HEA is built for privacy-first AI experiences: private content stays protected, AI skills are governed, and operational controls are designed with European expectations in mind.
Current status: ISO/IEC 27001 certification is not claimed. Security and governance controls are documented as they are implemented and independently earned evidence will be added here when available.
HEA combines private knowledge, customer conversations, and AI-powered actions. Our trust model is built around clear data boundaries, governed AI behavior, operational visibility, and European-first product discipline.
HEA separates private editor content from public published experiences. Private setup data, resources, and operational records are treated as protected product state, not marketing content.
HEA skills are designed to be scoped, observable, and configurable. The product favors approved actions, bounded skill behavior, and operator review over unbounded autonomous workflows.
HEA uses access control, deployment gates, protected storage, monitoring, and rollback practices to reduce risk on critical paths such as auth, publish, transfer, and customer data handling.
HEA's AI governance is designed around EU AI Act themes: transparency, human oversight, logging, risk-based controls, cybersecurity, and documented behavior. Formal legal conclusions depend on the deployment context and customer use case.
HEA is designed as a governed AI representative, not a free-form chatbot. The product gives teams ways to shape what the AI knows, what it can say, which skills it can use, and how conversations can be reviewed and improved.
Skills are product-defined capabilities with scoped behavior, structured state, and guardrails. They are designed to support approved actions such as qualification, handoff, promotions, and support flows.
Operators can configure the HEA, review conversations, adjust content and skills, and improve the AI experience over time. Critical owner-controlled flows are designed to fail visibly rather than silently degrade.
The public experience should make it clear when a visitor is interacting with AI. Conversation UX, disclaimers, and channel-specific presentation should support informed user expectations.
HEA stores durable facts and committed skill state only where they serve a clear product purpose. Temporary workflow control should stay lightweight and should not become a hidden autonomous planner.
Important AI and operational events should leave useful traces for debugging, review, and incident response, including structured error metadata where available.
HEA is designed for customer-facing guidance, support, qualification, handoff, and relationship workflows. It is not positioned as an autonomous decision-maker for high-risk use cases such as hiring, credit, healthcare diagnosis, law enforcement, migration, education access, or legal adjudication.
Creator content, operational data, and databases are stored in Cloudflare Western Europe (WEUR) data centres. This includes all R2 object storage buckets and the D1 registry database. Public CDN assets are served from cdn.hea-world.com, also hosted in WEUR.
Application compute is provided by Vercel and Google Cloud Run on serverless architectures — neither stores persistent data. Session and cache data is stored in Upstash (EU region). No creator content is stored outside the European Union by design.
HEA-World uses several providers and models — including OpenAI, Anthropic, Mistral, and Google — to deliver each service. Models are selected based on performance, reliability, and cost, allowing HEA-World to provide the best and most cost-effective experience to its clients.
Prompts and responses are sent to providers for inference only. We do not intentionally opt customer data into provider model training. Provider safety logging, content moderation, and retention policies may vary and are documented per provider.
HEA-World relies on each provider's current API terms of service regarding training opt-out. We review provider terms periodically and will update this page if those commitments materially change.
HEA is building toward a more formal security and AI governance program. We will only display certifications, attestations, or badges when they are independently earned and reviewable.
| Area | Status |
|---|---|
| ISO/IEC 27001 certification | Planned — not certified |
| AI Act Article 50 (transparency) | Readiness in progress |
| Privacy controls | Active — under review |
| Incident response process | Active |
| Vendor/subprocessor review | Active |
| Vulnerability reporting | Active |
For security, privacy, or AI governance questions, contact us.
To report a vulnerability, include the affected URL or asset, reproduction steps, potential impact, and whether any data exposure occurred.
Contact usCreate your HEA in minutes. Privacy-first, governed by design.