Is Hedy SOC 2 compliant?

Hedy completed an independent SOC 2 Type I examination of its security controls in April 2026.

What HIPAA work has Hedy completed?

Hedy completed an independent HIPAA assessment as a Business Associate, covering the HIPAA Security and Breach Notification rules.

Does Hedy sign a Business Associate Agreement (BAA)?

Yes. Hedy can sign a Business Associate Agreement with organizations that require one before sharing protected health information.

What does Hedy's SOC 2 report cover?

It covers Hedy's security controls, assessed against the AICPA Trust Services Criteria for Security.

How do I get Hedy's SOC 2 report or HIPAA assessment?

The SOC 2 report and HIPAA assessment are available to customers and prospects through the Hedy Trust Center at trust.hedy.ai, or by emailing security@hedy.bot.

Is Hedy GDPR compliant?

Yes. Hedy provides a full processor-side GDPR framework, including a Data Processing Addendum, Standard Contractual Clauses, a Transfer Impact Assessment, and documented Technical and Organizational Measures, all available in the Trust Center.

Does Hedy offer EU data residency?

Yes. New users can choose European storage and AI processing during onboarding, keeping conversation data on EU servers.

Julian Pscheid · May 29, 2026

Hedy Completed SOC 2 Type I and HIPAA Assessments

Q: Does Hedy use my conversations to train AI?

No. Cloud AI analysis is transient and is never stored or used to train models, and Hedy never sells your data.

Hedy completed an independent SOC 2 Type I examination and HIPAA assessment in April 2026. Here is what that means for how your data is protected.

Glowing digital security shield with a checkmark, representing Hedy's completed SOC 2 Type I examination and HIPAA assessment

Hedy has completed an independent SOC 2 Type I examination and an independent HIPAA assessment, both finished in April 2026. For a privacy-first product built by a small team, meeting the security bar that enterprise buyers expect from much larger vendors is worth marking.

What did Hedy complete?

Two independent reviews:

SOC 2 Type I: an independent review of Hedy’s security controls.
HIPAA: an independent assessment of how Hedy handles health information as a Business Associate.

Both are independent confirmation of the privacy and security work Hedy is already built on.

What does this mean for you?

Day to day, what you rely on doesn’t change. Speech recognition runs on your device by default, and AI analysis can too. Your audio never leaves your control unless you choose to share it, cloud AI analysis stays transient and is never stored or used to train models, and we never sell your data.

What’s new is the proof. If your security review asks for SOC 2, the report is ready. If your organization needs a Business Associate Agreement before using Hedy, we can sign one.

What else protects your data?

This sits alongside everything Hedy already does to protect you: a full GDPR framework, EU data residency, and on-device speech recognition. The SOC 2 Type I report and HIPAA assessment are available to customers and prospects through our Trust Center, or reach the security team at security@hedy.bot. You can see it all on our security page.

Your most sensitive conversations deserve real protection. Now that protection is independently verified.

About the author

Julian Pscheid is the founder and CEO of Hedy AI, a real-time AI meeting coach used by tens of thousands of professionals worldwide. He writes about how AI is changing the way people prepare for, capture, and understand important conversations.

Back to News Download as PDF

Hedy Completed SOC 2 Type I and HIPAA Assessments

What did Hedy complete?

What does this mean for you?

What else protects your data?

Your next meeting is your best one yet

Hedy's Google Calendar Integration: Right-Time Reminders and Smarter Meeting Notes