Security & Compliance

Compliance & Trust

We believe transparency about security and compliance is a feature, not a footnote. Here is exactly where MyAIConsent stands today — honestly.

Last updated: March 2026

Compliance Overview

Our current status across major security and compliance frameworks

Framework   Status           Progress   Scope
ISO 42001   ⟳ In Progress    65%        AI management system standard
ISO 42005   ✓ Implemented    80%        AI impact assessment standard
ISO 22989   ✓ Compliant      95%        AI concepts and terminology
GDPR        ✓ Compliant      95%        EU data protection regulation
SOC 2       ⟳ In Progress    35%        SaaS security compliance audit
HIPAA       ◎ Roadmap        30%        US healthcare data protection

ISO 42001 — 65%

AI Management System Standard

⟳ In Progress

The AI counterpart of ISO 27001. ISO/IEC 42001:2023 specifies the requirements for an AI management system, covering responsible AI, bias management, transparency and human oversight.

What we have

  • Human oversight (users control their own content)
  • Transparency (users know what AI model is used)
  • Content consent layer (the name of the platform)
  • No training on user data
  • Audit logs
  • Impact Assessment per twin (ISO 42005 aligned)
  • Source verification — every AI response cites its documents

What is missing

  • Formal AI risk assessment
  • Bias monitoring
  • Documented AI governance policy

"Consent-first architecture is ISO 42001 alignment by design. The remaining gaps are documentation, not architecture."

ISO 42005 — 80%

AI Impact Assessment Standard

✓ Implemented

The ISO standard for AI system impact assessment (ISO/IEC 42005:2025). It guides organisations that develop or deploy AI systems in systematically assessing the potential impacts on individuals and society before deployment. MyAIConsent applies this to every AI Twin created on the platform.

What we have

  • Impact Assessment required before twin can go public
  • Five structured assessment fields covering audience, harms, sensitive topics, accuracy and oversight
  • Assessment answers automatically embedded into AI Twin System Guidelines
  • Documented oversight plan per twin
  • Honest gap disclosure built into the assessment flow

What is missing

  • Third-party review of assessment quality
  • Formal impact assessment register across all deployed twins
  • Automated bias detection layer

"Every AI Twin on MyAIConsent has a documented impact assessment. Not as a checkbox — as a genuine governance control that shapes how the twin behaves."
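The two controls this section describes, a publish gate that refuses a twin without a complete assessment and the embedding of the answers into the twin's system guidelines, can be sketched in a few lines. The Python below is an added illustration, not MyAIConsent's own code: the five field names, the minimum answer length used to reject checkbox-style answers, and the guideline wording are assumptions, and the sample assessment is constructed.

```python
"""Publish gate for an AI Twin plus embedding of the impact assessment into
the twin's system guidelines.  Illustrative code, not the platform's own;
field names, the length threshold and the guideline text are assumptions."""
from __future__ import annotations

from dataclasses import dataclass, fields

# Assumed threshold: a real answer is longer than a word or a tick.
MIN_ANSWER_CHARS = 40


@dataclass(frozen=True)
class ImpactAssessment:
    """The five structured fields: audience, harms, sensitive topics,
    accuracy and oversight (names are assumed)."""
    audience: str
    harms: str
    sensitive_topics: str
    accuracy: str
    oversight: str


def missing_fields(a: ImpactAssessment) -> list[str]:
    """Names of fields that are empty or too short to count as an answer."""
    return [f.name for f in fields(a)
            if len(getattr(a, f.name).strip()) < MIN_ANSWER_CHARS]


@dataclass
class Twin:
    name: str
    assessment: ImpactAssessment | None = None
    public: bool = False


def publish(twin: Twin) -> tuple[bool, list[str]]:
    """The gate: the twin goes public only when every field is answered.
    Returns (published, reasons) so the UI can show the owner what is missing."""
    if twin.assessment is None:
        return False, ["impact assessment not started"]
    gaps = missing_fields(twin.assessment)
    if gaps:
        return False, [f"assessment field incomplete: {g}" for g in gaps]
    twin.public = True
    return True, []


def system_guidelines(twin_name: str, a: ImpactAssessment) -> str:
    """Fold the assessment into the system guidelines, so the answers
    constrain the twin's behaviour rather than sitting in a form."""
    return "\n".join([
        f"You are the AI Twin of {twin_name}. Answer only from the documents "
        "retrieved for you and cite them.",
        f"Intended audience: {a.audience.strip()}",
        f"Harms the owner identified and that you must avoid: {a.harms.strip()}",
        f"Sensitive topics to decline and refer to a human: {a.sensitive_topics.strip()}",
        f"Accuracy limits the owner disclosed; state them when relevant: {a.accuracy.strip()}",
        f"Human oversight plan: {a.oversight.strip()}",
    ])


# Constructed sample assessment for a small accounting practice.
SAMPLE_ASSESSMENT = ImpactAssessment(
    audience="Prospective clients of a small accounting practice asking about services and office hours.",
    harms="Giving tax advice that is wrong or out of date; users acting on it without checking.",
    sensitive_topics="Individual tax returns, client financial data, legal disputes.",
    accuracy="Answers are limited to the uploaded 2025 fee schedule and FAQ; anything newer is unknown.",
    oversight="The owner reviews conversation logs weekly and can unpublish the twin at any time.",
)

if __name__ == "__main__":
    blocked = Twin("Demo Accounting")
    print(publish(blocked))                      # gate refuses: no assessment
    ready = Twin("Demo Accounting", SAMPLE_ASSESSMENT)
    print(publish(ready))                        # gate passes
    print(system_guidelines(ready.name, SAMPLE_ASSESSMENT))
```

The point of returning the list of incomplete fields, rather than a bare boolean, is that the gate doubles as the "honest gap disclosure" step: the owner is told exactly which part of the assessment is still a placeholder before the twin can be exposed to the public.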

ISO 22989 — 95%

AI Concepts and Terminology

✓ Compliant

The international standard for AI concepts and terminology. Establishes a common vocabulary for AI systems — ensuring that when MyAIConsent talks about AI Twins, RAG pipelines, consent, and governance, we use internationally recognised definitions.

What we have

  • Consistent use of ISO 22989 terminology throughout the platform
  • AI Twin defined as a knowledge-based AI system grounded in consented data by retrieval (RAG), not by model training
  • RAG (Retrieval Augmented Generation) used in its standard definition
  • Consent defined and applied in line with international data protection norms
  • Transparency about AI model identity (Claude Sonnet 4 by Anthropic)
  • Clear distinction between AI system provider and deployer roles
  • Formal terminology glossary published at /glossary
  • Internal style guide referencing ISO 22989 definitions

What is missing

  • Formal third-party terminology audit

"Shared language is the foundation of trustworthy AI. ISO 22989 ensures we are speaking the same language as regulators, auditors and enterprise customers."

GDPR — 95%

General Data Protection Regulation

✓ Compliant

The General Data Protection Regulation applies to any organisation that processes personal data of people in the EU, wherever that organisation is based. A platform run from Melbourne is in scope the moment a European user signs up.

What we have

  • Published privacy policy
  • Session-only cookies — no tracking, no advertising, no third-party pixels
  • HTTPS throughout — all data encrypted in transit
  • Two-factor authentication for all email/password users
  • Data deletion — users can delete twins, files, and their entire account
  • Data export — users can download all their personal data as a ZIP file
  • Audit logs — all admin actions recorded
  • Content never used for AI training — RAG only, your data stays yours
  • Rate limiting on all endpoints

What is missing

  • Data Processing Agreement template for enterprise customers

"At 95%, MyAIConsent is GDPR compliant for standard B2B use cases. The remaining 5% is a legal document, not a feature."

SOC 2 — 35%

Service Organization Control 2

⟳ In Progress

The most widely requested security attestation for SaaS vendors. A SOC 2 report is the outcome of an independent audit of controls against the AICPA Trust Services Criteria: security is always in scope, with availability, processing integrity, confidentiality and privacy added as the engagement requires.

What we have

  • Audit logs
  • Role-based access controls
  • Two-factor authentication
  • Rate limiting
  • HTTPS
  • Data isolation between users

What is missing

  • Formal written security policies
  • Penetration testing
  • Incident response plan
  • Vendor risk assessments
  • Independent audit and certification

"SOC 2 certification costs $20,000–$50,000 and takes 6–12 months. It is a milestone for when the platform reaches $50K+ MRR."

HIPAA — 30%

Health Insurance Portability and Accountability Act

◎ Roadmap

The US federal law governing protected health information (PHI). The hardest compliance to achieve without enterprise vendor support and a dedicated compliance budget.

What we have

  • HTTPS in transit
  • Audit logs
  • Role-based access controls
  • Data deletion capability
  • Data encryption at rest at field level (individual sensitive fields encrypted by the application before they are stored)

What is missing

  • Data encryption at rest at database level (whole-database or disk encryption, so that tables, indexes, logs and backups are covered rather than only the selected fields)
  • Business Associate Agreements with Anthropic, OpenAI, Pinecone
  • Formal risk assessment
  • Incident response and breach notification plan
  • Dedicated Privacy Officer

"If you are a healthcare provider wanting to handle PHI — I respect you too much to pretend we are ready. Let us talk about a white-label partnership instead."

Questions about compliance?

If you are evaluating MyAIConsent for enterprise use, regulated industries, or have specific compliance requirements — reach out directly.

Contact Us