Built for teams shipping AI into regulated production.
Composo is SOC 2 Type II certified, GDPR compliant, and deployed into healthcare, fintech, and enterprise environments where data handling is non-negotiable.
SOC 2 Type II
Attestation available on request.
Compliance
SOC 2 Type II
Independently audited against the AICPA Trust Services Criteria for security, availability, and confidentiality. Report available under NDA for enterprise buyers.
GDPR
Composo is a data processor for customer AI traces. Data processing agreements are available for all enterprise customers. EU customer data is processed in EU-region infrastructure on request.
HIPAA-ready
For healthcare customers, Composo deploys directly into the customer's own infrastructure, or runs in Composo's HIPAA-aligned environment. Business Associate Agreements available. Composo does not require PHI to operate - sensitive fields can be redacted at ingestion - but can handle PHI where seeing the raw data materially improves evaluation quality.
Deployment options
US and EU regions on Composo-managed infrastructure, or deployment directly into the customer's VPC or on-premise environment for customers with strict data-residency or regulatory requirements.
Data handling
Composo processes AI traces submitted by the customer. Traces remain the customer's data. Composo uses them to evaluate quality, surface failures, and calibrate the evaluation model to the customer's domain.
Customer data is never used to train foundation models. Composo does not share trace data with any third party other than the sub-processors listed below, each of which is under a data processing agreement.
Data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Access is gated by role-based permissions and audited. Deletion requests are honoured within 30 days.
Sub-processors
Composo uses the following sub-processors to deliver its services. All sub-processors are bound by data processing agreements.
| Sub-processor | Purpose | Region |
|---|---|---|
| Amazon Web Services | Primary hosting and data storage | US / EU |
| Microsoft Azure | Evaluation model inference | US / EU |
| OpenAI | Foundation model access (Azure OpenAI path used by default) | US |
| Anthropic | Foundation model access (opt-in) | US |
Trust centre
For SOC 2 reports, DPAs, BAAs, the current sub-processor list, or to report a security vulnerability, please get in touch.