SOC 2 Type II
In Progress
Auth1 is pursuing a SOC 2 Type II attestation via Drata, a compliance automation platform. A SOC 2 Type II report evaluates both the design and the operating effectiveness of security controls over an observation period (typically 3 to 12 months), whereas a Type I report only assesses control design at a single point in time.
Our SOC 2 program covers three of the five AICPA Trust Services Criteria:
- Security — Protection against unauthorized access
- Availability — System uptime and reliability commitments
- Confidentiality — Protection of confidential information
Contact compliance@auth1.ai to request our current compliance posture documentation.
HIPAA
Enterprise Plan
Auth1 supports HIPAA compliance for healthcare organizations and their business associates. A Business Associate Agreement (BAA) is available on the Enterprise plan. Note that HIPAA has no certification: the BAA and the features below support a covered entity's own compliance program, and the customer remains responsible for configuring them and for its own policies.
HIPAA-eligible features include:
- Session Timeouts — Configurable inactivity timeouts supporting the Security Rule's automatic logoff specification (45 CFR 164.312(a)(2)(iii))
- PII Encryption — AES-256-GCM encryption at rest for all personally identifiable information
- Audit Logs — Immutable, structured audit logs for all authentication events, with optional post-quantum signatures using ML-DSA-65 (FIPS 204, the standardized form of CRYSTALS-Dilithium)
- Access Controls — Role-based access control with principle of least privilege
- Breach Notification — Incident response and notification procedures per the HIPAA Breach Notification Rule, which requires a business associate to notify the covered entity of a breach of unsecured PHI without unreasonable delay and no later than 60 calendar days after discovery (45 CFR 164.410)
To execute a BAA, contact legal@auth1.ai.
GDPR
Auth1 supports the General Data Protection Regulation (GDPR) for organizations handling EU personal data:
- Data Processing Agreement (DPA) — Available upon request for all paid plans
- Right to Erasure (Art. 17) — Full user data deletion via API or dashboard, with confirmation
- Data Portability (Art. 20) — Export user data in standard, machine-readable formats
- EU Data Handling — Transparent data processing practices, with a documented legal basis (Art. 6) for each processing activity
- Consent Records — Immutable consent audit trail for SMS and email communications, so that consent can be demonstrated as Art. 7(1) requires
To request a DPA, contact compliance@auth1.ai.
CCPA
Auth1 supports the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to Know — Users can request disclosure of personal information collected
- Right to Delete — Users can request deletion of their personal information
- Right to Opt-Out — Auth1 does not sell personal information, so there is no sale to opt out of
- Non-Discrimination — Equal service regardless of privacy rights exercised
For details, see our Privacy Policy.
TCPA
Auth1 provides built-in compliance tools for the Telephone Consumer Protection Act (TCPA):
- SMS Consent Tracking — Every SMS OTP request records explicit consent with timestamp, IP address, and user agent
- Dilithium-Signed Audit Records — Consent records are optionally signed with ML-DSA-65 (Dilithium) post-quantum signatures, providing tamper-evident, cryptographically verifiable evidence of consent that a third party can check with the public key alone
- Opt-Out Handling — Automatic processing of STOP/UNSUBSCRIBE requests
- Consent Revocation — Users can revoke SMS consent at any time
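The following is an added example, not Auth1's code, and it does not describe how Auth1 actually stores or signs records. It shows the shape of a tamper-evident consent trail of the kind the Audit Logs and Dilithium-Signed Audit Records items describe: each record carries the consent fields named above (timestamp, IP address, user agent), is serialized canonically, is chained to the previous record by hash, and is signed. Because ML-DSA-65 is not in the Python standard library, the signer here is an HMAC-SHA256 stand-in (assumed, for offline execution only); it is symmetric, so unlike ML-DSA-65 a relying party would need the secret key to verify, and a real deployment would plug in an ML-DSA-65 signer. The field names, the `prev_hash` chaining, and the sample records are all constructed for this example.

```python
import copy
import hashlib
import hmac
import json
from datetime import datetime, timezone

GENESIS_HASH = "0" * 64  # prev_hash of the first record in a log


def canonical(record: dict) -> bytes:
    """Deterministic serialization: sorted keys, no whitespace, UTF-8.
    Signer and verifier must agree byte-for-byte, or valid records fail."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


class HmacStandInSigner:
    """Stand-in for an ML-DSA-65 signer (assumed, not Auth1's implementation).
    Same sign/verify shape over bytes, but symmetric: anyone who can verify
    can also forge, which ML-DSA-65 (public-key) does not allow."""
    alg = "HMAC-SHA256 (stand-in for ML-DSA-65)"

    def __init__(self, key: bytes):
        self._key = key

    def sign(self, message: bytes) -> str:
        return hmac.new(self._key, message, hashlib.sha256).hexdigest()

    def verify(self, message: bytes, signature: str) -> bool:
        return hmac.compare_digest(self.sign(message), signature)


def append_record(log, signer, event, phone, ip, user_agent, consent, timestamp=None):
    """Append one consent/audit record, chained to the previous one and signed."""
    prev_hash = log[-1]["record"]["hash"] if log else GENESIS_HASH
    record = {
        "event": event,            # e.g. sms_consent_granted / sms_consent_revoked
        "phone": phone,
        "ip": ip,
        "user_agent": user_agent,
        "consent": consent,
        "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
        "prev_hash": prev_hash,    # binds this record to the whole history before it
    }
    record["hash"] = hashlib.sha256(canonical(record)).hexdigest()
    log.append({"record": record, "sig": signer.sign(canonical(record)), "alg": signer.alg})
    return record


def verify_log(log, signer):
    """Return (True, None) if the chain and every signature check out,
    else (False, index) of the first record that fails."""
    prev_hash = GENESIS_HASH
    for index, entry in enumerate(log):
        record = entry["record"]
        if record.get("prev_hash") != prev_hash:          # deleted or reordered record
            return False, index
        unhashed = {k: v for k, v in record.items() if k != "hash"}
        if hashlib.sha256(canonical(unhashed)).hexdigest() != record.get("hash"):
            return False, index                             # field edited after the fact
        if not signer.verify(canonical(record), entry["sig"]):
            return False, index                             # re-hashed but not re-signed
        prev_hash = record["hash"]
    return True, None


# Constructed demo data: a TEST-NET IP, a 555 number and a fixed demo key.
DEMO_SIGNER = HmacStandInSigner(b"constructed demo key, not a real secret")


def build_demo_log():
    log = []
    ua = "Mozilla/5.0 (constructed example)"
    append_record(log, DEMO_SIGNER, "sms_consent_granted", "+15555550100",
                  "203.0.113.7", ua, True, "2024-05-01T12:00:00+00:00")
    append_record(log, DEMO_SIGNER, "sms_otp_sent", "+15555550100",
                  "203.0.113.7", ua, True, "2024-05-01T12:00:05+00:00")
    append_record(log, DEMO_SIGNER, "sms_consent_revoked", "+15555550100",
                  "198.51.100.23", ua, False, "2024-05-03T09:30:00+00:00")
    return log


def backdated_copy(log):
    """Tamper scenario: move the revocation earlier without re-hashing or re-signing."""
    tampered = copy.deepcopy(log)
    tampered[2]["record"]["timestamp"] = "2024-04-30T09:30:00+00:00"
    return tampered


def with_entry_removed(log, index):
    """Tamper scenario: drop a record from the middle of the trail."""
    tampered = copy.deepcopy(log)
    del tampered[index]
    return tampered


if __name__ == "__main__":
    demo = build_demo_log()
    print("intact:       ", verify_log(demo, DEMO_SIGNER))
    print("backdated:    ", verify_log(backdated_copy(demo), DEMO_SIGNER))
    print("entry removed:", verify_log(with_entry_removed(demo, 1), DEMO_SIGNER))
```

The three checks in `verify_log` are layered on purpose: the hash chain catches deletion and reordering, the per-record hash catches edited fields, and the signature catches an attacker who edits a record and recomputes its hash but lacks the signing key. With a real ML-DSA-65 signer the last check is the one an auditor or regulator can run independently, using only the published public key.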
Questions about compliance? Contact us at compliance@auth1.ai. We are happy to discuss your specific compliance requirements and how Auth1 can support them.
See also: Security | Terms of Service | Privacy Policy