What we do not claim.
Candor is the differentiator. Most vendors lead with a wall of certification badges. We'd rather tell you exactly where we stand, so you can make a real decision instead of a reassured one.
We hold no formal attestations today.
Happy Technologies has no SOC 2, FedRAMP, HITRUST, ISO 27001, or HIPAA BAA in place at this time. When we say the platform is "designed for regulated environments," that is a statement of design intent (how the architecture is built), not a certification we have earned. Formal attestations are on the roadmap and available on request as they land; we will say so plainly the day they do.
Until then, our security posture rests on something you can verify yourself: the architecture below, and an open-source governance engine you can read line by line. Verify, don't trust.
How the architecture protects you.
Six guarantees built into how the platform runs, grounded in the real HIVE Governance model, not a marketing promise.
Your data stays in your environment
Governance wraps the systems of record you already run. Nothing is exfiltrated to train third-party models. Your data, prompts, and operational context never leave your boundary to become someone else's training set.
Human-gated where it matters
Of the 34 ITIL 4 practices the platform governs, 9 are human-gated by design: a person approves before a consequential action proceeds. Every gate decision emits a receipt, so approval is recorded, not assumed.
A receipt on every governed action
Every action that runs through the 7-stage HIVE pipeline produces a full audit trail: who or what acted, under which authority, what was decided, and why. Accountability is a built-in artifact, not an afterthought you reconstruct from logs.
Open-source, inspectable engine
The governance engine is open source under Apache-2.0. You don't have to take our word for how decisions are made: read the code, audit the logic, and confirm the guarantees yourself. Verify, don't trust.
Trust tiers & earned autonomy
Autonomy is earned, never assumed. Each agent operates inside an explicit trust tier with a hard authority boundary: the AI literally cannot exceed what it has been granted. Trust expands by evidence, one tier at a time.
Runtime-agnostic governance
Governance wraps the systems of record and runtimes you already own (ServiceNow, your CMDB, your tooling) rather than forcing a rip-and-replace. Control sits over your existing stack, so adopting it doesn't widen your attack surface.
Attestations are a roadmap, not a claim.
Formal compliance work is a deliberate, sequenced effort, not a checkbox we'll quietly imply. As attestations land, we'll publish them here and make supporting documentation available on request. If you have a specific compliance requirement, tell us where you stand and we'll be straight with you about timing.
On the roadmap
SOC 2, ISO 27001 and related attestations are sequenced work. We'll mark each one the day it's real.
Available on request
Architecture docs and security posture detail are available on request today. Ask and we'll share.
Inspectable now
The open-source governance engine is verifiable today: no attestation required to read the code.
Trust you can check.
Walk the architecture with us, or see the platform's claims labelled and evidenced for yourself.
Want the evidence first? See the proof, clearly labelled →