Trust & security
Trust posture and evidence register.
Harpy is being built for independent dental and allied-health practices, where operational data can carry patient, workforce, and reputation sensitivity. This page records the current posture: agreements and vendor evidence in hand, controls operating today, standards required before sensitive workflows, and claims we are not making.
Last updated June 30, 2026
Control register
A current-state summary of what is evidenced, what is operating, what must be true before sensitive workflows, and what Harpy is not claiming.
Agreed or evidenced
Contracts, vendor evidence, or purchased capabilities that exist today. These support Harpy's program; they are not certifications of Harpy.
Neon database posture
Agreed / evidencedSigned BAA and paid tier selected for private-ingress and HIPAA/SOC 2-compatible vendor controls.
Vendor security evidence
Agreed / evidencedCore infrastructure providers maintain their own trust centers and audit evidence. Harpy treats that as supporting evidence, not a substitute for Harpy certification.
Operating today
Controls and product boundaries reflected in the current public marketing and application posture.
Starter collection boundary
OperatingFeedback links are structured and tokenized. They do not ask patients for name, email, phone, login, appointment time, or free-text narrative.
Patient account boundary
OperatingPractice users authenticate; patients responding to feedback links do not create accounts.
Server-side taxonomy boundary
OperatingTaxonomy vocabulary and registry structure stay server-side rather than becoming a public client or database disclosure surface.
Required before sensitive workflows
Implementation standards that must be true before sensitive or PHI-capable workflows are represented publicly.
OpenAI no-store, pre-ZDR
Required standardFor eligible OpenAI API calls, store=false is the required standard. Harpy does not claim contracted Zero Data Retention today.
PHI workflow gate
Required standardAny PHI-capable workflow must be tied to the right plan, agreement, vendor controls, and BAA coverage where required.
Targets and boxed claims
Items that should not be read as current certifications or live controls.
SOC 2 program
TargetHarpy is not SOC 2 certified today. Target: SOC 2 readiness and an independent Type II examination window in early 2028.
Retention architecture
Not claimedEvent TTL deletion, rollups, dissolve behavior, durable co-occurrence matrices, and aggregate substitution remain boxed until shipped and evidenced.
Certification language
Not claimedHarpy does not claim HIPAA certification, HITRUST certification, SOC 2 certification, or OpenAI ZDR today.
System status
Public uptime and incident history are published separately from product and legal claims.
Data minimization
The current Starter feedback path is intentionally narrow. Patients use tokenized links and structured selections rather than accounts, direct identifiers, or free-text narratives. Practice users sign in; patients responding to feedback links do not.
Harpy also keeps the taxonomy boundary server-side. Public product copy can describe themes and outcomes, but the internal taxonomy vocabulary and registry structure are not a client-side or database disclosure surface.
Infrastructure and vendor controls
Harpy uses managed infrastructure providers for hosting, authentication, database, uptime monitoring, analytics, and AI inference. Vendor trust evidence helps establish our operating baseline; it does not make Harpy itself certified.
Neon is the current managed Postgres provider. Harpy maintains a signed Neon BAA and has purchased a tier selected for private ingress and HIPAA/SOC 2-compatible vendor posture. We still treat PHI, HIPAA, and private-network claims as deployment-specific claims that must match the active workflow, configuration, and agreement.
AI processing
Harpy does not claim OpenAI Zero Data Retention today. For eligible OpenAI API calls, store=false is the implementation standard before launch. That is a no-store minimization guardrail, not a substitute for contracted ZDR access or healthcare-specific terms.
Sensitive workflows must stay outside AI processing unless a future plan, agreement, vendor posture, and product implementation all support that use.
Collection surfaces and subprocessors
Harpy separates the public marketing site from the product application because the collection surfaces are materially different. The tables below merge provider role and data category into one operational description, then state the relevant agreement or control posture.
Public marketing site
harpy.rocks
The public site is a low-sensitivity marketing and trust surface. It can collect website analytics and operational telemetry, but it is not the patient feedback or practice application surface.
| Provider | Use and data handled | Agreement / control status |
|---|---|---|
| Vercel | Static marketing hosting, edge delivery, deployment telemetry, website traffic, and request diagnostics. | Vendor security evidence available. Harpy does not treat Vercel's posture as Harpy certification. |
| Google Analytics | Website measurement: page views, referral paths, browser/device signals, approximate network-derived location, and conversion events. | Marketing-site analytics only. Google may collect data directly under its own privacy terms. |
| Vercel Web Analytics | Aggregate web-usage and performance signals for the public site. | Used for operational and marketing measurement, not patient feedback profiling. |
| Better Stack | Public status page, incident history, uptime monitoring, and operational telemetry. | Supports public reliability reporting. It is separate from legal certification claims. |
Product application
app.harpy.rocks
The application surface handles practice accounts, structured feedback workflows, connected business-profile data, and eligible AI processing. Claims here depend on the active workflow, plan, configuration, and agreement.
| Provider | Use and data handled | Agreement / control status |
|---|---|---|
| Vercel | Application hosting, edge delivery, deployment telemetry, application traffic, and request diagnostics. | Vendor security evidence supports the hosting baseline. Harpy remains responsible for application controls. |
| Clerk | Practice-user authentication, sessions, organization membership, and role data. | Workforce identity surface. Patient feedback links do not require patient accounts. |
| Neon | Managed Postgres for practice, account, structured product, and operational data. | Signed BAA and paid security tier selected for private-ingress and HIPAA/SOC 2-compatible vendor controls. PHI claims remain workflow- and agreement-specific. |
| OpenAI | AI inference for eligible classification, summarization, coaching, and drafting workflows. | store=false is the required no-store standard for eligible calls. Harpy does not claim contracted ZDR today. |
| Optional Google sign-in, Google Maps Platform/Places, and Google Business Profile-related workflows including public listing, place, rating, review, and owner-response metadata where connected. | Feature- and permission-scoped. Public business listing data, OAuth identity, and patient feedback content remain distinct categories. | |
| Microsoft | Optional Microsoft sign-in and account identity metadata where selected by a practice user. | Used only when a practice user chooses Microsoft sign-in or a future Microsoft integration. |
Compliance roadmap
Harpy is not SOC 2 certified, does not claim HIPAA certification, and does not claim HITRUST certification today. Our current work is to build the operating discipline, vendor evidence, access controls, audit trail, and policy surface needed for a credible compliance program.
The target is SOC 2 readiness and an independent Type II examination window in early 2028. If future workflows process PHI, those workflows must be supported by the right plan, contract, vendor controls, and Business Associate Agreement where required.
Retention and claims we are not making
Harpy does not currently publish a live event-level TTL, rollup, dissolve, durable co-occurrence, or aggregate-substitution claim. Those ideas belong in architecture and implementation work until they are shipped, verified, and ready for counsel review.
Security, legal, and privacy questions can be sent to legal@harpy.rocks.