{"updatedAt":"2026-07-01","artifacts":[{"title":"Security overview PDF","href":"/resources/hexafit-architecture-review.pdf","detail":"Architecture, access model, data movement, and rollout review summary.","format":"PDF"},{"title":"Security artifact data","href":"/api/trust/security-artifacts","detail":"Open evidence index for security, legal, vendor, and reliability review.","format":"Open data"},{"title":"DPA review packet","href":"/api/trust/dpa","detail":"Self-serve data-processing roles, commitments, review topics, and named subprocessor links.","format":"Open data"},{"title":"Subprocessor register","href":"/api/trust/subprocessors","detail":"Named and conditional vendor list with category, purpose, data type, and status.","format":"Open data"},{"title":"Certification status","href":"/certifications","detail":"Current SOC 2, ISO, PCI, and HIPAA claim status with clear evidence boundaries.","format":"Page"},{"title":"Status history","href":"/api/status/history","detail":"Current health route, status events, response targets, and monitoring history state.","format":"Open data"},{"title":"Published proof register","href":"/api/customer-proof/published","detail":"Public count and list of customer-approved proof currently published on the website.","format":"Open data"},{"title":"DPA review topics","href":"/dpa#dpa-artifacts","detail":"Controller/processor roles, exports, deletion, subprocessors, and incident notice topics.","format":"Page"}],"certifications":[{"name":"SOC 2","status":"Not certified","evidence":"Controls are mapped for readiness review, but no SOC 2 report is published.","nextStep":"Complete formal audit readiness and publish approved report status only after evidence exists."},{"name":"ISO 27001","status":"Not certified","evidence":"Security review areas are mapped to familiar control language, but no ISO certificate is published.","nextStep":"Publish certificate details only after an approved independent certification exists."},{"name":"PCI","status":"Processor-scoped","evidence":"Payment processing scope is separated through HexaPay / Payzli and reviewed per merchant account.","nextStep":"Confirm processor and merchant responsibilities during payment onboarding."},{"name":"HIPAA","status":"No public claim","evidence":"HexaFit supports wellness and clinic workflows but does not publish a HIPAA compliance claim here.","nextStep":"Review clinic-specific workflow, data handling, and legal requirements before any health-data claim."}],"subprocessors":[{"name":"HexaVox","category":"Messaging and communication","purpose":"Email delivery for website leads, demo requests, customer proof invitations, and internal notifications.","data":"Contact details, request context, consent records, and message metadata.","region":"Customer-specific configuration","status":"Configured when messaging credentials are enabled"},{"name":"Resend","category":"Messaging and communication","purpose":"Fallback email delivery when configured for website lead or proof workflows.","data":"Contact details, message content, and delivery metadata.","region":"Provider-managed","status":"Conditional"},{"name":"HexaFit Platform / HQ","category":"Core platform services","purpose":"Business signup routing, account discovery, customer proof administration, and customer workflow handoff.","data":"Business application details, account routing metadata, proof workflow records, and operating context.","region":"Environment-specific","status":"Core service"},{"name":"HexaPay","category":"Payment operations","purpose":"Payment workflow orchestration, merchant handoff, and payment-readiness review.","data":"Merchant application details, business entity information, settlement context, and payment workflow metadata.","region":"Customer-specific configuration","status":"Scoped per rollout"},{"name":"Payzli","category":"Merchant processing","purpose":"Merchant underwriting, payment processing, settlement, funding, statements, and chargeback workflows.","data":"Merchant legal entity, owner, banking, underwriting, transaction, funding, and chargeback records.","region":"Customer-specific configuration","status":"Scoped per legal entity"},{"name":"Cloudflare Turnstile","category":"Security and abuse prevention","purpose":"Human verification and abuse prevention for public signup flows when enabled.","data":"Challenge token, request metadata, and verification result.","region":"Provider-managed","status":"Conditional"},{"name":"Cloudflare","category":"DNS, edge, and security","purpose":"DNS, edge routing, TLS, and traffic protection where configured for public web properties.","data":"Request metadata, DNS records, TLS metadata, and security telemetry.","region":"Provider-managed","status":"Configured for public web operations"},{"name":"Hetzner Cloud","category":"Infrastructure","purpose":"Infrastructure provisioning and hosting operations where configured for deployment environments.","data":"Infrastructure metadata, server/network configuration, logs, and deployment operations metadata.","region":"Environment-specific","status":"Configured for infrastructure operations"}],"statusHistory":[{"date":"2026-07-01","status":"Operational","summary":"Public health check available for live review.","evidence":"/api/health"},{"date":"2026-07-01","status":"Monitoring started","summary":"Public status history surface added. No historical uptime percentage is claimed before data exists.","evidence":"/api/status/history"}],"dpaTopics":[{"title":"Role mapping","detail":"Controller, processor, subprocessor, and integration responsibilities by workflow."},{"title":"Data categories","detail":"Business account, staff, member, lead, payment-readiness, proof, and support-context data."},{"title":"Export and deletion","detail":"Customer export, deletion request, retention, and handoff expectations before signature."},{"title":"Incident notice","detail":"Notice routing, escalation owner, customer contact, and service-term alignment."},{"title":"Subprocessor changes","detail":"Named vendor review, customer-specific scope, and material-change notification path."},{"title":"Security measures","detail":"Access review, audit visibility, migration validation, vendor review, and support review cadence."}],"dpaPacket":{"roleModel":[{"role":"Customer","responsibility":"Controls business account data, staff and member operating records, customer instructions, and location policy."},{"role":"HexaFit","responsibility":"Processes customer data to provide platform, support, proof, signup, reporting, and operational workflows."},{"role":"Subprocessors","responsibility":"Provide infrastructure, communication, security, payment, or merchant-processing support under scoped vendor use."}],"commitments":["Export and deletion requests are reviewed through the customer support or enterprise review path.","Material subprocessor scope should be reviewed before production rollout and when customer-specific vendors are enabled.","Incident notice routing and support response targets are defined in the customer proposal or service terms.","Security measures are mapped publicly, while formal certifications are published only after independent evidence exists."],"selfServeLinks":[{"label":"Privacy Policy","href":"/privacy"},{"label":"Terms","href":"/terms"},{"label":"Subprocessor Register","href":"/subprocessors"},{"label":"Named Subprocessor Data","href":"/api/trust/subprocessors"},{"label":"Certification Status","href":"/certifications"},{"label":"Security Overview","href":"/resources/hexafit-architecture-review.pdf"}]}}