Short version: we follow a documented security and privacy baseline, but we do not claim completed SOC 2 audit status, HIPAA regulated-data readiness, or formal GDPR certification. Regulated data work requires written scope, the right contracts, approved vendors, and a handling plan before access.
Plain scope
Each build gets defined systems, data types, access paths, approval gates, and retention rules before production access.
Human gates
Agents that touch money, customers, legal risk, health data, or account changes need explicit approval before action.
No fake badges
We only claim an audit, certification, or compliance status after the required external process exists.
Current status
| Framework | Public claim today | What that means |
|---|---|---|
| SOC 2 | Readiness in progress | We map internal controls to the AICPA Trust Services Criteria. We are not SOC 2 audited today, and we will not market Cronk Ai Agents as having completed SOC 2 until an independent CPA report exists. |
| HIPAA | Regulated healthcare data by written agreement only | The public intake form is not for PHI. Healthcare work that may involve PHI requires a signed BAA where applicable, vendor review, access controls, and a project-specific PHI handling plan before PHI is received. |
| GDPR | GDPR-aligned handling available by scope | For EU or UK personal data, we support data processing terms, subprocessor disclosure, access/deletion requests, minimization, retention rules, and transfer safeguards as part of the client agreement. |
Data we handle
Most projects begin with business context: company name, website, contact details, tool stack, workflow notes, goals, bottlenecks, and public-surface research if the client permits it. If a build moves forward, the signed scope defines any additional systems and data categories we can access.
Do not send PHI, payment card numbers, government IDs, account passwords, private keys, patient records, legal case files, or other regulated records through the public intake form or email unless we have signed the right agreement first.
AI data handling
We design agents around least-necessary data. That means prompts and tool calls should receive only the data required for the task. We do not use client data to train public models, and we do not intentionally route regulated data through model providers unless the vendor, product, contract, and use case have been approved for that data class.
- Low-risk tasks: drafting, summarizing, tagging, routing, and internal briefing work.
- Approval-gated tasks: customer replies, refunds, account changes, financial records, inventory decisions, health or legal workflows, and anything that could materially affect a person or business.
- Blocked by default: public intake collection of PHI, raw payment card data, passwords, private keys, or regulated records.
Security baseline
Our baseline is simple on purpose. Access is limited to people working on the engagement. Credentials belong in approved secret stores, not source code. Production systems use MFA where the vendor supports it. Client folders are separated. Sensitive projects get written data handling notes before work starts.
- Least-privilege access by project.
- MFA on core business and deployment accounts.
- Separate client folders and queue records.
- No secrets committed to the repository.
- Human review gates for high-impact agent actions.
- Incident review and client notification process for material events.
Vendors and subprocessors
Cronk Ai Agents uses a small vendor stack to host the site, receive intake, store queue records, send alerts, book calls, process payments, and build agents. Vendor use depends on the project scope. Regulated data projects require a vendor review before any regulated data moves.
For clients with formal procurement or privacy review, email [email protected] for the current subprocessor list and data-flow notes.
HIPAA position
HIPAA applies to covered entities and business associates. The public Cronk Ai Agents website and intake form are not configured to receive PHI. If a healthcare project requires PHI, we treat that as a separate regulated scope.
Before receiving PHI, the project needs the right written agreement, a BAA where applicable, vendor coverage review, minimum-necessary data rules, access controls, retention rules, and breach response steps.
SOC 2 position
SOC 2 is an independent audit report for service organizations. Until a CPA firm completes the audit, our public wording is limited to readiness and alignment. The right phrase today is: "We maintain a security program aligned with SOC 2 Trust Services Criteria and are preparing for a future audit."
The wrong move today is to market Cronk Ai Agents as having completed SOC 2. We will only use audit-status language after an appropriate independent report exists.
GDPR position
For EU and UK personal data, project scope needs to identify whether Cronk Ai Agents is acting as a controller, processor, or subprocessor. Client processing work should include documented instructions, approved subprocessors, retention rules, access/deletion support, and transfer safeguards where needed.
The public site gives visitors access, correction, deletion, and export request paths through [email protected].
Framework references
These are the public frameworks we use for wording and internal readiness work:
- HHS: Covered Entities and Business Associates
- HHS: Summary of the HIPAA Security Rule
- HHS: HIPAA Breach Notification Rule
- AICPA: SOC 2 Description Criteria
- European Commission: Data protection explained
- EDPB: Controller, processor, and subprocessor roles
- OPC Canada: PIPEDA fair information principles
Security or privacy questions
Email [email protected]. For a live engagement, include the client name, project name, and the data class you are asking about so we can answer against the right scope.