Dissertatiodissertatio

For Institutions · Procurement

The procurement pack, itemized.

Everything your review board, IT security, and DPO ask for — prepared before the questionnaire arrives, and honest about what ships today versus what is on the roadmap. Request any item from the contact below.

Procurement should be the boring part of adopting a new tool. We keep the answers current so a pilot is a decision, not a project — and we badge every item so your review is based on the product as it is, not as a datasheet wishes it were. The public control set lives on the Security page; anything below marked on request is a reply away from institutions@hashtagai.io.

Available now or on request In progress On the roadmap, not yet certified

Legal & data protection

Contracts and data protection.

  • Data Processing Agreement (DPA)

    Available on request

    A GDPR Article 28 DPA naming Hashtag AI Labs as processor, with the institution as controller. Institutional riders and amendments are reviewed case by case with our counsel — send yours with the first questionnaire.

  • Security questionnaire pack

    Available on request

    Prepared responses to the standard IT security questionnaires (SIG Lite, HECVAT-style, and vendor-specific forms), kept current so a review is a read-through rather than a round-trip.

  • Sub-processor list

    Available today

    The full list — cloud infrastructure, AI model provider, payments — is published openly on the Security page, with advance notice to admins before any change.

  • AI data-handling statement

    Available on request

    The no-training guarantee, per-manuscript logging, and workspace-level admin controls, written for research-integrity boards and DPOs to review.

Technical & security

How the system is built and secured.

  • Architecture & data-flow diagram

    Available on request

    How a manuscript moves through the system — storage, processing, backups, and exactly what an AI check can and cannot read — as a diagram your reviewers can annotate.

  • Data residency attestation

    Available today

    All customer data, including backups, is stored and processed in AWS eu-west-1 (Ireland). Residency does not change with scale, and we will attest to it in writing.

  • Encryption & access-control summary

    Available on request

    Encryption in transit and at rest, strict workspace isolation, role-based access, and append-only audit logging — described at the level an IT security review needs.

  • Identity roadmap (SAML SSO, SCIM)

    Roadmap

    Pilots run on ORCID sign-in and email invites today. SAML 2.0 SSO and SCIM provisioning are in development and marked as roadmap here and everywhere else — we will not describe them as shipped until they are.

Compliance & accessibility

Certifications and standards.

  • SOC 2

    Roadmap

    Our controls are designed against the SOC 2 Trust Services Criteria from day one, and a Type II audit is on the compliance roadmap. We share current security documentation now, and will share the report when it exists — not before.

  • Accessibility — WCAG 2.2 AA

    In progress

    We build to the WCAG 2.2 AA target — semantic landmarks, full keyboard paths, focus management, and 4.5:1 contrast — and are working toward a published conformance statement. We will tell you honestly where a surface is not there yet.

  • GDPR alignment

    Available today

    EU data residency, a signed DPA for institutional plans, documented sub-processors, and data-subject rights — access, export, deletion — handled as product features rather than ticket queues.

  • Support & service terms

    Available on request

    Response targets, escalation paths, and a review cadence for institutional customers, provided in writing rather than as best effort.

Our commitment

We mark the roadmap as the roadmap.

SOC 2 Type II and a published WCAG 2.2 AA conformance statement are things we are working toward, not things we claim today — and you will find them badged that way here, on the Security page, and in every questionnaire we answer. A vendor that is honest about what it has not finished is easier to trust with what it has. When a control ships or a certification lands, institutional customers hear it in a service review.

Send us your questionnaire.

Tell us about your labs, your identity setup, and your procurement process — we reply with the pack and a pilot proposal within two business days.