Skip to main content

Compliance

Hyrax is built and operated by Iru. Hyrax is in scope as an additional product under Iru's SOC 2 Type II program: the audit report is issued by Iru, and Hyrax is the technical scope inside it. Evidence collection accrues from the start of the Type II observation period on 2026-06-08 (customer launch was 2026-06-01).

Scope at a glance: the SOC 2 system is the Hyrax production environment only; non-production environments are outside the boundary and do not process production customer data.

Auditor-facing artifacts (available under NDA — request via security@hyrax.dev):

  • System boundary — explicit in-scope / out-of-scope statement.
  • Controls matrix — how Hyrax implements each SOC 2 Trust Services Criterion.
  • Iru control matrix — how Iru's internal control set maps to the Hyrax implementation.
  • SOC 2 action items — outstanding work + annual evidence tracking.
  • Launch readiness — summary of the controls implemented before launch.

What you can request

  • SOC 2 status & evidence. Hyrax's Type II observation window opened 2026-06-08 (runs ~12 months, through 2027-06-08); the first Type II report issues after that window closes. In the meantime we can share the system boundary, the controls matrix, and other interim evidence under NDA. Email security@hyrax.dev or your account team.
  • Article 28 DPA. Iru's data-processing agreement covers Hyrax; the third parties Hyrax relies on are disclosed as sub-processors. Standard contractual clauses (SCCs) are included where applicable.
  • Sub-processor list. See Sub-processors for the authoritative catalog and the data-handling boundary at each one.
  • Data handling & security. See Security for what we store, how it's protected, and how to delete it. The full data-handling, retention, and erasure description is available under NDA.

How to report a security or compliance issue

Email security@hyrax.dev. We acknowledge within one business day and aim for an initial assessment within five business days. Please give us reasonable time to remediate before public disclosure.

Standards in scope

StandardStatusNotes
SOC 2 Type IIObservation period begins 2026-06-08First report covers the 2026-06-08 → 2027-06-08 observation window
GDPRCompliantYou are the data controller; Iru (Hyrax) acts as your data processor, with the vendors listed in Sub-processors as sub-processors. DPA and lawful-bases statement available on request
CCPA / CPRACompliantDSAR requests honored case-by-case at launch
ISO 27001Not pursuedNo active roadmap
HIPAANot in scopeHyrax does not process PHI