Enterprise
Compliance documentation and how to verify it
SOC 2 Type II reports under NDA, a GDPR DPA, and a clear contractual pathway for PDPA and CCPA — with verification steps instead of badges.
Ciao's compliance posture rests on verifiable documents: SOC 2 Type II reports available under NDA, a GDPR Data Processing Agreement, and contractual data-handling commitments — zero-retention model contracts and no training on customer code — that support PDPA and CCPA obligations. Unlike vendors that publish badge walls, Ciao routes every compliance claim to a document your legal and security teams can actually read and verify.
Published 2026-07-03 · Last updated 2026-07-03
Compliance claims are easy to make and expensive to trust
Every vendor page in this category shows the same row of logos. The difference between a badge and a control is whether you can verify it: read the audit report, sign the DPA, trace a data flow, question the auditor's scope. When the platform in question generates and deploys production software, the cost of trusting an unverified claim is not abstract — it is your own audit finding a year later.
Ciao's position is simple: compliance documentation exists to be read. This page lists what is available today, what pathway covers each regulation your review is likely to name, and the exact step that verifies each item. Where something is handled contractually rather than by certification, the page says so plainly.
A useful test for any vendor in this category: ask where each compliance claim is written down, who audited it, and what happens if it turns out to be wrong. A claim backed by an audit report has an author and a method. A claim backed by a badge has a graphics department. Your review deserves the former, and this page is organized so you can demand it.
What is available today
Each item below is a document or control your team can obtain and check:
- SOC 2 Type II — SOC 2 Type II reports are available under NDA — an independent audit of controls operating over a period, not a self-assessment.
- GDPR Data Processing Agreement — A DPA covering processor obligations, data-handling commitments and subprocessor terms, available for legal review during procurement.
- Zero-retention model contracts — Inference runs under zero-retention model contracts, and customer code is not used to train models — the commitments privacy reviews ask about first.
- Append-only audit trail — Prompts, merges, deploys and admin actions are recorded append-only, giving internal audit a reconstructable history of every change.
- Access controls — SSO via SAML and OIDC, optional MFA and role-based access control — the access-management controls most frameworks require of a processor.
- Deployment choice — Deploy to Ciao cloud, your own AWS, Azure or GCP account, private VPC, or on-prem under separate terms — which lets residency-sensitive programs keep data where their obligations require.
The PDPA and CCPA pathway
PDPA and CCPA obligations are met through the same contractual spine as GDPR: the DPA's data-handling, retention and subprocessor commitments, plus the platform's zero-retention model contracts and the commitment that customer code is not used for training. Your counsel maps those commitments to the specific obligations your business carries — Ciao provides the artifacts and answers, not legal advice.
If your program spans jurisdictions, raise that during procurement. Deployment into your own cloud account or private VPC often simplifies the analysis, because the application and its data stay inside infrastructure you already govern.
How to run a compliance review of Ciao
1. Request the document set
Ask for the security pack via the contact page. It is the index to everything else in this list.
2. Sign the NDA, read the SOC 2 report
The Type II report shows which controls were audited, over what period, and what the auditor found. Read the scope section first.
3. Review the DPA
Legal reviews processor obligations, data-handling terms and subprocessor commitments. Redlines and questions go to the enterprise team.
4. Map controls to your framework
Match audit-trail, access-control and data-handling evidence to the requirements in your own compliance framework — the table below is a starting index.
5. Confirm the deployment posture
Decide whether Ciao cloud, your own cloud account, private VPC or on-prem fits your obligations, and record the decision with your assessment.
Framework by framework
| Framework | What Ciao provides | How to verify |
|---|---|---|
| SOC 2 Type II | Independent audit reports | Request under NDA via /contact |
| GDPR | Data Processing Agreement, zero-retention model contracts, no training on customer code | Legal review of the DPA during procurement |
| CCPA | Contractual data-handling commitments via the DPA and service terms | Map DPA terms to your CCPA obligations with counsel |
| PDPA | Same contractual pathway: DPA commitments plus data-handling terms | Map DPA terms to your PDPA obligations with counsel |
| HIPAA | Not claimed. Healthcare teams use Ciao for operational workflows | Discuss your specific workload with the enterprise team |
Verification notes
Nothing on this page requires trust in marketing. SOC 2 Type II reports are available under NDA; the security pack and the DPA are available on request via the contact page; and the platform controls the documents describe — audit trail, access control, governed merges — can be demonstrated live during your evaluation. If a claim you need is not on this page, ask for it in writing rather than assuming it.
Two practical suggestions from reviews that go smoothly. First, sign the NDA early — it is the gate in front of the most useful documents, and clearing it in week one lets security and legal work in parallel. Second, send your control-mapping spreadsheet along with the questionnaire rather than after it, so responses are written against the framework your committee actually scores with.
Frequently asked questions
Is Ciao ISO 27001 certified?
SOC 2 Type II is the independent audit Ciao provides today, with reports available under NDA. If your framework requires other certifications or a control mapping, raise it with the enterprise team during procurement rather than assuming equivalence.
Does Ciao support workloads that fall under HIPAA?
Ciao does not claim HIPAA compliance. Healthcare organizations use Ciao for operational workflows, and workloads involving regulated health data should be discussed explicitly with the enterprise team before any build starts.
Can we share the SOC 2 report with our internal auditors?
The report is provided under NDA, and the NDA's terms govern who may read it. Most reviews cover the security, legal and audit staff who need it — confirm the distribution scope when you request the report.
Will Ciao sign our DPA instead of its own?
Ciao provides a GDPR DPA for review, and legal questions or redlines are handled during procurement. Bring your paper to the enterprise team and they will tell you plainly what is negotiable for your agreement size.
Where can we see the current subprocessor list?
Subprocessor information is part of the DPA and security-pack review. Request the current list via the contact page — it is a document to read, not a claim to take from a webpage that may age.