Security architecture
See full design controls, cryptographic controls, and disclosure process on Security.
ANIMA Trust Center
One architecture. Two products. Defensible controls for ANIMA Verify and ANIMA Identity.
Executive summary
ANIMA is built for bot resistance and identity eligibility verification with zero-tracking architecture and explicit legal/compliance boundaries. This page is the source of truth for trust, control status, and procurement references.
Certification and framework status
| Framework | Status | Notes |
|---|---|---|
| SOC 2 Type II | Audit in progress | Target Q4 2026. |
| ISO 27001 | Gap assessment in progress | Scope documentation underway. |
| FedRAMP Low authorization | Pursuing authorization | Not currently FedRAMP authorized. |
| HIPAA | Suitable under BAA | ANIMA does not process PHI. |
| GDPR | Designed to minimize Art. 4 processing | DPIA summary available under NDA. |
| CCPA/CPRA | Aligned controls | No sale of personal information. |
Sub-processors
- Railway (application hosting)
- Lemon Squeezy (payments)
- Resend (email)
- Supabase/PostgreSQL (data storage)
- Zoho (business operations)
DPA and privacy
Incident response
72-hour GDPR breach notification target where applicable. Current target RTO 4h / RPO 1h for production incidents.
Vulnerability disclosure
See security.txt and Security policy.
Accessibility
See Accessibility statement for WCAG 2.2 AA commitment and known limitations.
Audit reports and NDA process
Control narratives, architecture dossiers, and assurance evidence are available to qualified enterprise buyers under NDA via enterprise procurement workflows.
Last updated: 2026-04-17