Every Composite product applies the compliance rules of its vertical inside the generation process — not as an after-the-fact review. Every output ships with a verifiable trace. Audit-ready, by default.
A compliance frame is a set of rules that the vertical's industry requires — OWASP Top 10 for code, HIPAA Safeguards for clinical, MNPI handling for finance. Every Composite product applies the frames of its vertical inside the generation process. The output is shaped by the rules as it's produced.
Every call returns a complianceTrace — a verifiable record listing which rules were requested, which were enforced, and which checks passed. The trace is exportable to your audit pipeline.
```json
{
  "requestId": "req_8c2a1f",
  "capability": "generate",
  "vertical": "code",
  "rulesRequested": ["owasp-top-10", "soc2"],
  "rulesEnforced": [
    "no-eval",
    "parameterized-queries",
    "secrets-redacted",
    "auth-required",
    "rate-limit-applied"
  ],
  "checks": {
    "lint": "pass",
    "typecheck": "pass",
    "securityReview": "pass"
  },
  "latencyMs": 1840
}
```

| Data type | Retention default | Configurable on |
|---|---|---|
| Request / response bodies | 7 days (Free), 30 days (Team), 1 year (Business) | Enterprise |
| Compliance traces | Matched to body retention | Enterprise |
| Aggregate metrics | 90 days | Enterprise |
| PII inside requests | Never used for model training. Redacted in logs at edge. | Always |
| Account / billing | 7 years (regulatory) | — |
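The complianceTrace above is meant to be exported to an audit pipeline; the following is an added example (not Composite's own code) of a fail-closed gate that an ingesting pipeline could run over each trace. The required field list and the `required_frames` policy input are assumptions for illustration; the sample trace is the one shown above, embedded so the snippet runs offline.

```python
import json

# Constructed sample: the complianceTrace shown above, embedded so this runs offline.
SAMPLE_TRACE = json.loads("""{
  "requestId": "req_8c2a1f",
  "capability": "generate",
  "vertical": "code",
  "rulesRequested": ["owasp-top-10", "soc2"],
  "rulesEnforced": ["no-eval", "parameterized-queries", "secrets-redacted",
                    "auth-required", "rate-limit-applied"],
  "checks": {"lint": "pass", "typecheck": "pass", "securityReview": "pass"},
  "latencyMs": 1840
}""")

# Assumed minimal schema, taken from the fields visible in the sample trace.
REQUIRED_FIELDS = ("requestId", "capability", "vertical",
                   "rulesRequested", "rulesEnforced", "checks")


def audit_trace(trace, required_frames, required_checks=("securityReview",)):
    """Return a list of findings; an empty list means the trace passes the gate.

    required_frames: frame ids your policy demands in rulesRequested for this
    vertical (an assumed policy input, not something the trace itself defines).
    """
    findings = []
    for field in REQUIRED_FIELDS:
        if field not in trace:
            findings.append(f"missing field: {field}")
    if findings:
        return findings  # fail closed: do not reason about a malformed trace
    requested = set(trace["rulesRequested"])
    for frame in required_frames:
        if frame not in requested:
            findings.append(f"required frame not requested: {frame}")
    if requested and not trace["rulesEnforced"]:
        findings.append("frames requested but no rules enforced")
    checks = trace["checks"]
    for name in required_checks:
        if name not in checks:
            findings.append(f"required check absent: {name}")
    for name, status in checks.items():
        if status != "pass":  # anything other than an explicit pass is a failure
            findings.append(f"check {name}: {status}")
    return findings


def gate_batch(traces, required_frames):
    """Map requestId -> findings for every trace that fails the gate."""
    result = {}
    for trace in traces:
        findings = audit_trace(trace, required_frames)
        if findings:
            result[trace.get("requestId", "<no id>")] = findings
    return result
```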
Request and response bodies are never used to train any model. This is contractual on all paid tiers and documented in the DPA.
All paid tiers receive a Data Processing Addendum (DPA) on request. Composite Clinical customers receive a Business Associate Agreement (BAA) at launch. We respond to security questionnaires within 5 business days; the most common ones (CAIQ, SIG Lite) have pre-filled templates available.