For Institutions · Procurement
The procurement pack, itemized.
Everything your review board, IT security, and DPO ask for — prepared before the questionnaire arrives, and honest about what ships today versus what is on the roadmap. Request any item from the contact below.
Procurement should be the boring part of adopting a new tool. We keep the answers current so a pilot is a decision, not a project — and we badge every item so your review is based on the product as it is, not as a datasheet wishes it were. The public control set lives on the Security page; anything below marked on request is a reply away from institutions@hashtagai.io.
Legal & data protection
Contracts and data protection.
Data Processing Agreement (DPA)
Available on requestA GDPR Article 28 DPA naming Hashtag AI Labs as processor, with the institution as controller. Institutional riders and amendments are reviewed case by case with our counsel — send yours with the first questionnaire.
Security questionnaire pack
Available on requestPrepared responses to the standard IT security questionnaires (SIG Lite, HECVAT-style, and vendor-specific forms), kept current so a review is a read-through rather than a round-trip.
Sub-processor list
Available todayThe full list — cloud infrastructure, AI model provider, payments — is published openly on the Security page, with advance notice to admins before any change.
AI data-handling statement
Available on requestThe no-training guarantee, per-manuscript logging, and workspace-level admin controls, written for research-integrity boards and DPOs to review.
Technical & security
How the system is built and secured.
Architecture & data-flow diagram
Available on requestHow a manuscript moves through the system — storage, processing, backups, and exactly what an AI check can and cannot read — as a diagram your reviewers can annotate.
Data residency attestation
Available todayAll customer data, including backups, is stored and processed in AWS eu-west-1 (Ireland). Residency does not change with scale, and we will attest to it in writing.
Encryption & access-control summary
Available on requestEncryption in transit and at rest, strict workspace isolation, role-based access, and append-only audit logging — described at the level an IT security review needs.
Identity roadmap (SAML SSO, SCIM)
RoadmapPilots run on ORCID sign-in and email invites today. SAML 2.0 SSO and SCIM provisioning are in development and marked as roadmap here and everywhere else — we will not describe them as shipped until they are.
Compliance & accessibility
Certifications and standards.
SOC 2
RoadmapOur controls are designed against the SOC 2 Trust Services Criteria from day one, and a Type II audit is on the compliance roadmap. We share current security documentation now, and will share the report when it exists — not before.
Accessibility — WCAG 2.2 AA
In progressWe build to the WCAG 2.2 AA target — semantic landmarks, full keyboard paths, focus management, and 4.5:1 contrast — and are working toward a published conformance statement. We will tell you honestly where a surface is not there yet.
GDPR alignment
Available todayEU data residency, a signed DPA for institutional plans, documented sub-processors, and data-subject rights — access, export, deletion — handled as product features rather than ticket queues.
Support & service terms
Available on requestResponse targets, escalation paths, and a review cadence for institutional customers, provided in writing rather than as best effort.
Our commitment
We mark the roadmap as the roadmap.
SOC 2 Type II and a published WCAG 2.2 AA conformance statement are things we are working toward, not things we claim today — and you will find them badged that way here, on the Security page, and in every questionnaire we answer. A vendor that is honest about what it has not finished is easier to trust with what it has. When a control ships or a certification lands, institutional customers hear it in a service review.
Send us your questionnaire.
Tell us about your labs, your identity setup, and your procurement process — we reply with the pack and a pilot proposal within two business days.
