Compliance

Compliance, with honest dates.

We will not pretend to have a SOC 2 we don't have. Below is the actual roadmap — what ships today, what ships next, and what is not applicable.

Live

EU AI Act

High-risk classification under Annex III §4 (employment). What we are doing about it:

  • Classified high-risk under Annex III §4 (employment / worker management)
  • Calibration loop + per-criterion rubric versioning provides auditable evidence
  • Right-to-explanation surfaced in score-report UI: every breakdown shows the criterion, weight, and rubric anchor
  • Manager override with mandatory written reason — fully audit-logged
  • Human-in-the-loop required before any certification revocation

Live

GDPR

DPA, sub-processors, and DSAR endpoints all ship today.

  • Standard DPA available on request, signed via DocuSign
  • Live sub-processor list at /sub-processors, 30-day notification on changes
  • POST /me/export — full personal data export (JSON), email link valid 7 days
  • POST /me/delete — soft-delete immediately, hard-delete cascade within 30 days
  • Data residency: EU-region option for Pro and Enterprise (PG + R2 in Frankfurt)

On the roadmap

SOC 2 Type II

12-month observation window. Targeted timeline:

  • Q3 2026 — readiness assessment, gap analysis (Vanta-tracked)
  • Q4 2026 — control implementation: change management, access reviews, vendor management
  • Q1 2027 — Type I report (point-in-time)
  • Q3 2027 — Type II observation window opens (12 months)
  • Q3 2028 — Type II report available to customers

Not applicable

HIPAA

Avelto does not process protected health information (PHI). The product is built for sales and customer-support roleplay; healthcare scenarios that involve PHI are out of scope. If you have a use case that needs HIPAA, please reach out so we can scope a BAA and isolated tenancy.

Need our DPA?

We send the standard DPA the same business day. EU SCCs included.

Avelto — Train Sales & Support to Production-Ready