A–Z
14 entries
BAA (Business Associate Agreement)
A HIPAA-mandated contract between a covered entity (typically a healthcare provider) and a vendor that processes PHI on its behalf. The BAA enumerates permitted uses, security controls, the breach-notification SLA and subcontractor flow-down requirements. Signing a BAA without supporting controls is a federal compliance violation.
SLAtech: SLAtech executes BAAs only on the Enterprise tier, where SLA-backed single-tenant infrastructure can support the underlying control requirements. Request via [email protected].
COPPA
Children's Online Privacy Protection Act (US, 1998). Restricts collection of personal information from children under 13 without verifiable parental consent. Applies to operators of websites or online services directed at children, or those with actual knowledge that they are collecting from children.
SLAtech: SLAtech products are not directed at children under 13. SLAtech Education customers serving primary-school audiences must ensure COPPA-compliant parental-consent workflows upstream of the chatbot, typically handled by the school's existing SIS.
DPA (Data Processing Agreement)
Contract required by GDPR Article 28 between a data controller and a data processor. Specifies the nature and purpose of processing, the types of personal data, the duration, the processor's obligations (confidentiality, security, sub-processors, breach notification, audit cooperation) and data return / deletion at contract end.
SLAtech: DPA template available on signup. Custom DPAs negotiated for the Enterprise tier. The standard DPA references SCC 2021/914 for transfers and enumerates all current sub-processors.
FERPA
Family Educational Rights and Privacy Act (US, 1974). Restricts disclosure of student education records by federally funded educational institutions. Key exception: "school officials with a legitimate educational interest", under which a chatbot vendor can be covered if the contract designates it a school official.
SLAtech: SLAtech Education contracts include FERPA school-official designation language where applicable. PII (student names, IDs, grades) is redacted at ingest before LLM calls; transcripts are logged only with aggregate metadata.
GDPR
General Data Protection Regulation (EU 2016/679). Regulates processing of personal data of EU residents regardless of where the controller or processor is located. Articles 6 (lawful basis), 7 (consent), 17 (right to erasure), 28 (processor obligations) and 32 (security of processing) are the most relevant to chatbot vendors.
SLAtech: GDPR-compliant by default: EU-hosted infrastructure (Azure West/North Europe), DPA executed on signup for Enterprise, DSR portal in the admin platform, sub-processor list at /en/sub-processors/, SCC 2021/914 for transfers outside the EEA.
HIPAA
Health Insurance Portability and Accountability Act (US, 1996). Regulates handling of protected health information (PHI) by covered entities and their business associates. Requires administrative, physical and technical safeguards: access control, audit trails, encryption at rest and in transit, breach notification within 60 days.
SLAtech: SLAtech Medical is BAA-eligible on the Enterprise tier with a single-tenant deployment option. Multi-tenant tiers (Starter/Pro) are not BAA-covered; they are appropriate for non-PHI workloads such as appointment intake before clinical context is captured.
ISO 27001
International standard for an Information Security Management System (ISMS). Annex A enumerates 93 controls across organisational, people, physical and technological domains. Certification involves a Stage 1 documentation audit, a Stage 2 controls audit and annual surveillance audits. Often paired with ISO 27017 (cloud-specific) and ISO 27018 (PII in the cloud).
SLAtech: ISO 27001 certification targeted Q4 2026. ISMS scope = production infrastructure + customer-data processing systems. Statement of Applicability (SoA) available to Enterprise buyers under NDA.
NIS2
Network and Information Security Directive 2 (EU 2022/2555). Expands cybersecurity obligations to a broader set of "essential" and "important" entities, including digital infrastructure and managed services. The member-state transposition deadline was October 2024; enforcement is ramping up in 2026.
SLAtech: SLAtech is classified as a managed service provider under NIS2 for several Enterprise customers. The incident-notification SLA (within 24 hours for significant incidents) is reflected in the standard MSA. NIS2 risk-management documentation is available to designated essential-entity customers.
PCI-DSS
Payment Card Industry Data Security Standard. Mandatory for any organisation that stores, processes or transmits cardholder data. PCI-DSS 4.0 (effective March 2025) introduces a customised approach for compensating controls. SAQ-A applies to merchants that fully outsource card handling to a PCI-compliant processor.
SLAtech: SLAtech does not store, process or transmit cardholder data; payments are handled exclusively by Paddle / RewirePay (PCI-DSS Level 1 service providers). SAQ-A applies; SLAtech operates as a merchant, not a PCI entity.
PHI (Protected Health Information)
Any individually identifiable health information held or transmitted by a HIPAA covered entity or business associate. Includes 18 specific identifiers: name, address, date of birth, medical record number, biometric identifiers, full-face photographs and more. PHI redaction is a common compliance pattern for AI workloads that must run on multi-tenant infrastructure.
SLAtech: SLAtech Medical ships an ingest-time PHI redactor that masks national IDs, EU phone formats and medical record numbers before any LLM call. The redactor runs in EU infrastructure; sub-processors (OpenAI, Cohere) never see raw PHI.
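The ingest-time redaction pattern described in this entry and in the FERPA entry above (mask identifiers before the LLM call, log only aggregate metadata), as an added Python example that is not SLAtech's code. The identifier regexes, the MRN shape, the national-ID shape and the `allow_phi` tier flag are assumptions for illustration; the example also covers the non-PHI-tier case, where a hit is refused rather than masked.

```python
import re
from dataclasses import dataclass, field

# Illustrative identifier patterns, assumed for this example (not SLAtech's rules and
# not a complete list of HIPAA's 18 identifiers). A production redactor pairs
# jurisdiction-specific formats like these with an NER pass for names and addresses.
PATTERNS = {
    "PHONE": re.compile(r"\+\d{2}[\s-]?\d{2,4}(?:[\s-]?\d{2,4}){2,3}\b"),  # EU-style international numbers
    "MRN": re.compile(r"\bMRN[-:\s]?\d{6,10}\b", re.IGNORECASE),          # hypothetical record-number shape
    "NATIONAL_ID": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),                   # hypothetical national-ID shape
    "DOB": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),                            # ISO dates (date of birth)
}

# Constructed sample intake message; no real patient data.
SAMPLE_INTAKE = "Patient MRN-00123456, phone +49 30 1234 5678, DOB 1980-04-12, asks about billing."

SENT_TO_LLM = []  # what the stand-in sub-processor call actually received


@dataclass
class RedactionResult:
    text: str
    counts: dict = field(default_factory=dict)  # aggregate metadata only: category -> hits


def redact(text: str) -> RedactionResult:
    """Replace every identifier match with a category token before the text leaves the tenant."""
    counts = {}
    for label, rx in PATTERNS.items():
        text, n = rx.subn(f"[{label}]", text)
        if n:
            counts[label] = n
    return RedactionResult(text, counts)


def call_llm(prompt: str) -> str:
    """Stand-in for the external model call; records its input so a test can prove no raw PHI reached it."""
    SENT_TO_LLM.append(prompt)
    return "ok"


def safe_llm_call(raw: str, allow_phi: bool) -> tuple:
    """Redact, then call the model. With allow_phi=False (a tier that is not BAA-covered),
    any PHI hit is a hard stop rather than a masked pass-through."""
    result = redact(raw)
    if not allow_phi and result.counts:
        raise ValueError(f"PHI detected on a non-PHI tier: {result.counts}")
    # The audit entry carries only counts and length, never the transcript itself.
    audit = {"redactions": result.counts, "chars": len(result.text)}
    return call_llm(result.text), audit
```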
SCC (Standard Contractual Clauses)
Pre-approved contract template published by the European Commission for transferring personal data from the EEA to third countries lacking an adequacy decision. The current version is 2021/914 (effective June 2021), replacing the earlier 2010/87 clauses. The Schrems II ruling (CJEU C-311/18) requires supplementary transfer-impact assessments alongside SCCs.
SLAtech: Every SLAtech sub-processor transfer outside the EEA (OpenAI US, Cohere Canada, Sentry US) is governed by SCC 2021/914, with a transfer-impact assessment available on request.
SOC 2
Service Organization Control 2, an AICPA audit framework that evaluates a service organisation's controls against five trust services criteria: security, availability, processing integrity, confidentiality and privacy. Type I = controls designed appropriately at a point in time; Type II = controls operating effectively over a 6-12 month period.
SLAtech: Type I report targeted Q3 2026; Type II Q2 2027. Until then, the operational controls listed at /en/security/ are independently auditable on request. Customers can request a Trust Services Criteria mapping as a pre-audit gap-analysis artefact.
UPL (Unauthorized Practice of Law)
Common-law and statutory restriction limiting the practice of law to licensed attorneys. The precise definition varies by jurisdiction but typically includes giving legal advice, drafting legal documents and representing parties in proceedings. AI chatbots in the legal vertical face acute UPL exposure if they answer substantive legal questions without attorney review.
SLAtech: SLAtech Legal ships a UPL safeguard that routes every substantive legal question to "an attorney will follow up" rather than letting the bot answer. The bot handles intake, qualifying questions and appointment scheduling, never legal positions.
ePHI (Electronic PHI)
PHI in electronic form, which is what HIPAA's Security Rule actually regulates. The Security Rule mandates technical safeguards (access control, audit controls, integrity controls, transmission security) specifically for ePHI. Paper PHI falls under the Privacy Rule only.
SLAtech: All SLAtech-handled health-context data is ePHI by definition. AES-256-GCM at rest, TLS 1.2+ in transit, an audit log of admin actions, role-based access control: all baseline controls are implemented.