Regulatory Compliance
Heard is designed from the ground up for companies in regulated industries — healthcare, financial services, legal, and insurance. This page maps Heard’s security features to specific regulatory requirements.
HIPAA (Healthcare)
| Requirement | How Heard Addresses It |
|---|---|
| PHI must not be exposed to unauthorized systems | PII scrubbing pipeline anonymizes patient names, MRNs, and clinical data before it reaches the AI brain. Configure via Settings → PII Settings → Healthcare (HIPAA) preset. |
| Minimum necessary access | LangGraph reasons on anonymized data only. Real values are re-associated in-memory during execution and never persisted. |
| Administrative safeguards | Advisory-Only mode (Level 0) — AI recommends but never executes. All actions require explicit human sign-off. |
| Audit controls | Every scrub operation logged with SHA-256 hashes. Every AI decision traced end-to-end via LangSmith. |
| Data residency | Edge PII execution keeps PHI within the customer’s container — data is anonymized before it reaches the cloud. |
PCI-DSS (Financial Services)
| Requirement | How Heard Addresses It |
|---|---|
| Cardholder data must not be stored | Credit card numbers, CVVs, and financial identifiers are scrubbed before reasoning. Configure via Financial (PCI-DSS) preset. |
| Secure credential handling | API keys and secrets are injected at runtime via OpenShell Providers — never written to the agent’s filesystem. |
| Access control | Four-role RBAC. MCP server access is team-scoped — only designated teams access financial tool integrations. |
| Audit trail | Complete trace for every tool call, including MCP calls to payment systems. |
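The scrub, reason, re-associate flow that the HIPAA and PCI-DSS tables above describe (placeholder tokens go to the model, the real values stay in memory, and the audit record carries only a SHA-256 digest), shown here as an added illustration that is not Heard's own code; the preset patterns, token format and function names are assumptions made for the example.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Hypothetical preset definitions; Heard's real presets are not shown on this page.
PRESETS = {
    "healthcare": {  # HIPAA preset: patient identifiers
        "MRN": re.compile(r"\bMRN[- ]?\d{6,8}\b"),
        "NAME": re.compile(r"\b(?:Dr|Mr|Ms)\.\s+[A-Z][a-z]+\b"),
    },
    "financial": {  # PCI-DSS preset: cardholder data
        "CARD": re.compile(r"\b\d(?:[ -]?\d){12,15}\b"),
        "CVV": re.compile(r"\bCVV[: ]*\d{3,4}\b"),
    },
}

@dataclass
class ScrubResult:
    text: str                                    # what the AI is allowed to see
    mapping: dict = field(default_factory=dict)  # token -> real value; memory only
    audit: list = field(default_factory=list)    # digests only; safe to persist

def scrub(text: str, preset: str) -> ScrubResult:
    """Replace sensitive values with placeholder tokens before reasoning."""
    result = ScrubResult(text=text)
    counters: dict = {}
    for kind, pattern in PRESETS[preset].items():
        def replace(match, kind=kind):
            value = match.group(0)
            counters[kind] = counters.get(kind, 0) + 1
            token = f"<{kind}_{counters[kind]}>"
            result.mapping[token] = value
            # The audit record holds a SHA-256 digest, never the raw value.
            result.audit.append({"kind": kind, "token": token,
                                 "sha256": hashlib.sha256(value.encode()).hexdigest()})
            return token
        result.text = pattern.sub(replace, result.text)
    return result

def rehydrate(model_output: str, mapping: dict) -> str:
    """Re-associate tokens in the AI's output with the real values, in memory."""
    for token, value in mapping.items():
        model_output = model_output.replace(token, value)
    return model_output

def run_advisory(text: str, preset: str, model) -> tuple:
    """Advisory-only flow: the model sees scrubbed text; the human reviewer sees the rehydrated recommendation."""
    scrubbed = scrub(text, preset)
    recommendation = rehydrate(model(scrubbed.text), scrubbed.mapping)
    return recommendation, scrubbed.audit
```

Only `audit` should ever be written to durable storage; `mapping` must be dropped when the request finishes.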
SOC 2 Type II
| Criteria | How Heard Addresses It |
|---|---|
| Security | OpenShell sandbox with kernel-level isolation. Network egress restricted to approved endpoints only. |
| Availability | Always-on containers with health monitoring and automatic restart. |
| Processing Integrity | Every AI decision is traceable. Workflows execute as deterministic, auditable pipelines. |
| Confidentiality | Team-scoped data access. Playbook isolation prevents cross-team context leakage. PII scrubbed before reasoning. |
| Privacy | Configurable PII sensitivity levels. The AI only processes anonymized representations. |
GDPR (EU Data Protection)
| Requirement | How Heard Addresses It |
|---|---|
| Data minimization (Art. 5) | Configurable PII scrubbing — only necessary data reaches the AI. |
| Right to erasure (Art. 17) | Customer records, dossiers, and transcripts can be purged via API. Deletion cascades through all downstream records. |
| Data residency (Art. 44+) | OpenClaw containers can be deployed in specific cloud regions. Local data stays within jurisdictional boundaries. |
| Lawful processing (Art. 6) | Full transparency into AI reasoning. Advisory-Only mode available for contexts where consent boundaries apply. |
Feature Cross-Reference
| Heard Feature | HIPAA | PCI-DSS | SOC 2 | GDPR |
|---|---|---|---|---|
| PII scrubbing pipeline | ✅ | ✅ | ✅ | ✅ |
| Configurable sensitivity presets | ✅ | ✅ | ✅ | |
| Advisory-Only mode | ✅ | ✅ | | |
| LangSmith audit tracing | ✅ | ✅ | ✅ | |
| RBAC (4 roles, team-scoped) | ✅ | ✅ | | |
| OpenShell sandbox isolation | ✅ | ✅ | | |
| Edge PII execution | ✅ | ✅ | | |
| Data residency controls | ✅ | ✅ | | |
| Customer data deletion API | ✅ | | | |
Related Pages
- Security & Data Privacy — Encryption, tenant isolation, RBAC, audit trails
- PII Settings — Configure scrubbing sensitivity for your industry
- HITL Rules — Set Advisory-Only mode and approval requirements