A current, accurate posture statement for procurement-grade evaluation. Where the answer is “not yet,” the page says “not yet.” Mapping is done; audits are on the roadmap.
Companion documents: /security · /security/disclosure · /legal/privacy · /legal/dpa · /legal/subprocessors
AuthorityRail engages a small, accountable set of subprocessors. The canonical list with links to each subprocessor’s security and privacy pages is at /legal/subprocessors. New subprocessors get at least thirty (30) days’ advance notice before processing Customer Personal Data. Customers may object on reasonable data-protection grounds within fifteen (15) days; mechanism is in Section 6 of the DPA.
| Subprocessor | Function | Region |
|---|---|---|
| Supabase | database hosting, authentication backend, RLS tenant isolation, CAR persistence | us-east-1 |
| Anthropic | LLM inference for policy evaluation, intent scoring, decision explanation | United States |
| Stripe | payment processing and billing | US / global delivery |
| Vapi | voice agent infrastructure backing the Voice Execution Gateway (VEX-1) | United States |
| Railway | application compute hosting (gate, voice gateway, ARES gateway, supporting services) | us-east-1 (on AWS) |
| Cloudflare | edge / CDN / DNS / DDoS / static-site hosting | global anycast |
Every entry below states the truth at the date of this page. We will not state “audit in progress” until an audit is actually in progress. We will not state “SOC 2 compliant” without a SOC 2 report.
Type II audit planned for post-launch (Q3 2026 target). No SOC 2 audit is currently in progress. There is no Type I report. There is no Type II report. We have implemented the controls we expect a Type II audit to assess (see /security) but have not yet been audited against them. When we engage an audit firm, this page will name the firm and the engagement scope.
The platform is not currently HIPAA-eligible. AuthorityRail does not represent itself as a HIPAA-compliant Covered Service today.
Business Associate Agreement: [FOUNDER_TO_FILL — confirm with counsel either “A BAA may be available for the Enterprise tier on a per-deployment basis after a sectoral compliance review. Contact hello@authorityrail.com to initiate.” OR “Not available at this time. We will publish a BAA template when the platform supports a HIPAA-eligible deployment shape.”]
The DPA at /legal/dpa incorporates the EU Standard Contractual Clauses (Module 2 + Module 3 with Clause 9 Option 2 general written subprocessor authorization), the UK Addendum (UK ICO IDTA v.A1.0), and the FADP modifications. Personal Data Breach notification within 72 hours of confirmation per DPA Section 8.
AuthorityRail acts as a service provider under CCPA / CPRA. We do not “sell” or “share” Personal Information through cookies and do not use cross-context behavioral advertising. Full service-provider commitments in DPA Section 12.
Article 14 human-oversight artifact: Human Decision Records under DRI-v1 (Tier 2 Published 2026-04-30). Mapping at standards/DRI-v1/SPEC.md §7. AuthorityRail does not certify EU AI Act compliance on customers’ behalf — the platform produces the cryptographically signed evidence that customers’ compliance counsel uses to demonstrate Article 14 conformance.
us-east-1, via Supabase + Railway.Controls a Customer can exercise itself today, without filing a support ticket.
The customer dashboard exposes the CAR Verification Console at /audit/cars, the Federation Manifests view at /audit/manifests, and the Regulatory Citations view at /audit/citations — read-only and scoped to your own org_id. Every CAR is independently verifiable via the public verification endpoint.
docs/CAR_VERIFICATION.md, https://authorityrail.com/v1/verify/:car_id
Postgres row-level security gates every tenant-scoped read against auth.org_id() from the Customer JWT. Cross-tenant test assertions live in the gate test suite. The dual-identity model (Customer SDK + RLS vs. operator dashboard + Okta + service-role) is documented at docs/AUTH_IDENTITY_MODEL.md.
supabase/migrations/20260505000100_rls_helper_fn.sql · services/gate/__tests__/rls-isolation.test.ts
Operators can issue a Global Halt or Scoped Containment that takes effect on the next decision; set per-agent and per-action authority bands; and tenant-configure policy rules with full audit (the Enterprise Decision Policy Engine, EDPE). Idempotent retry: same caller-supplied request_id within 24h replays the original CAR.
services/gate/src/routes/kill-switch.ts · docs/REPLAY_FRESHNESS.md
Customer-administered Personal Data is editable in the dashboard. Other rights (access, correction, deletion, portability, restriction) are handled per the Privacy Policy and the DPA. On termination, AuthorityRail provides Customer Data export in a machine-readable format on written request within 30 days.
/legal/privacy · /legal/dpa
hello@authorityrail.com.security@authorityrail.com — see /security/disclosure.hello@authorityrail.com with subject “Subprocessor change notifications.”External: federation manifests · public CAR verification