Compliance
Extend maintains enterprise-grade security controls across all deployment options. Full documentation is available in our Trust Center.
SOC 2
We maintain controls aligned with SOC 2 Type II requirements. Reports and security documentation are available in the Trust Center.
HIPAA
Extend is HIPAA compliant and supports healthcare organizations processing protected health information (PHI).
- We can execute Business Associate Agreements (BAAs).
- HIPAA-compliant processing is available across all deployments (us1, us2, eu1) and deployment models described in Deployment Options.
Contact sales to discuss BAA requirements or enable HIPAA for your organization.
Filing a HIPAA complaint
If you believe we have mishandled PHI or violated our HIPAA policies, email support@extend.ai with:
- Subject line: HIPAA Complaint
- Your name and contact information
- A description of the concern, including relevant dates or context
We acknowledge complaints within 3 business days and aim to respond within 30 days, unless additional time is needed for investigation.
GDPR
Extend is GDPR compliant and supports customers who need to process personal data subject to European data protection requirements.
- eu1 stores and processes customer document data within the EU (primary infrastructure in Frankfurt, AWS eu-central-1).
- Operational telemetry that does not include document content (for example, error and performance monitoring) may be processed by vendors outside the EU.
For how we store, retain, and delete data, see Data Handling.

