
PurfectShield Compliance

How Shield maps to SOC 2, HIPAA, GDPR, and ISO 27001 — with tamper-evident audit trails, data residency enforcement, and the evidence your auditors need.

Compliance-Ready AI Infrastructure

Regulated organizations can't just "turn on AI" — they need evidence that security controls are in place and operating correctly. PurfectShield provides the technical enforcement layer that maps directly to compliance framework requirements, producing auditor-ready evidence without slowing down your developers.

Shield doesn't replace your compliance program — it strengthens it. Your policies define the rules; Shield enforces them automatically at the AI boundary. Every redaction, every blocked request, every policy change is recorded in a tamper-evident log that auditors can verify independently.

Tamper-Evident Logs

Hash-chained audit trail proves every security decision. Any alteration breaks the chain — immediately detectable by auditors.

Data Residency

Geo-fencing rules keep regulated data within approved jurisdictions. Block or redact requests to non-compliant regions automatically.

Framework Mapping

Controls map directly to SOC 2 common criteria (audit logging and monitoring evidence is typically cited under CC7.2, access control under CC6.x), HIPAA § 164.312(b), GDPR Art. 32, and ISO 27001 A.12.4 (2013 edition; A.8.15 in ISO 27001:2022). No translation layer is needed.

Source Delivered

You own and operate the code. No third-party cloud dependency. Full visibility into how security decisions are made — auditors love this.

Ready to close your compliance gap for AI?

Auditor-ready evidence. Framework-mapped controls. One binary, one env var, zero cloud dependencies.


Frequently Asked Questions

PurfectShield itself is source-delivered software that runs on your infrastructure; you own and operate it. SOC 2 applies to service organizations, not to software products you self-host, so there is no "SOC 2 certified" Shield. What Shield provides is the technical controls that map to SOC 2 criteria: tamper-evident audit trails (evidence typically cited under CC7.2, system monitoring), access controls on filter pack management (CC6.x, logical access), and evidence generation for your auditor. Your SOC 2 report covers your organization; Shield gives you the tooling to demonstrate those controls are in place for your AI workloads.
No single tool makes you HIPAA compliant. Shield supports your HIPAA compliance program by providing: (1) tamper-evident logging that maps to audit control requirements (45 CFR § 164.312(b)), (2) PII/PHI redaction that prevents protected health information from reaching external LLM providers, and (3) data residency enforcement that keeps sensitive data within your infrastructure. You still need policies, BAAs, workforce training, and the rest of your compliance program — Shield is the technical enforcement layer.
GDPR Article 32 requires 'appropriate technical and organizational measures' to ensure a level of security appropriate to the risk. Shield provides: automated PII detection and redaction before data leaves your environment (data minimization), tamper-evident logs that demonstrate your security measures operated correctly (accountability), and configurable data residency rules that prevent EU personal data from being processed in jurisdictions without an adequacy decision. The audit trail supplies evidence for, but does not replace, your Art. 30 record of processing activities: that record is a maintained register of purposes, data categories, recipients, transfers and retention periods, whereas the log shows what actually happened on each request.
Yes. Shield's Enterprise tier includes geo-fencing rules: you can configure filter packs to block or redact requests based on the destination model provider's region. Want to ensure no data flows to providers outside the EU? Shield checks the configured endpoint against your residency policy before the request leaves the host. This matters for GDPR transfer restrictions (including the post-Schrems II requirements for transfers outside the EEA) and for any organization handling data subject to sovereignty laws. Note what the check covers: it is applied to the endpoint you configure, so it controls where you send data. Where the provider stores or processes data after receipt is governed by your DPA and transfer mechanism, not by Shield.
Shield's Compliance tier produces a hash-chained, append-only audit log that records: every redaction event (timestamp, filter type, matched pattern), every policy change (who modified which filter pack and when), every blocked request (why it was blocked, which rule triggered), and a daily chain integrity hash. This log is exportable in JSON and CSV formats, with optional S3 federation for centralized collection. Because each block contains the hash of the previous block, altering any stored entry breaks every link after it, and an auditor can verify the whole chain in minutes. One caveat a practitioner should keep in mind: the chain proves that the entries you hold were not modified after they were written. Truncating the tail, or rewriting an entry and recomputing every later hash, is only detectable if the daily integrity hash is kept somewhere the log writer cannot modify, such as the federated S3 copy or your SIEM. Store the anchor off-host.
Shield generates a 'liveness attestation': a periodic heartbeat entry in the audit log that shows the proxy was up and processing requests. Combined with the hash chain, this creates a continuous, verifiable record, and a gap between heartbeats longer than the configured interval marks a period for which you have no coverage evidence and should investigate. For Enterprise deployments, you can federate these attestations to your SIEM (Splunk, Datadog, Elastic) for correlation with your existing monitoring.
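The two answers above describe a hash-chained audit log with a daily integrity hash and heartbeat entries. The following Python is an added illustration of that design, not PurfectShield's own code: it builds an append-only chain over constructed sample entries, verifies every link, shows which manipulations a bare chain catches (editing a stored entry) and which it does not (truncation, or a full rewrite by someone who controls the log store) unless the chain head was anchored off-host, and flags heartbeat gaps. The block layout, field names, entry types and sample values are assumptions made for the example.

```python
"""Hash-chained, append-only audit log with off-host anchoring and liveness gap checks.

Added illustration, not PurfectShield's code. Block layout, field names and the
sample entries below are assumptions for the example.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # prev_hash of the first block


def _canonical(obj) -> bytes:
    # Deterministic serialization: key order and whitespace must not affect the hash.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _block_hash(seq: int, prev_hash: str, entry: dict) -> str:
    # Each block commits to its position, its predecessor's hash and its own content.
    return hashlib.sha256(_canonical({"seq": seq, "prev_hash": prev_hash, "entry": entry})).hexdigest()


def append_entry(chain: list, entry: dict) -> dict:
    """Append one audit entry; the log is only ever extended, never edited in place."""
    seq = len(chain)
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    block = {"seq": seq, "prev_hash": prev_hash, "entry": entry,
             "hash": _block_hash(seq, prev_hash, entry)}
    chain.append(block)
    return block


def verify_chain(chain: list, anchored_head=None):
    """Return (ok, first_bad_seq). Re-derives every hash and checks every link; if an
    anchored head (the integrity hash exported off-host) is given, the final hash
    must also match it."""
    prev_hash = GENESIS
    for i, block in enumerate(chain):
        if block["seq"] != i or block["prev_hash"] != prev_hash:
            return False, i
        if _block_hash(i, prev_hash, block["entry"]) != block["hash"]:
            return False, i
        prev_hash = block["hash"]
    if anchored_head is not None and prev_hash != anchored_head:
        # Internally consistent, but not the chain that was anchored: the tail was
        # dropped or the history was rewritten with every later hash recomputed.
        return False, len(chain)
    return True, None


def rewrite_history(chain: list, seq: int, new_entry: dict) -> list:
    """What an attacker with write access to the log store can do: swap one entry and
    recompute all later hashes so every link still checks. Only the anchor catches it."""
    rebuilt = []
    for i, block in enumerate(chain):
        append_entry(rebuilt, new_entry if i == seq else block["entry"])
    return rebuilt


def heartbeat_gaps(chain: list, max_gap_seconds: int) -> list:
    """Liveness check: intervals between consecutive heartbeats longer than max_gap_seconds."""
    beats = [datetime.fromisoformat(b["entry"]["ts"])
             for b in chain if b["entry"]["type"] == "heartbeat"]
    return [(a.isoformat(), b.isoformat())
            for a, b in zip(beats, beats[1:]) if (b - a).total_seconds() > max_gap_seconds]


def build_sample_chain() -> list:
    """Constructed sample entries standing in for one short run of the proxy."""
    t0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
    ts = lambda minutes: (t0 + timedelta(minutes=minutes)).isoformat()
    entries = [
        {"ts": ts(0), "type": "heartbeat"},
        {"ts": ts(2), "type": "redaction", "filter": "pii.email", "pattern": "email_rfc5322"},
        {"ts": ts(5), "type": "heartbeat"},
        {"ts": ts(7), "type": "policy_change", "actor": "alice", "pack": "hipaa-phi", "change": "enable"},
        {"ts": ts(10), "type": "heartbeat"},
        {"ts": ts(12), "type": "blocked", "rule": "residency.eu_only", "reason": "endpoint region us-east-1"},
        {"ts": ts(25), "type": "heartbeat"},  # 15 minutes after the previous beat
    ]
    chain = []
    for entry in entries:
        append_entry(chain, entry)
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    anchor = chain[-1]["hash"]  # the daily integrity hash, exported off-host
    print("intact:", verify_chain(chain, anchor))

    edited = build_sample_chain()
    edited[3]["entry"]["actor"] = "mallory"  # alter a stored entry without touching hashes
    print("edited entry:", verify_chain(edited, anchor))

    truncated = chain[:-2]  # drop the newest blocks; every remaining link still checks
    print("truncated, no anchor:", verify_chain(truncated))
    print("truncated, with anchor:", verify_chain(truncated, anchor))

    rewritten = rewrite_history(chain, 3, dict(chain[3]["entry"], actor="mallory"))
    print("rewritten, no anchor:", verify_chain(rewritten))
    print("rewritten, with anchor:", verify_chain(rewritten, anchor))

    print("heartbeat gaps over 5 min:", heartbeat_gaps(chain, 300))
```

The point of the last two cases is the operational one: a verifier that only walks the links accepts a truncated or consistently rewritten chain, so the exported daily hash must live in a store the proxy host cannot write to before the chain is worth anything to an auditor.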