Trust center

Last updated: June 13, 2026

Custosa is built for regulated industries, so trust has to be demonstrable. This page covers the frameworks we help you enforce, our own attestation status (stated honestly), and how every decision becomes verifiable evidence.

01 Compliance packs we enforce for you

Custosa ships a Base pack (clearance-lattice authorization plus the evidence bundle, always on) and three compliance packs (HIPAA, SOC 1, and SOC 2) that you can toggle on at runtime. The SOC 1 and SOC 2 packs are annotation layers that map Custosa's enforcement decisions to specific controls, so the verdicts your system already produces become auditable evidence against those frameworks. At v1, SOC 2 coverage spans the Security and Confidentiality criteria.

02 Custosa's own attestations

We will not claim certifications we do not hold. Here is our current status, stated plainly:

Item                                        Status
HIPAA Business Associate Agreement          Available now
SOC 2 Type I (Security, Confidentiality)    In progress
SOC 1 Type I                                In progress
SOC 2 Type II                               Planned
ISO 27001                                   Under evaluation
FedRAMP                                     Not currently planned

Our compliance packs help you enforce and evidence HIPAA, SOC 1, and SOC 2 controls today. That is separate from Custosa's own organizational attestations, which are in progress. We keep the two distinct on purpose.

03 HIPAA

Custosa acts as a Business Associate and offers a BAA. The HIPAA pack enforces the minimum-necessary principle at the field level and produces the audit controls expected under the Security Rule. Custosa does not store the protected health information it inspects.

04 Evidence & audit

Every decision is sealed as verdict-only, HMAC-signed, hash-chained evidence that you can verify offline. Evidence exports in JSON for your SIEM; CEF and LEEF output, and integrations with compliance-automation platforms such as Vanta, Drata, and Secureframe, are on the roadmap. See the security page for how the evidence chain is constructed, and the live evidence ledger on the home page.
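As an added illustration of what "verdict-only, HMAC-signed, hash-chained, verifiable offline" means in practice, the Python below models such a ledger and the check an auditor can run over an exported JSON list without contacting the control plane. It is not Custosa's own code or record format (the security page documents that); the field names, the genesis value, and the demo key are assumptions.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # assumed back-link value for the first record in a ledger


def canonical(record: dict) -> bytes:
    """Deterministic JSON encoding so sealer and verifier hash identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def record_hash(record: dict) -> str:
    return hashlib.sha256(canonical(record)).hexdigest()


def seal(key: bytes, prev_hash: str, verdict: dict) -> dict:
    """Seal one decision: the record carries only the verdict fields, the hash of
    the previous record, and an HMAC over both. The inspected payload is never stored."""
    body = {**verdict, "prev": prev_hash}
    mac = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {**body, "mac": mac}


def verify_chain(key: bytes, ledger: list) -> int:
    """Offline verification. Returns -1 if the chain is intact, otherwise the index
    of the first record whose HMAC or back-link fails (edit, reorder or deletion)."""
    expected_prev = GENESIS
    for i, record in enumerate(ledger):
        body = {k: v for k, v in record.items() if k != "mac"}
        want = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(want, record.get("mac", "")):
            return i  # record altered, or sealed under a different key
        if record.get("prev") != expected_prev:
            return i  # a preceding record was removed, reordered or replaced
        expected_prev = record_hash(record)
    return -1


def build_sample_ledger(key: bytes) -> list:
    """Constructed sample: three verdict-only decisions (no PHI, no request bodies)."""
    verdicts = [
        {"seq": 1, "verdict": "allow", "subject": "svc-billing", "label": "internal"},
        {"seq": 2, "verdict": "deny", "subject": "svc-billing", "label": "phi"},
        {"seq": 3, "verdict": "allow", "subject": "clinician-42", "label": "phi"},
    ]
    ledger, prev = [], GENESIS
    for v in verdicts:
        rec = seal(key, prev, v)
        ledger.append(rec)
        prev = record_hash(rec)
    return ledger
```

Because each record's back-link is the hash of the full previous record (MAC included), silently dropping a record breaks the chain at the next one even though that record's own HMAC still verifies.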

05 How your data is handled

Custosa's evidence and managed control plane are content-free, and in on-premises deployments your records never leave your infrastructure. For the third parties involved in delivering Custosa Cloud and our commitments around them, see sub-processors. For website and business-contact data, see our privacy policy.

06 Contact

Security, compliance, and audit requests: hello@custosa.com.