The audited AI platform for IT and security teams.

You're the one who has to approve the vendor, answer the security questionnaire, and own the incident if something goes wrong. HASP is built to make that approval defensible — isolated data planes, SSO, documented subprocessors, a tamper-evident audit chain, and an incident response process you can point your CISO at.

Compliance · frameworks we ship under
  • HIPAA: BAA included (Active)
  • SOC 2 Type II: inherited (AOC under NDA)
  • HITRUST r2: inherited (AOC under NDA)
  • GDPR: Art. 17, 20, 30 (EU + UK)
  • PIPEDA / CPPA: Canada (Active + CPPA-ready)
  • ISO 27001: In progress (Q3 2026)

  • Dedicated data plane: per-org data plane, no shared databases at any tier
  • SAML SSO + SCIM: SSO and provisioning tied to your IdP lifecycle
  • 30-day subprocessor notice: DPA commits to advance notification, no retroactive disclosure

What you get

Everything the compliance team needs. Nothing that slows you down.

Dedicated data plane per Enterprise org

Enterprise-tier organizations run on a dedicated data plane with their own vector index and object-storage bucket. No shared databases, no logical multi-tenancy at the data layer. Your data does not co-reside with any other customer's data.

SSO and SCIM provisioning

Enterprise SSO (SAML) — connect your IdP and enforce SSO across the entire platform. Provisioning and deprovisioning via SCIM so access follows your HR lifecycle, not your help desk queue.

Tamper-evident audit chain for every action

Every action across every surface is hash-chained and Ed25519-signed with a key bound to your tenant. RFC 3161 TSA timestamp anchoring means timestamps are attested by an independent third party, not just our server clock. Chain verification runs on your own machine.
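
What checking a hash chain on your own machine involves, as an added example that is not HASP code and does not use HASP's export format. The entry layout, the field names (prev_hash, body, hash), the GENESIS value and the sample entries are all assumptions constructed for illustration; the Ed25519 signature and RFC 3161 token checks are left out so the block needs only the Python standard library.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor value for the first entry (hypothetical)

def entry_hash(prev_hash, body):
    # Canonical JSON so the same body always serializes to the same bytes.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()

def append(chain, body):
    # Each entry commits to the hash of the entry before it.
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"prev_hash": prev, "body": body, "hash": entry_hash(prev, body)})

def verify(chain, expected_head=None):
    """Return (ok, reason). expected_head is a head hash stored outside the log."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev_hash"] != prev:
            return False, f"entry {i}: broken link"
        if entry_hash(entry["prev_hash"], entry["body"]) != entry["hash"]:
            return False, f"entry {i}: content does not match hash"
        prev = entry["hash"]
    # Link checks alone cannot see a truncated or fully recomputed chain;
    # only a head value held independently of the log exposes that.
    if expected_head is not None and prev != expected_head:
        return False, "head mismatch: entries truncated or replaced"
    return True, "ok"

def build_sample():
    # Constructed sample entries, not real audit data.
    chain = []
    for seq, action in enumerate(["login", "document.read", "export.create"]):
        append(chain, {"seq": seq, "actor": "user@example.test", "action": action})
    return chain

if __name__ == "__main__":
    log = build_sample()
    print(verify(log, log[-1]["hash"]))
    log[1]["body"]["action"] = "document.delete"  # in-place edit of one entry
    print(verify(log))
```

A chain rebuilt from scratch with altered entries passes every link check, so when evaluating any audit export, confirm that the head is committed to by something the log's operator cannot rewrite, which is the job a signature and an external timestamp do.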

Documented subprocessors and 30-day change notice

Every third-party service that processes your data is listed in the DPA subprocessor table. HASP commits to 30 days advance notice before any subprocessor change takes effect — not retroactive disclosure after the fact.

Encryption, pen testing, and incident response

Encryption at rest and in transit across all data planes. Annual third-party penetration testing. Confirmed chain-integrity incidents trigger customer notification without undue delay, aligned with regulatory timelines under the DPA. Full security posture documented at the Trust Center.

Built-in compliance

Every action logged. Every log verifiable. By anyone.

  • Isolated data plane per Enterprise org — no shared databases, no logical multi-tenancy at the data layer.
  • Audit chain independently verifiable on your own machine — no HASP software required, no need to trust our export UI.
  • DPA available before you sign anything — download the template at /trust and review subprocessors, data residency, and retention before committing.

The HASP platform, on this surface

Product surfaces that matter most for IT & security.

See it end-to-end

Workflows that map to IT & security.

Try it before you commit to anything.

Start a Free Evaluation and use every feature — AI chat, document analysis, the API, internal app builder — on non-patient data. When your organization is ready to work with real patient records, sign the BAA in-app. No procurement back-and-forth, no waiting.