COMPLIANCE
Current status. No compliance theatre.
Where Safua lands today across the standards that procurement and security reviews commonly ask for. In progress is labelled in progress; not applicable is labelled not applicable. No “compliance-ready” hedging.
SOC 2 TYPE II
In progress. Targeting Q3 2026.
We’re in the control-implementation phase of a SOC 2 Type II audit targeting Q3 2026. Controls covered include access management, change management, incident response, vendor risk, and data handling.
Enterprise buyers who need SOC 2 evidence before our certification completes can request current control documentation under NDA via partnerships@darkolab.com. Package includes: access-management policy, data-handling standard, incident-response runbook, subprocessor inventory, backup/recovery procedure.
GDPR
Compliant for EU data subjects.
EU data subjects have the full slate of rights: access, rectification, erasure, restriction, portability, objection. Our Privacy Policy documents how to exercise each; routing is privacy@darkolab.com with a 30-day response SLA.
- Lawful basis for processing documented per data category
- Data Processing Addendum available for enterprise customers
- EU-hosted subprocessors used where reasonably practical; transfers governed by Standard Contractual Clauses
PIPEDA
Compliant for Canadian data subjects.
As a Canadian-incorporated company (DarkoLab Inc., Vancouver, British Columbia), we are PIPEDA-governed by default. User consent, data minimisation, and breach-notification obligations are baked into our handling.
CCPA / CPRA
Compliant for California data subjects.
California residents can exercise access, deletion, correction, and opt-out-of-sale rights via privacy@darkolab.com. We don’t sell personal information; the opt-out right is honoured preemptively.
HIPAA
Not applicable at current product stage.
Safua does not process Protected Health Information (PHI) in its current form. The Sentient Health virtual company inside the platform is a simulated environment; missions shipped against it use synthetic data.
For enterprise deployments that involve real PHI workflows, HIPAA compliance is achievable with a Business Associate Agreement and a scoped deployment. Route: partnerships@darkolab.com.
ISO 27001
On roadmap. No current target date.
ISO 27001 certification is planned for post-SOC 2 completion. We don’t publish a target date because we haven’t selected an auditor yet, and committing to a timeline before that step would be inaccurate.
QUESTIONS
Unclear on scope? Ask.
Procurement or security reviewers can send specific control questions to security@darkolab.com. We respond within 3 business days.
For related reading, see our security practices, vulnerability disclosure policy, and accessibility statement.