Compliance at Backbuild
Backbuild operates a unified compliance program designed to map a single set of technical and organizational controls onto the requirements of the regulatory and industry frameworks that matter to our customers. Rather than chasing individual certifications in isolation, we maintain a control library that satisfies overlapping requirements across SOC 2, ISO 27001, HIPAA, PCI DSS, and GDPR. This page summarizes our current status and explains how customers can obtain evidence.
What compliance means at Backbuild
Compliance at Backbuild is not a checkbox exercise. We believe that attestations and certifications are a signal of operational maturity, not its source. Our security and privacy engineering work is guided by the following principles:
- Controls first, paperwork second. We implement and operate a control before documenting it for an auditor.
- Single source of truth. Every control maps to code, configuration, or an enforced process — not a policy PDF alone.
- Honest reporting. We disclose the current state of each framework, including items that are in progress or not yet committed.
- Least privilege by default. Production access, customer data access, and administrative actions are tightly scoped and fully audited.
- Defense in depth. We assume any single control may fail and design layered mitigations accordingly.
Current attestations and status
| Framework | Status | Notes |
|---|---|---|
| SOC 2 Type II | In progress | Observation period underway. Type II report targeted for Q4 2026. |
| ISO 27001:2022 | In progress | ISMS scoped and control mapping complete. Certification audit targeted for Q1 2027. |
| HIPAA | Aligned | Administrative, physical, and technical safeguards implemented. BAA available to eligible customers. |
| PCI DSS v4.0 | Controls aligned | Backbuild does not store, process, or transmit cardholder data directly. Payments are tokenized via Stripe. |
| FedRAMP Moderate | Roadmap | Control library aligned with NIST 800-53 Moderate baseline. Authorization not committed at this time. |
| GDPR / UK GDPR | Compliant | Data Processing Agreement with Standard Contractual Clauses available. Data subject rights workflow in production. |
Requesting evidence
Current and prospective customers can request the following evidence packages under a mutual non-disclosure agreement:
- SOC 2 Type II report (once issued) and interim gap assessments
- ISO 27001 Statement of Applicability and internal audit results
- Penetration test executive summaries
- Architecture and data flow diagrams
- Information security, privacy, and incident response policies
- Vendor and sub-processor due diligence records
To request evidence or to complete a security questionnaire, email security@backbuild.ai. We aim to respond to initial requests within two business days.
Compliance contact
Security and compliance: security@backbuild.ai
Privacy and data protection: privacy@backbuild.ai