Security & Trust

Security & Trust

HEA is built for privacy-first AI experiences: private content stays protected, AI skills are governed, and operational controls are designed with European expectations in mind.

Current status: ISO/IEC 27001 certification is not claimed. Security and governance controls are documented as they are implemented and independently earned evidence will be added here when available.

Trust principles

HEA combines private knowledge, customer conversations, and AI-powered actions. Our trust model is built around clear data boundaries, governed AI behavior, operational visibility, and European-first product discipline.

Private by design

HEA separates private editor content from public published experiences. Private setup data, resources, and operational records are treated as protected product state, not marketing content.

Governed AI, not free-form automation

HEA skills are designed to be scoped, observable, and configurable. The product favors approved actions, bounded skill behavior, and operator review over unbounded autonomous workflows.

Secure operational foundation

HEA uses access control, deployment gates, protected storage, monitoring, and rollback practices to reduce risk on critical paths such as auth, publish, transfer, and customer data handling.

EU-aware governance

HEA's AI governance is designed around EU AI Act themes: transparency, human oversight, logging, risk-based controls, cybersecurity, and documented behavior. Formal legal conclusions depend on the deployment context and customer use case.

AI you can govern

HEA is designed as a governed AI representative, not a free-form chatbot. The product gives teams ways to shape what the AI knows, what it can say, which skills it can use, and how conversations can be reviewed and improved.

Governed skills

Skills are product-defined capabilities with scoped behavior, structured state, and guardrails. They are designed to support approved actions such as qualification, handoff, promotions, and support flows.

Human oversight

Operators can configure the HEA, review conversations, adjust content and skills, and improve the AI experience over time. Critical owner-controlled flows are designed to fail visibly rather than silently degrade.

Transparency

The public experience should make it clear when a visitor is interacting with AI. Conversation UX, disclaimers, and channel-specific presentation should support informed user expectations.

Bounded memory and state

HEA stores durable facts and committed skill state only where they serve a clear product purpose. Temporary workflow control should stay lightweight and should not become a hidden autonomous planner.

Auditability and diagnostics

Important AI and operational events should leave useful traces for debugging, review, and incident response, including structured error metadata where available.

Intended-use boundaries

HEA is designed for customer-facing guidance, support, qualification, handoff, and relationship workflows. It is not positioned as an autonomous decision-maker for high-risk use cases such as hiring, credit, healthcare diagnosis, law enforcement, migration, education access, or legal adjudication.

Data & infrastructure

Data residency

Creator content, operational data, and databases are stored in Cloudflare Western Europe (WEUR) data centres. This includes all R2 object storage buckets and the D1 registry database. Public CDN assets are served from cdn.hea-world.com, also hosted in WEUR.

Application compute is provided by Vercel and Google Cloud Run on serverless architectures — neither stores persistent data. Session and cache data is stored in Upstash (EU region). No creator content is stored outside the European Union by design.

AI model provider transparency

HEA-World uses several providers and models — including OpenAI, Anthropic, Mistral, and Google — to deliver each service. Models are selected based on performance, reliability, and cost, allowing HEA-World to provide the best and most cost-effective experience to its clients.

Prompts and responses are sent to providers for inference only. We do not intentionally opt customer data into provider model training. Provider safety logging, content moderation, and retention policies may vary and are documented per provider.

HEA-World relies on each provider's current API terms of service regarding training opt-out. We review provider terms periodically and will update this page if those commitments materially change.

Shared responsibility

Security and compliance are a shared effort, the same way cloud platforms frame it. HEA-World secures the platform; you govern your deployment. Our job is to make both sides auditable and to be clear about where each responsibility sits.

HEA-World handles The platform
  • Infrastructure, compute, storage, and networking
  • Encryption in transit and at rest
  • EU data residency (Cloudflare R2/D1, Upstash, Cloud Run)
  • Model-provider contracts and no-training posture
  • Governed-skill guardrails and bounded state
  • Backups, recovery, and rollback
  • Vendor and sub-processor management
  • The non-removable AI disclosure baseline
Shared Obligations on both sides
  • Data & content We secure stored data; you decide what enters it, its accuracy, and its lawful basis.
  • Authentication We run platform authentication and sessions; you manage who in your organization has access.
  • AI disclosure We provide the non-removable baseline; you localize and may strengthen it.
  • Consent & data-subject requests We provide the mechanism and tooling; you configure consent and respond to your visitors’ requests.
  • Incident response We detect and remediate platform incidents and notify you; you handle your configuration and content, and report issues to us.
  • Integrations We secure our side of each connector; you secure the third-party services you connect.
You handle Your HEA deployment
  • Content accuracy and appropriateness
  • Intended-use classification for your context
  • Skill selection and scope choices
  • Data retention preferences
  • Visitor consent setup
  • Lawful basis for the data you provide
  • Reviewing HEA outputs before relying on them
  • Regulated-sector compliance obligations

This operational split mirrors the legal roles defined in our Terms and Data Processing Agreement, where you act as the data controller and HEA-World acts as the data processor for the personal data your HEA handles.

Compliance roadmap

HEA is building toward a more formal security and AI governance program. We will only display certifications, attestations, or badges when they are independently earned and reviewable.

Area Status
ISO/IEC 27001 certification Planned — not certified
AI Act Article 50 (transparency) Readiness in progress
Privacy controls Active — under review
Incident response process Active
Vendor/subprocessor review Active
Vulnerability reporting Active

Contact security

For security, privacy, or AI governance questions, contact us.

To report a vulnerability, include the affected URL or asset, reproduction steps, potential impact, and whether any data exposure occurred.

Contact us

Ready to build a governed AI experience?

Create your HEA in minutes. Privacy-first, governed by design.