Harpy.
Experience IntelligenceTrust

Trust & security

Trust posture and evidence register.

Harpy is being built for independent dental and allied-health practices, where operational data can carry patient, workforce, and reputation sensitivity. This page records the current posture: agreements and vendor evidence in hand, controls operating today, standards required before sensitive workflows, and claims we are not making.

Last updated June 30, 2026

Control register

A current-state summary of what is evidenced, what is operating, what must be true before sensitive workflows, and what Harpy is not claiming.

Agreed or evidenced

Contracts, vendor evidence, or purchased capabilities that exist today. These support Harpy's program; they are not certifications of Harpy.

Neon database posture

Agreed / evidenced

Signed BAA and paid tier selected for private-ingress and HIPAA/SOC 2-compatible vendor controls.

Vendor security evidence

Agreed / evidenced

Core infrastructure providers maintain their own trust centers and audit evidence. Harpy treats that as supporting evidence, not a substitute for Harpy certification.

Operating today

Controls and product boundaries reflected in the current public marketing and application posture.

Starter collection boundary

Operating

Feedback links are structured and tokenized. They do not ask patients for name, email, phone, login, appointment time, or free-text narrative.

Patient account boundary

Operating

Practice users authenticate; patients responding to feedback links do not create accounts.

Server-side taxonomy boundary

Operating

Taxonomy vocabulary and registry structure stay server-side rather than becoming a public client or database disclosure surface.

Required before sensitive workflows

Implementation standards that must be true before sensitive or PHI-capable workflows are represented publicly.

OpenAI no-store, pre-ZDR

Required standard

For eligible OpenAI API calls, store=false is the required standard. Harpy does not claim contracted Zero Data Retention today.

PHI workflow gate

Required standard

Any PHI-capable workflow must be tied to the right plan, agreement, vendor controls, and BAA coverage where required.

Targets and boxed claims

Items that should not be read as current certifications or live controls.

SOC 2 program

Target

Harpy is not SOC 2 certified today. Target: SOC 2 readiness and an independent Type II examination window in early 2028.

Retention architecture

Not claimed

Event TTL deletion, rollups, dissolve behavior, durable co-occurrence matrices, and aggregate substitution remain boxed until shipped and evidenced.

Certification language

Not claimed

Harpy does not claim HIPAA certification, HITRUST certification, SOC 2 certification, or OpenAI ZDR today.

System status

Public uptime and incident history are published separately from product and legal claims.

View status.harpy.rocks

Data minimization

The current Starter feedback path is intentionally narrow. Patients use tokenized links and structured selections rather than accounts, direct identifiers, or free-text narratives. Practice users sign in; patients responding to feedback links do not.

Harpy also keeps the taxonomy boundary server-side. Public product copy can describe themes and outcomes, but the internal taxonomy vocabulary and registry structure are not a client-side or database disclosure surface.

Infrastructure and vendor controls

Harpy uses managed infrastructure providers for hosting, authentication, database, uptime monitoring, analytics, and AI inference. Vendor trust evidence helps establish our operating baseline; it does not make Harpy itself certified.

Neon is the current managed Postgres provider. Harpy maintains a signed Neon BAA and has purchased a tier selected for private ingress and HIPAA/SOC 2-compatible vendor posture. We still treat PHI, HIPAA, and private-network claims as deployment-specific claims that must match the active workflow, configuration, and agreement.

AI processing

Harpy does not claim OpenAI Zero Data Retention today. For eligible OpenAI API calls, store=false is the implementation standard before launch. That is a no-store minimization guardrail, not a substitute for contracted ZDR access or healthcare-specific terms.

Sensitive workflows must stay outside AI processing unless a future plan, agreement, vendor posture, and product implementation all support that use.

Collection surfaces and subprocessors

Harpy separates the public marketing site from the product application because the collection surfaces are materially different. The tables below merge provider role and data category into one operational description, then state the relevant agreement or control posture.

Public marketing site

harpy.rocks

The public site is a low-sensitivity marketing and trust surface. It can collect website analytics and operational telemetry, but it is not the patient feedback or practice application surface.

ProviderUse and data handledAgreement / control status
VercelStatic marketing hosting, edge delivery, deployment telemetry, website traffic, and request diagnostics.Vendor security evidence available. Harpy does not treat Vercel's posture as Harpy certification.
Google AnalyticsWebsite measurement: page views, referral paths, browser/device signals, approximate network-derived location, and conversion events.Marketing-site analytics only. Google may collect data directly under its own privacy terms.
Vercel Web AnalyticsAggregate web-usage and performance signals for the public site.Used for operational and marketing measurement, not patient feedback profiling.
Better StackPublic status page, incident history, uptime monitoring, and operational telemetry.Supports public reliability reporting. It is separate from legal certification claims.

Product application

app.harpy.rocks

The application surface handles practice accounts, structured feedback workflows, connected business-profile data, and eligible AI processing. Claims here depend on the active workflow, plan, configuration, and agreement.

ProviderUse and data handledAgreement / control status
VercelApplication hosting, edge delivery, deployment telemetry, application traffic, and request diagnostics.Vendor security evidence supports the hosting baseline. Harpy remains responsible for application controls.
ClerkPractice-user authentication, sessions, organization membership, and role data.Workforce identity surface. Patient feedback links do not require patient accounts.
NeonManaged Postgres for practice, account, structured product, and operational data.Signed BAA and paid security tier selected for private-ingress and HIPAA/SOC 2-compatible vendor controls. PHI claims remain workflow- and agreement-specific.
OpenAIAI inference for eligible classification, summarization, coaching, and drafting workflows.store=false is the required no-store standard for eligible calls. Harpy does not claim contracted ZDR today.
GoogleOptional Google sign-in, Google Maps Platform/Places, and Google Business Profile-related workflows including public listing, place, rating, review, and owner-response metadata where connected.Feature- and permission-scoped. Public business listing data, OAuth identity, and patient feedback content remain distinct categories.
MicrosoftOptional Microsoft sign-in and account identity metadata where selected by a practice user.Used only when a practice user chooses Microsoft sign-in or a future Microsoft integration.

Compliance roadmap

Harpy is not SOC 2 certified, does not claim HIPAA certification, and does not claim HITRUST certification today. Our current work is to build the operating discipline, vendor evidence, access controls, audit trail, and policy surface needed for a credible compliance program.

The target is SOC 2 readiness and an independent Type II examination window in early 2028. If future workflows process PHI, those workflows must be supported by the right plan, contract, vendor controls, and Business Associate Agreement where required.

Retention and claims we are not making

Harpy does not currently publish a live event-level TTL, rollup, dissolve, durable co-occurrence, or aggregate-substitution claim. Those ideas belong in architecture and implementation work until they are shipped, verified, and ready for counsel review.

Security, legal, and privacy questions can be sent to legal@harpy.rocks.