Trust Center
GoodHelp Constitution
Your GoodHelp Constitution is the rules your agents work by — and the proof they followed them. This Trust Center is where you inspect both: a tamper-evident record of what every AI agent did, why, and on whose authority. The eight controls below are the load-bearing pieces — the rules on one side, the proof on the other.
The rules your agents work by
What each agent is configured to do — which tools, on whose authority, and with what data — checked server-side at decision time. All shipped today.
| Control | How it works | Status |
|---|---|---|
| Per-agent runtime policies | Each agent runs against a declarative policy: allow-listed tools, per-run cost cap, external-comms allow-list, and approval gates. Policy violations short-circuit the tool call before any side effect. | Shipped |
| Separation-of-duties (SoD) approvals | Sensitive agent changes require a second-party approval. The OWNER/ADMIN who edited the agent cannot also approve the change, enforced server-side at decision time. | Shipped |
| PII redaction | A regex-based redactor runs at audit-log write time on the recorded action parameters and outcomes, so detected SSNs, account numbers, and free-text PII are replaced with type-preserving placeholders in your tamper-evident log and evidence exports. Coverage follows your compliance profile — the Regulated Industry profile forces it on and extends it to email and phone. | Shipped |
| Compliance profile flip | Switching an org to the Regulated Industry profile raises retention to 7 years, forces PII filtering ON, and pins the audit signing version. The flip is itself an audit event. | Shipped |
The proof they followed them
A tamper-evident record of what every agent actually did, why, and on whose authority — yours to inspect, export, and verify offline. All shipped today.
| Control | How it works | Status |
|---|---|---|
| Tamper-evident audit log | Every agent action is appended to a per-org hash-chained audit log rooted in a Google Cloud KMS-managed signing key. Any retroactive edit breaks the chain and is detectable by replay. | Shipped |
| KMS-rooted signing | All audit signatures derive from a Cloud KMS-managed signing key. Key rotation is supported and previous signature versions remain verifiable indefinitely against archived public material. | Shipped |
| Evidence export | OWNERs can export a signed evidence pack for any date range — JSON manifest plus body (CSV/TSV/JSON), KMS-rooted signing key — suitable for auditor handoff or regulator request. Verify offline with the published public key. | Shipped |
| Retention sweep | Runs daily. Enumerates records past the org’s retention horizon and logs every action to the ledger. Defaults to dry-run per-org; flip to live-delete is operator-controlled and itself logged with a tombstone entry once enabled. | Shipped |
What we do not claim
Honest > shiny. Where we don't yet have the certification or the property, we don't claim it.
- ❌ CMMC
- ❌ FedRAMP
- ❌ ITAR
- ❌ GovCloud
- ❌ SOC 2 (in progress; not certified)
- ❌ DCAA-certified
- ❌ "Immutable" (we say tamper-evident)
- ❌ "Blockchain" (we say hash-chained, append-only)
Stripe & PCI posture
Payments are processed via Stripe Checkout. Cardholder data (PAN) never touches our infrastructure; Stripe Checkout handles the entire card-capture surface. We hold a Stripe customer id and a subscription id, nothing more.
Regulatory posture
DCAA-aligned controls. Not DCAA-certified — we map our controls to DCAA requirements. If your contracting officer or prime needs a specific control mapping, our compliance team can share the current crosswalk on request.
Subprocessors
The third parties that touch customer data in the course of normal operations.
| Vendor | Use |
|---|---|
| GCP | Primary cloud, KMS, storage, Firestore. |
| Temporal Cloud | Workflow orchestration. |
| Anthropic | Claude family models. |
| OpenAI | GPT family models. |
| Firebase | Auth + client-side state for the admin app. |
| Stripe | Payments (Stripe Checkout; no PAN on our infra). |
| SendGrid | Transactional and inbound email. |
| Mercury | Customer banking integrations (read-only via OAuth where used). |
Contact
Security reports, compliance questions, and auditor crosswalk requests all reach our security team.
Last reviewed against the shipped product: June 14, 2026