Compliance
Hyrax is built and operated by Iru. Hyrax is in scope as an additional product under Iru's SOC 2 Type II program: the audit report is issued by Iru, and Hyrax is the technical scope inside it. Evidence collection accrues from the start of the Type II observation period on 2026-06-08 (customer launch was 2026-06-01).
Scope at a glance: the SOC 2 system is the Hyrax production environment only; non-production environments are outside the boundary and do not process production customer data.
Auditor-facing artifacts (available under NDA — request via security@hyrax.dev):
- System boundary — explicit in-scope / out-of-scope statement.
- Controls matrix — how Hyrax implements each SOC 2 Trust Services Criterion.
- Iru control matrix — how Iru's internal control set maps to the Hyrax implementation.
- SOC 2 action items — outstanding work + annual evidence tracking.
- Launch readiness — summary of the controls implemented before launch.
What you can request
- SOC 2 status & evidence. Hyrax's Type II observation window opened 2026-06-08 (runs ~12 months, through 2027-06-08); the first Type II report issues after that window closes. In the meantime we can share the system boundary, the controls matrix, and other interim evidence under NDA. Email security@hyrax.dev or your account team.
- Article 28 DPA. Iru's data-processing agreement covers Hyrax; the third parties Hyrax relies on are disclosed as sub-processors. Standard contractual clauses (SCCs) are included where applicable.
- Sub-processor list. See Sub-processors for the authoritative catalog and the data-handling boundary at each one.
- Data handling & security. See Security for what we store, how it's protected, and how to delete it. The full data-handling, retention, and erasure description is available under NDA.
How to report a security or compliance issue
Email security@hyrax.dev. We acknowledge within one business day and aim for an initial assessment within five business days. Please give us reasonable time to remediate before public disclosure.
Standards in scope
| Standard | Status | Notes |
|---|---|---|
| SOC 2 Type II | Observation period begins 2026-06-08 | First report covers the 2026-06-08 → 2027-06-08 observation window |
| GDPR | Compliant | You are the data controller; Iru (Hyrax) acts as your data processor, with the vendors listed in Sub-processors as sub-processors. DPA and lawful-bases statement available on request |
| CCPA / CPRA | Compliant | DSAR requests honored case-by-case at launch |
| ISO 27001 | Not pursued | No active roadmap |
| HIPAA | Not in scope | Hyrax does not process PHI |