain part of the customer's scoping assessment.
- No PAN storage architecturally
- SenseMask PAN detection
- Tokenization integration available
Compliance is local.
For customers operating in multiple regulatory regions, xAQUA supports region-specific deployments and addenda.
Need our SOC 2 report or compliance package?
Reports are available under mutual NDA. Most customers receive the standard package — SOC 2 Type II, penetration test summary, security questionnaire — within two business days.
Have a specific compliance question?
Our trust team responds to security questionnaires, audit walkthroughs, and regulator-facing inquiries.