
Trust Center

Trust, security & compliance at Shiftify.

A single source of truth for what ships today, the infrastructure that backs it, the frameworks we're building toward, and how we handle AI. Plain-spoken, honest about what's certified and what isn't.

Building toward independent attestation. No certifications held today.

01 · What ships today

Real controls. Live in production.

These controls protect customer data on the Shiftify platform today. They are not aspirational and do not depend on a future audit.

Encryption everywhere

TLS 1.2+ in transit and AES-256 at rest. Application-layer field encryption on the most sensitive PII.

MFA & role-based access

MFA on every account. Least-privilege roles enforced server-side. Permissions are domain-scoped and reviewable.

Full audit trail

Every domain emits structured, append-only audit events. Tamper-evident, retention-tagged, query-ready for evidence requests.

Secure development life cycle

Branch protection, mandatory code review, signed releases. Dependency and secrets scanning on every change.

02 · Infrastructure & sub-processors

What we run on, who we trust, what's signed.

Shiftify is built on top of independently certified infrastructure. The certifications below belong to those providers, not to Shiftify. Shiftify-level certifications are on the roadmap.

Google Cloud Platform (US regions)
  Role: Compute, storage, identity, encryption, audit logging
  Certifications: SOC 1 / 2 / 3 · ISO 27001 · ISO 27017 · ISO 27018 · ISO 27701 · ISO 42001 · HIPAA-eligible · PCI DSS · FedRAMP
  BAA: Signed

Google Workspace (US regions)
  Role: Internal email, documents, identity, device management
  Certifications: SOC 1 / 2 / 3 · ISO 27001 · ISO 27017 · ISO 27018 · ISO 27701 · HIPAA · FedRAMP
  BAA: Signed

GitHub Enterprise (source and CI)
  Role: Source control, branch protection, code review, deployment governance
  Certifications: SOC 1 / 2 Type II · ISO 27001
  BAA: N/A (no PHI is processed there)

Sub-processor changes will be published here at least 30 days before they take effect. To subscribe to change notifications, see "Sub-processor change notifications" under section 05, Reporting a concern.

03 · Framework posture

Where we are, where we're heading.

Shiftify holds no certifications today. Each framework below describes posture and design intent, with a target window for independent attestation.

SOC 2 Type II

Security, Availability, Confidentiality, Processing Integrity, Privacy. Trust Services Criteria 2017 (rev. 2022).

Target observation window: 2026

Building toward readiness

ISO/IEC 27001:2022

Information Security Management System covering Annex A controls applicable to a regulated SaaS platform.

Target: post-SOC 2

Roadmap

ISO/IEC 42001:2023

AI Management System covering bounded agent design, evaluation, monitoring, and human accountability.

Target: alongside ISO 27001

Roadmap

HIPAA

Healthcare data handling. BAA in place with Google for the underlying platform; Shiftify-level controls are designed against the HIPAA Security Rule.

Designing toward, with BAA-covered infrastructure

Aligned by design

GDPR

EU General Data Protection Regulation. Data subject rights, lawful basis, processor obligations, and cross-border transfer mechanisms designed in from day one.

Designing toward, ahead of EU customer demand

Aligned by design

EU AI Act

Risk-tiered AI governance. Bounded agent scope, human oversight on high-risk decisions, transparency, and post-market monitoring align with the obligations for limited- and high-risk AI systems.

Tracking phased enforcement, 2025 to 2027

Roadmap

04 · How we use AI

Bounded agents. Human-accountable decisions.

Shiftify uses AI to accelerate the right decisions, not to replace the people who make them. The principles below govern every AI-driven feature on the platform.

AI agents on Shiftify recommend, route, and surface insight. They do not unilaterally approve hires, terminate placements, or change pay rates. High-risk decisions sit with a named human, by design.

  • Bounded scope. Each agent operates inside a documented capability, with explicit allow-lists for what it can read and write.
  • Human accountability on high-risk decisions. Hire, fire, pay, and credential decisions require a named human approver.
  • Reviewable outputs. Every model invocation logs its inputs, prompts, model version, and output for evidence and dispute.
  • Eval before launch. New agents pass a structured evaluation against representative cases before they reach production.
  • No training on customer data. Customer data is not used to train third-party foundation models.
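As an added illustration, not Shiftify's code and not a description of how the platform is built, of the properties claimed for the audit trail in section 01 and for the bounded-scope, human-approver and reviewable-output points above: a policy gate that enforces per-agent read and write allow-lists, refuses hire, fire, pay and credential actions that arrive without a named human approver, and records every decision (allowed or denied) with prompt, model version and output in an append-only, hash-chained log whose verify() call catches edits and deletions. The agent names, action names, resource names, the HIGH_RISK set, the scenario in demo() and the SHA-256 chaining scheme are all assumptions made for the example.

```python
"""Bounded-agent gate with a hash-chained audit log.

Illustrative example only; not Shiftify code. Agent, action and resource
names, the HIGH_RISK set and the JSON/SHA-256 chaining scheme are assumptions.
"""
import hashlib
import json
from dataclasses import dataclass

# Hypothetical action names for the decision types the page reserves to humans
# (hire, fire, pay, credential).
HIGH_RISK = {"approve_hire", "terminate_placement", "change_pay_rate", "change_credential"}
GENESIS = "0" * 64  # prev_hash of the first entry


@dataclass(frozen=True)
class AgentPolicy:
    """Documented capability for one agent: explicit read and write allow-lists."""
    name: str
    can_read: frozenset
    can_write: frozenset


class AuditLog:
    """Append-only log where each entry commits to the previous entry's hash,
    so changing or removing any earlier entry breaks verification."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        # Canonical JSON (sorted keys) so identical content hashes identically.
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, event):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "prev_hash": prev, **event}
        entry["hash"] = self._digest(entry)  # hash covers seq, prev_hash and payload
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Recompute every link. Returns (True, None) or (False, index_of_first_bad_entry)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev_hash"] != prev or self._digest(body) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, None


class AgentGate:
    """Server-side enforcement point that every agent action passes through."""

    def __init__(self, policies, log):
        self.policies = {p.name: p for p in policies}
        self.log = log

    def invoke(self, agent, action, resource, mode, prompt, output, model_version, approver=None):
        policy = self.policies.get(agent)
        if policy is None:
            decision = "denied: unknown agent"
        elif mode == "read" and resource not in policy.can_read:
            decision = "denied: resource not in read allow-list"
        elif mode == "write" and resource not in policy.can_write:
            decision = "denied: resource not in write allow-list"
        elif action in HIGH_RISK and not approver:
            decision = "denied: high-risk action requires a named human approver"
        else:
            decision = "allowed"
        # Log the decision either way, with the fields the page says are retained.
        self.log.append({
            "agent": agent, "action": action, "resource": resource, "mode": mode,
            "prompt": prompt, "model_version": model_version, "output": output,
            "approver": approver, "decision": decision,
        })
        return decision


def demo():
    """Constructed scenario: a scheduler may only write recommendations; a payroll
    assistant may write payroll but cannot change pay without a named approver.
    Then an after-the-fact edit of one log entry is detected by verify()."""
    log = AuditLog()
    gate = AgentGate([
        AgentPolicy("scheduler", frozenset({"shifts", "staff"}), frozenset({"recommendations"})),
        AgentPolicy("payroll_assistant", frozenset({"timesheets"}), frozenset({"payroll"})),
    ], log)
    results = [
        gate.invoke("scheduler", "recommend_fill", "recommendations", "write",
                    "Fill the open night shift", "suggest staff #12", "m-2025-01"),
        gate.invoke("scheduler", "change_pay_rate", "payroll", "write",
                    "Raise rate for #12", "+5%", "m-2025-01"),
        gate.invoke("payroll_assistant", "change_pay_rate", "payroll", "write",
                    "Raise rate for #12", "+5%", "m-2025-01"),
        gate.invoke("payroll_assistant", "change_pay_rate", "payroll", "write",
                    "Raise rate for #12", "+5%", "m-2025-01", approver="j.doe"),
    ]
    ok_before, _ = log.verify()
    log.entries[1]["decision"] = "allowed"  # simulate tampering with a stored denial
    ok_after, bad = log.verify()
    return results, ok_before, ok_after, bad
```

The ordering of checks matters: scope (the allow-list) is tested before risk, so an agent can never reach the approver check for a resource it was never granted, and the human-approver requirement is keyed on the action, not on who asks, so a payroll agent that legitimately writes payroll still cannot change a rate on its own.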

05 · Reporting a concern & getting in touch

If you see something, tell us.

Security researchers, customers, and the public can report a concern through the channels below. We acknowledge every report and respond within five business days.

Security & vulnerability disclosure

Report a suspected vulnerability, data exposure, or security concern. Coordinated disclosure preferred.

security@shiftify.us

Privacy & data subject requests

Access, correction, deletion, or portability requests for personal data Shiftify processes.

privacy@shiftify.us

Compliance & audit inquiries

Customer due diligence, security questionnaires, evidence requests, BAA paperwork.

compliance@shiftify.us

Sub-processor change notifications

Subscribe to receive 30-day advance notice whenever Shiftify adds, changes, or removes a sub-processor.

trust@shiftify.us