Legal & Trust Center

Enterprise-ready legal, privacy, and trust documentation.

One location for legal, compliance, procurement, and security reviewers evaluating HavenOPS as an Operational Intelligence Platform. Executable templates and evidence packages are available under NDA.

Core legal documents

Terms, Privacy, DPA & BAA.

Current versioned documents governing customer use of HavenOPS. Full executable templates are provided on request.

Terms of Service

Customer subscription terms, acceptable use, AI-assisted feature terms, and service commitments.

v1.0Effective 2026-06-01
Read Terms of Service

Privacy Policy

How HavenOPS collects, uses, and protects personal data, including HIPAA and AI processing disclosures.

v1.0Effective 2026-06-01
Read Privacy Policy

Data Processing Agreement

Processor obligations, sub-processors, and cross-border transfer commitments.

v1.0Effective 2026-06-01
Read Data Processing Agreement

Business Associate Agreement

HIPAA-aligned business associate commitments for covered entities and their associates.

v1.0Effective 2026-06-01
Read Business Associate Agreement
Trust resources

Security, AI, and compliance transparency.

The commitments and disclosures behind HavenOPS. Each section below anchors on this page and links out to detailed pages where available.

Security overview

Tenant isolation, encryption, access controls, monitoring, and incident response.

Learn more

AI transparency

Where AI is used across HavenOPS, what data it processes, and where human review is required.

Read below

Compliance readiness

How HavenOPS supports HIPAA, state licensure, accreditation, and payer requirements.

Read below

Responsible AI statement

The principles guiding how HavenOPS designs, deploys, and governs AI-assisted features.

Read below

Shared responsibility

What HavenOPS secures, what customers configure, and how those responsibilities meet in the middle.

Read below

Contact legal

Redlines, procurement coordination, DPA/BAA templates, and privacy inquiries.

Learn more
AI transparency

Where AI is used, and where it isn't.

HavenOPS uses AI-assisted features to accelerate work that would otherwise be manual: drafting policy language, generating training modules from source materials, summarizing operational data, recommending workflow steps, and surfacing compliance-readiness signals. AI is a drafting and analysis assistant, not a decision-maker.

  • Human review is required before any AI output is relied upon for clinical care, compliance filings, billing, workforce decisions, or contractual commitments.
  • Customer PHI is never used to train foundation models operated by HavenOPS or its sub-processors.
  • Tenant isolation applies to AI as it does elsewhere. AI features run within a customer's tenant boundary, using only that customer's data unless the customer explicitly opts into a shared knowledge source.
  • Model providers are sub-processors. Data transferred to model providers is governed by written data-protection terms and, where applicable, the BAA.
  • AI outputs are auditable. Approvals, edits, and acknowledgments are captured in append-only audit trails.
Responsible AI statement

Human-approved AI, by design.

HavenOPS designs AI-assisted features to keep humans in the loop for every consequential decision. Our responsible AI principles:

  • Assistive, not autonomous. HavenOPS does not present AI output as final. Operational actions require an accountable human approver.
  • Grounded and cited. AI outputs are generated against governed customer sources where practical, and cite the sources they draw from.
  • Governed knowledge. Customers approve which sources are used, and can revoke sources at any time.
  • No model training on customer data. Customer PHI and Customer Confidential Data are excluded from foundation-model training.
  • Auditable. Prompts, model outputs, edits, and approvals are captured in the operational record.
  • Bias and safety review. AI features are reviewed for known failure modes before release, and are gated by human approval workflows in production.
Compliance readiness

Built to support regulated operators.

HavenOPS is designed to help behavioral healthcare and other regulated operators demonstrate compliance readiness. Certifications are pursued in stages as the customer base expands.

  • HIPAA. Business Associate Agreements are available; safeguards align to the HIPAA Security Rule.
  • State licensure & accreditation. Workflows, policies, and training packs are structured to support Joint Commission, CARF, and state department expectations.
  • SOC 2. SOC 2 Type II readiness is in-flight; a bridge letter and status update are available on request during the audit window.
  • Data protection. GDPR/UK GDPR Standard Contractual Clauses and processor commitments are documented in the DPA.
  • Evidence packages. Trust Packet, security questionnaire (CAIQ-Lite), and evidence exports are available under NDA.

HavenOPS does not guarantee any specific regulatory outcome. Compliance is a shared responsibility between the platform and the customer.

Shared responsibility

What HavenOPS secures. What customers configure.

HavenOPS is responsible for

  • Platform security architecture, tenant isolation, and RLS enforcement.
  • Infrastructure hosting, patching, network security, and monitoring.
  • Encryption in transit and at rest, key management, and secret hygiene.
  • Backups, disaster recovery, and business continuity of the platform.
  • Sub-processor management, vetting, and contractual data protection.
  • Incident response for events affecting the platform.
  • Governance of AI-assisted features, model access, and audit logging.

Customer is responsible for

  • Configuring roles, entitlements, and user provisioning within its tenant.
  • Managing authorized-user accounts, credential hygiene, and MFA enforcement.
  • Approving AI outputs and workflow content before operational use.
  • Determining which sources contribute to governed knowledge.
  • Meeting customer-specific regulatory obligations (HIPAA, state, payer).
  • Notifying HavenOPS of suspected compromises or misuse.
  • Exporting or requesting deletion of Customer Data within retention windows.
Coming soon

Additional trust documentation in flight.

The resources below are in preparation. Contact legal@havenops.io to receive interim content under NDA.

Subprocessors

Public list of sub-processors, purposes, and regions. Available on request today.

Coming soon
Security Whitepaper

Extended technical detail on architecture, controls, and audit posture.

Coming soon
Trust Center

Real-time control attestations, questionnaire responses, and evidence downloads.

Coming soon
SOC reports

SOC 2 Type II report and bridge letters, distributed under NDA.

Coming soon
HIPAA information

Public summary of HIPAA safeguards, BAA scope, and audit posture.

Coming soon
Accessibility statement

Our conformance goals against WCAG 2.1 AA and how to report accessibility issues.

Coming soon
Cookie policy

Detailed categories, providers, retention, and in-region consent controls.

Coming soon
Procurement support

Request executable templates.

Full DPA and BAA templates, sub-processor list, security questionnaire (CAIQ-Lite), Trust Packet, and insurance certificates are available for legal and procurement review under NDA.

Need something else for your legal review?

Our legal team can provide redlines, custom MSAs, and security questionnaires within standard procurement timelines.

Powered by HavenOps