Humadroid logo
Humadroid
Live
Sign in
For AI-native teams

SOC 2 & ISO 27001
for AI Startups

You ship AI products, not audit artifacts. Humadroid gives AI-native teams a SOC 2 and ISO 27001 workflow that actually matches how you build — sub-processors, model vendors, data flows, and all.

See pricing How it works
Is this you?
  • You're 3–15 people, mostly engineers, mostly shipping
  • OpenAI, Anthropic, Pinecone, HuggingFace live in your stack
  • Enterprise prospects are asking for a SOC 2 report or ISO certificate
  • Nobody on the team wants to own this full-time

Why compliance hits differently for you

1

Sub-processor sprawl

Your vendor list doubled the moment you added LLMs. Auditors want every one of them mapped, risk-assessed, and reviewed — including the model providers buyers are nervous about.

2

Data you can't fully see

Prompts, completions, embeddings, fine-tuning sets. What's logged, where it lives, and who can access it is harder to answer than a typical SaaS.

3

Buyers moving the goalposts

Enterprise security reviews now include AI-specific questions — training data, retention, human oversight. Generic compliance tools weren't written for this.

A worked example

How an OpenAI dependency becomes audit-ready evidence

You're using the OpenAI API for your core feature. An auditor wants to see that this dependency is governed properly. Here's how it actually flows through Humadroid — from the moment you add the vendor to the moment it shows up as evidence.

  1. 1
    Add OpenAI as a vendor. The platform pulls standard info (sub-processor list, region, DPA availability) and prompts you for what's specific: which endpoints you call, whether you log prompts, and whether you have zero-retention enabled.
  2. 2
    A risk entry is auto-generated covering model data exposure, prompt injection, and third-party breach. You accept or adjust inherent and residual ratings — no blank spreadsheet.
  3. 3
    The Statement of Applicability and SOC 2 control mapping update to reflect that a model provider sits in your data path. Relevant controls (A.5.19 supplier relationships, CC9.2 vendor management) get tagged automatically.
  4. 4
    Your DPA with OpenAI is attached as evidence. If you have zero-retention, the confirmation email becomes evidence too. The AI compliance assistant writes the narrative paragraph that belongs in your System Description.
  5. 5
    Six months later, you switch to Anthropic for one product line. Update the vendor record; risk, SoA, and evidence requirements regenerate. The audit trail shows when and why.
The audit question isn't 'do you use OpenAI' — it's 'can you show how you govern that dependency over time'. This workflow makes the answer boring, which is the goal.

SOC 2 and ISO 27001, shaped to your reality

Same platform, two frameworks. Pick one, start with both, or switch later.

S2

SOC 2

The report US buyers ask for.

  • Control mapping that accounts for LLM and vector-DB sub-processors
  • Evidence collection for AI vendor contracts, DPAs, and data-handling attestations
  • System Description templates that describe AI inference paths honestly
  • Trust Service Criteria tuned to AI-heavy data flows
Explore SOC 2 →
27

ISO 27001

The certificate European and enterprise buyers want.

  • Annex A controls scoped to your AI and data infrastructure
  • Risk register templates pre-seeded with AI-specific threats
  • Statement of Applicability guidance for LLM sub-processors
  • Aligned with EU customer expectations around AI governance
Explore ISO 27001 →

What the first 60 days actually look like

Not a marketing timeline — the real sequence we see for teams like yours.

Week 1

Map the AI stack honestly

Inventory every model provider, vector DB, fine-tuning pipeline, and data processor. Most AI teams discover 4–6 vendors they'd forgotten. Humadroid ingests them into your vendor register in one session.

Weeks 2–3

Lock the data flows

Document what goes to OpenAI/Anthropic, what's retained, what's logged internally. This becomes the backbone of your System Description and your answers to the AI-specific parts of security questionnaires.

Weeks 3–4

Generate policies for your real stack

Acceptable use for AI tools, data handling for model inputs, incident response that covers hallucinations and prompt injection. Not boilerplate — generated from your inventory.

Weeks 4–6

Turn on automated evidence

Connect AWS/GCP/GitHub/Cloudflare. Evidence starts flowing on a schedule so you're not hunting screenshots in week 8.

Weeks 6–8

Audit-ready for SOC 2 Type I

Walkthrough-ready System Description, controls mapped, evidence live. From here, a Type I report is weeks away; ISO 27001 shares ~60% of the work and can be done in parallel.

How Humadroid handles it

AI compliance assistant that knows your stack

Ask it how a SOC 2 auditor will view your OpenAI fine-tuning pipeline. It answers using your own vendor register, data flows, and policies — not generic docs.

Learn more →

Vendor assessment for LLM providers

Pre-filled templates for model providers, vector DBs, and embedding services. Review OpenAI, Anthropic, Pinecone in minutes with the right questions already asked.

Learn more →

Evidence from the tools AI teams actually use

Automated pulls from AWS, GCP, GitHub, Cloudflare. For AI-specific evidence (DPAs, retention settings, model access logs), clear upload workflows with reminders.

Learn more →

Risk register seeded with AI threats

Prompt injection, training data leakage, model vendor compromise, hallucination impact — pre-populated so you're refining, not writing from zero.

Learn more →

Trust Center for AI-conscious buyers

A public page where enterprise buyers see your certifications, your AI governance posture, and your sub-processor list. Kills 60% of inbound security questions.

Learn more →

Policies tuned to an AI product

Acceptable-use, data handling, and incident response that reference models, prompts, and fine-tuning — not generic SaaS boilerplate you'd be embarrassed to ship.

Learn more →

What auditors actually ask teams like yours

Real questions we've seen in SOC 2 and ISO 27001 audits for your cohort — and what a good answer looks like.

Q

Which third parties process customer data — including AI model providers?

A

Auditor wants a complete, current sub-processor list with contracts and data-handling terms. LLM providers count. Gaps here are the single most common finding for AI startups.

Q

What's your retention and logging posture for prompts and completions?

A

Either you have zero-retention configured with the provider, or you have a documented retention schedule. 'We don't know' is the failure case. Whatever the answer, it must match what your privacy notice says.

Q

How do you prevent sensitive customer data from being sent to external models?

A

Auditor wants a specific control — input filtering, tenant isolation, customer opt-outs, or a policy-level restriction — and evidence it's enforced. Not a promise; a mechanism.

Q

What's your process when a model provider has an incident?

A

Your incident response plan needs to explicitly cover third-party AI outages and breaches. Including: how you'd find out, who decides whether to notify customers, and how fast.

Questions we hear a lot

Does SOC 2 cover how we use OpenAI or Anthropic? +

Yes — model providers are sub-processors, and SOC 2 expects them to be mapped, contracted, and risk-assessed like any other vendor. Humadroid treats them as first-class vendors in your register and helps you document the data that flows to them.

Is ISO 27001 better than SOC 2 for AI startups? +

Neither is strictly better. SOC 2 is usually faster to produce and is what US enterprise buyers ask for first. ISO 27001 is a formal certificate often required by European buyers and larger enterprises. Many AI startups pursue SOC 2 first, then add ISO 27001 within a year.

We use vector databases and fine-tune on customer data. Is that a problem? +

Not inherently — but it needs to be documented, risk-assessed, and covered by the right agreements. Humadroid has templates for exactly this: what data flows where, retention rules, access controls, and how customers can opt out.

How fast can an AI startup realistically get SOC 2? +

Most AI startups using Humadroid are SOC 2 Type I ready in 4–8 weeks. Type II requires an observation window (typically 3 months minimum) after Type I. ISO 27001 is a similar timeline for the initial audit.

Do we need a dedicated compliance hire? +

No. The whole point of the platform is that a technical founder or engineer can drive this part-time. You'll spend hours per week, not full days. If you ever need humans, we connect you with auditors directly.

What if our AI vendors change? +

Update the vendor in Humadroid and the platform propagates the change across your risk register, SoA, and evidence requirements. Audits don't punish change — they punish undocumented change.

Ready to stop postponing this?

Get SOC 2 or ISO 27001 on your terms — without a consultant, without a full-time compliance hire, without the dread.

See pricing See all features