Last updated June 2026
Compliance
Enterprise infrastructure demands enterprise-grade compliance. OmniTwin is built with security and privacy at its core, and we work with certified partners to help your organization meet its regulatory and audit requirements.
Certifications and Standards
OmniTwin does not hold SOC 2, ISO 27001, or other compliance certifications directly. Instead, we partner with accredited certification bodies and compliance consultancies who can provide these certifications for your organization when needed. Our platform is designed to support the technical controls and audit evidence these frameworks require.
SOC 2 Type II
Our partners can provide SOC 2 Type II certification covering security, availability, and confidentiality trust service criteria.
ISO 27001
We work with certified auditors who can help establish and certify your information security management system (ISMS).
GDPR
OmniTwin is designed to support GDPR requirements. Data Processing Agreements are available on request.
HIPAA
Our platform supports the technical safeguards required for HIPAA compliance. Business Associate Agreements are available through our partners.
SOC 2 Type II
OmniTwin's platform is architected to support the Security, Availability, and Confidentiality trust service criteria defined by the AICPA. While we do not hold a SOC 2 Type II certification ourselves, we work with accredited audit partners who can certify your environment.
- Platform controls: OmniTwin implements the technical controls (encryption, access management, audit logging, and monitoring) that SOC 2 audits evaluate.
- Audit readiness: Our platform generates the evidence and documentation that auditors need, including access logs, change records, and control effectiveness reports.
- Partner network: We can connect you with AICPA-accredited audit firms experienced in certifying infrastructure platforms. Contact the team to learn more.
- Continuous monitoring: OmniTwin provides automated control testing and evidence collection to support ongoing compliance between audit periods.
ISO 27001
OmniTwin's platform is designed to align with ISO/IEC 27001:2022 requirements. We do not hold this certification directly, but our architecture and operational practices support organizations pursuing ISO 27001 certification through our partner auditors.
- Aligned controls: Our platform implements controls across information security policies, risk management, asset management, access control, cryptography, and operations security.
- Cloud-specific alignment: We also align with ISO 27017 (cloud security) and ISO 27018 (protection of PII in public cloud) for additional cloud-specific controls.
- Certification partners: We work with accredited certification bodies who can guide your organization through the full ISO 27001 certification process, including surveillance audits.
GDPR
OmniTwin is designed to support compliance with the EU General Data Protection Regulation (GDPR). We process personal data lawfully, transparently, and only for specified purposes.
- Data Processing Agreement: A GDPR-compliant DPA is available for all customers and can be executed digitally. The DPA includes Standard Contractual Clauses (SCCs) for international data transfers.
- Subprocessors: We maintain a current list of subprocessors with documented security assessments for each. Customers are notified of subprocessor changes with 30 days' advance notice.
- Data subject rights: We support all GDPR data subject rights, including access, rectification, erasure, portability, and restriction of processing. Requests are fulfilled within 30 days.
- Data Protection Officer: Our DPO can be reached through our contact form for privacy-related inquiries.
HIPAA
For healthcare organizations and their business associates, OmniTwin can operate as a HIPAA-eligible service with appropriate administrative, physical, and technical safeguards.
- BAA: Business Associate Agreements are available for customers who require HIPAA compliance. Contact our team to initiate.
- Technical safeguards: Encryption, access controls, audit logging, and automatic session management meet or exceed HIPAA technical safeguard requirements.
- Administrative safeguards: Employee training, security incident procedures, and contingency planning are documented and tested regularly.
Data Residency
OmniTwin supports data residency requirements for customers with regulatory or policy constraints on where data is stored and processed.
- Regions: Primary data centers are located in the United States (US-East, US-West). A European region (EU-West) is available for customers requiring EU data residency.
- Data sovereignty: Customer data is stored and processed exclusively within the selected region. Cross-region replication occurs only within the same geographic boundary unless explicitly authorized.
- Metadata: Operational metadata (logs, metrics) is retained in the same region as customer data by default.
Audit Logging
Every action in OmniTwin is logged with full attribution, providing a complete audit trail for compliance and forensic purposes.
- All API calls, user actions, and agent operations are recorded with timestamps, actor identity, source IP, and resource identifiers.
- Audit logs are immutable once written. They cannot be modified or deleted by any user, including administrators.
- Logs are retained for a minimum of 12 months (configurable up to 7 years for regulated industries) and can be exported in standard formats (JSON, CSV) for external SIEM integration.
- Real-time log streaming is available via webhook or syslog for customers who require integration with their existing security monitoring infrastructure.
Vendor Assessments
We understand that evaluating a new vendor requires thorough due diligence. We proactively support your security review process.
- Pre-completed questionnaires: SIG Lite, CAIQ, and custom vendor assessment questionnaires are available upon request. Most standard questionnaires can be returned within 5 business days.
- Documentation package: We provide a security documentation package that includes penetration test summaries, insurance certificates, and architecture overviews.
- Security briefings: Our engineering team is available for live security architecture walkthroughs with your security and compliance teams.
Regulatory Roadmap
We are continuously expanding our compliance program to meet evolving regulatory requirements and customer needs.
- FedRAMP: Authorization process planned for 2027 to support federal government customers.
- PCI DSS: Level 1 service provider certification is on our roadmap for organizations managing payment card infrastructure.
- NIS2: Alignment with the EU Network and Information Security Directive for critical infrastructure operators.
- StateRAMP: Planned for state and local government customers requiring standardized cloud security verification.
For questions about our compliance program or to request documentation, contact the team.