Compliance Posture
Last updated: May 5, 2026
We list every standard and certification a security or compliance evaluator might ask about, and we tell you exactly where we stand on each. We hold no certification we have not earned. We do not claim “compliant with X” when what we mean is “we follow some of X’s practices.”
| Standard | Status | Notes |
|---|---|---|
| GDPR (EU) | DPA published | Data Processing Agreement at /dpa includes 72-hour breach notification, customer data isolation, no secondary use. |
| DFARS 252.204-7012 | Partial | DPA breach-notification clause meets the 72-hour requirement. Other DFARS controls (CDI handling, NIST 800-171 mapping) on the roadmap. |
| NIST SP 800-171 | Roadmap | Not yet mapped. Planning a formal gap assessment in 2026 if customer demand confirms. |
| SOC 2 Type 1 | Roadmap (Q4 2026) | Auditor selection pending. Not yet held. |
| SOC 2 Type 2 | Roadmap (post-Type-1) | Requires 6-12 months of audited operations after Type 1. |
| ISO 27001 | Not yet | Not on near-term roadmap; will reassess if customer demand justifies. |
| HIPAA | Out of scope | Battery cycling data is not PHI. We do not process protected health information. |
| ITAR / EAR | Out of scope | The engine is published software. We do not handle ITAR-controlled data; the customer is responsible for not submitting ITAR-controlled cell data via the API. |
| CMMC | Not yet | Defense buyers should engage Enterprise tier for CMMC alignment discussion. |
| FedRAMP | Not yet | Hosting on Railway (not a FedRAMP-authorized substrate). On-prem deployment available at Enterprise tier for buyers requiring FedRAMP-equivalent isolation. |
| TLS 1.2+ in transit | Yes | All API traffic encrypted. Verified by curl/openssl on the production endpoint. |
| Customer data isolation | Yes | No pooling, no cross-customer training, no secondary use. Documented in /dpa §3. |
| In-memory processing | Yes | Simulation inputs not persisted after response. /dpa §4. |
| Customer data deletion | Yes | Within 90 days of contract termination. Immediate on request. /dpa §10. |
For defense buyers
We acknowledge that DoD primes need certifications we do not yet hold. If you are evaluating us for a defense application:
- Engage Enterprise tier for on-premises deployment (no Railway dependency, no Anthropic chat-widget data path).
- The DPA breach-notification clause meets DFARS 252.204-7012(c) 72-hour reporting.
- NIST 800-171 mapping is on the 2026 roadmap; we can provide a control-by-control gap statement on request.
- SOC 2 Type 1 is targeted for Q4 2026.
- Procurement contact: jason@scaleprognostics.com with subject “Defense Procurement.”
For OEM buyers
If you are an OEM evaluating us for procurement (cell maker, EV manufacturer, ESS integrator):
- Production API runs on Railway with US-region hosting.
- Custom domain `api.scaleprognostics.com` planned (currently `cozy-hope-production-cb41.up.railway.app`).
- SLA targets are published at /sla per tier.
- Enterprise tier supports on-prem deployment, dedicated engineer, and custom SLA negotiation.
What honesty costs us, and why we still publish this
A startup that publishes “we don’t hold SOC 2 yet” loses some procurement evaluators who use that as a screening filter. We could obscure the gap; we choose not to. Trust compounds. One overstated certification claim costs more than a hundred honest disclosures.
If a control we lack is a hard blocker for you, tell us. The roadmap moves with customer demand.
Scale Prognostics LLC · Atlanta, GA