Compliant AI, by design

B2B SaaS trust

The Trust Services Criteria audit report every enterprise procurement team asks for. Covers security, availability, processing integrity, confidentiality, and privacy.

What Nebari does

• Control design for AI systems: model access logs, production data gating, environment segmentation
• Vendor risk assessments for LLM providers (OpenAI, Anthropic, Bedrock, Vertex)
• Evidence architecture so audits produce themselves instead of eating a quarter

US healthcare

Protects PHI (Protected Health Information). Requires technical safeguards, access controls, audit trails, and a signed BAA with every vendor that touches PHI.

What Nebari does

• PHI flow mapping across your AI pipeline — prompts, embeddings, logs, training data
• BAA chain design: which providers sign, which don't, which models are in-scope
• Redaction and de-identification at model boundaries; audit trail design for LLM calls

Healthcare, next tier

Certifiable control framework that unifies HIPAA, NIST, and ISO 27001 into one audit. Large health systems increasingly require it from vendors.

What Nebari does

• Gap assessment against HITRUST e1, i1, or r2 tier
• Control mapping for AI and data pipelines; reusing SOC 2 work where possible
• Readiness roadmap with realistic timelines (not vendor fantasy)

Education

US law protecting student education records. Governs edtech, LMS integrations, and AI tutors deployed in K–12 and higher ed.

What Nebari does

• Consent architecture using the school-official exception correctly
• Data minimization for prompts and model context windows
• Retention and deletion policies for student data in vector stores

Users under 13

FTC rule requiring verifiable parental consent before collecting personal information from children under 13. Strict on what you can log, train on, and retain.

What Nebari does

• Age-gate and verifiable-consent flow design
• Data minimization and retention policies that survive an FTC inquiry
• Special handling of content that might be used to train or fine-tune models

EU personal data

EU regulation governing personal data of EU residents. Lawful basis, subject access requests, right-to-erasure, and cross-border transfer rules.

What Nebari does

• Lawful-basis assessment for each AI feature (not a blanket 'legitimate interest')
• DSAR fulfillment design that actually works across LLM logs and embeddings
• Cross-border transfer posture (SCCs, DPF, adequacy) for your model provider stack

California consumers

California privacy law with teeth. Right to know, delete, correct, opt out of sale/share, and limit the use of sensitive personal information.

What Nebari does

• Global Privacy Control signal handling across AI-powered surfaces
• Sensitive data classification for prompts, outputs, and stored context
• Deletion propagation through vector stores, cached completions, and fine-tune data

Payment card data

Mandatory standard for anyone storing, processing, or transmitting cardholder data. Strict on network segmentation, encryption, logging, and change control.

What Nebari does

• Keeping AI and LLM flows out of PCI scope via tokenization at the boundary
• Redaction design for support assistants and agents that might see card data
• Scope-reduction strategy so your AI roadmap doesn't drag your whole platform into PCI