Controls are mapped for readiness review, but no SOC 2 report is published.
Complete formal audit readiness and publish approved report status only after evidence exists.
Trust center for enterprise review.
Open the security, data, vendor, status, and legal review paths before procurement starts.
HexaFit publishes review artifacts and framework mapping without claiming certifications before approved evidence exists.
Trust center
Procurement proof buyers can open before legal .
HexaFit keeps security review simple: plain review areas, visible operating cadence, and downloadable architecture evidence before formal certifications are available.
Architecture, access model, data movement, and rollout review.
Control framework (Mapped): Security review areas mapped to familiar buyer-control categories.
Review cadence (Visible): Access review, dependency review, vendor review, and launch audit rhythm.
Subprocessor path (Named): Named vendor register, integration scope, data role, and notification review.
Status and SLA path (Live): Live health, public history, response targets, and incident review.
Certification status (Public): Current certification posture and the evidence needed before public claims appear.
DPA review (Open data): Controller, processor, export, deletion, incident notice, and public data-processing packet.
Self-serve artifacts
Open the before contacting sales.
Security, data-processing, status, certification posture, and subprocessor material are available as public pages or open data so reviewers can inspect the current evidence without a private email thread. An is simply one piece of that evidence.
Architecture, access model, data movement, and rollout review summary.
Security artifact data (Open data): Open evidence index for security, legal, vendor, and reliability review.
DPA review packet (Open data): Self-serve data-processing roles, commitments, review topics, and named subprocessor links.
Subprocessor register (Open data): Named and conditional vendor list with category, purpose, data type, and status.
Certification status (Page): Current SOC 2, ISO, PCI, and HIPAA claim status with clear evidence boundaries.
Status history (Open data): Current health route, status events, response targets, and monitoring history state.
Published proof register (Open data): Public count and list of customer-approved proof currently published on the website.
DPA review topics (Page): Controller/processor roles, exports, deletion, subprocessors, and incident notice topics.
Certification status
Independent certification claims stay separate from readiness work.
HexaFit shows the current readiness posture now and publishes formal certification evidence only after it is independently approved.
Security review areas are mapped to familiar control language, but no ISO certificate is published.
Publish certificate details only after an approved independent certification exists.
Payment processing scope is separated through HexaPay / Payzli and reviewed per merchant account.
Confirm processor and merchant responsibilities during payment onboarding.
HexaFit supports wellness and clinic workflows but does not publish a HIPAA compliance claim here.
Review clinic-specific workflow, data handling, and legal requirements before any health-data claim.
Review paths
Every buyer group gets a clear next step.
Security, legal, finance, and operations can open the page that matches their question.
Access model, audit trail, data movement, API boundaries, and framework-aligned review areas.
Data protection: Privacy, SMS data handling, DPA review, export, deletion, and incident notice topics.
Vendor review: Subprocessors, integrations, data roles, notification path, and annual vendor review cadence.
Reliability review: Status path, incident communication, support targets, escalation, and launch coverage.
Status and SLA visibility
A visible health path before a formal uptime history exists.
HexaFit exposes the current health route and explains how status, incident updates, escalation, and response targets become part of the customer proposal or service terms.
Shows current health, public status events, and response-target examples for reviewer inspection.
History starts from the public monitoring surface; no pre-existing uptime percentage is invented.
Proposal-defined emergency response path
Business-hours triage target in service terms
Queued support response by support plan
