Compliance

Where Chief stands on certifications, standards, and audit readiness.

SOC 2

Status: SOC 2 Type 1 audit in progress as of 2026. Type 2 follow-on planned for the year after.

Chief is not yet SOC 2 audited. We’re building toward it actively, and we follow SOC 2 Common Criteria controls today even without the certification.

What this means for procurement:

  • We can share our internal security policy under NDA — covers access control, change management, incident response, vendor management.
  • We can complete most security questionnaires (CAIQ, SIG, custom) referencing our internal controls.
  • We cannot yet hand you a signed SOC 2 report; that comes after audit completion.

GDPR

Chief is GDPR-compatible:

  • Lawful basis: legitimate interest (our service to you) + your contract terms.
  • Data Processing Agreement (DPA) available — request via security@hirechief.ai.
  • Sub-processors disclosed (next section).
  • Data subject rights honored: export and deletion. See Data Rights.
  • Data residency: today, all data is stored in US East. EU data residency is on the roadmap for Enterprise.

CCPA

Chief honors CCPA rights for California residents:

  • Right to know what personal data we hold (export available)
  • Right to deletion (deletion flow available)
  • Right to opt out — Chief doesn’t sell personal data, so opt-out is implicit

HIPAA

Chief is not HIPAA-compliant. Don’t put PHI (Protected Health Information) into Slack messages with Chief or files Chief processes. We can’t sign a BAA at this time.

If your team needs HIPAA-grade Chief, contact sales@hirechief.ai. We’re scoping a HIPAA-compatible offering on the Enterprise plan.

Sub-Processors

Chief uses these third parties to deliver the service:

Sub-processor  | Purpose                                   | Data they see
---------------|-------------------------------------------|------------------------------------------
Convex         | Primary database & app platform           | All tenant data (encrypted at rest)
DigitalOcean   | Agent host (compute)                      | Transient — no persistent data
Vercel         | Dashboard, marketing, App Factory hosting | UI traffic only; no tenant data
Anthropic      | LLM provider (default)                    | Prompts you send Chief, via your API key
Stripe         | Billing                                   | Subscription metadata, payment method
PostHog        | Product analytics                         | Anonymized event data only
Sentry         | Error tracking                            | Stack traces (no tenant content)

Updated sub-processor list lives at hirechief.ai/security/sub-processors.

Penetration Testing

Annual external pen test by a third-party firm. Most recent test: 2026-Q1. Summary report available under NDA.

Vendor Risk Questionnaires

We respond to standard questionnaires (CAIQ, SIG-Lite, vendor-specific) typically within 5 business days. Email security@hirechief.ai to start.