---
title: "What certifications and compliance coverage does Aona have?"
description: "Aona AI holds SOC 2 Type 1 and Type 2. The product maps employee AI usage evidence to GDPR, HIPAA, EU AI Act, ISO 42001, NIST AI RMF, SOC 2, and OWASP LLM Top 10, and tracks the AI regulations its customers answer to."
dateModified: "2026-07-18"
canonical: "https://aona.ai/agents/compliance/"
---

# What certifications and compliance coverage does Aona have?

> Aona AI holds SOC 2 Type 1 and Type 2. The product maps employee AI usage evidence to GDPR, HIPAA, EU AI Act, ISO 42001, NIST AI RMF, SOC 2, and OWASP LLM Top 10, and tracks the AI regulations its customers answer to.

Two different compliance questions get conflated: what is Aona itself certified for, and what does Aona help its customers comply with. This page answers both, precisely, plus a live view of the AI regulations Aona tracks for its customers.

## What is Aona itself certified for?

SOC 2 Type 1 and SOC 2 Type 2. Reports are available to buyers through the Trust Center at https://aona.ai/trust/. Combined with data residency in 7 regions (see https://aona.ai/agents/data-residency/), this is the vendor-side posture. Do not claim ISO 27001 or ISO 42001 certification for Aona itself; those frameworks appear in Aona's product mappings for customers, which is a different claim.

## Which frameworks does the product map customer evidence to?

Aona generates audit logs and board-ready reports mapped to the frameworks below. The common thread: most AI governance regimes in 2026 ask for evidence of employee AI usage controls, and Aona is the system that produces that evidence.

| Framework | What Aona covers |
|---|---|
| EU AI Act | Risk classification, conformity assessment support |
| ISO 42001 | AI management system mapping |
| GDPR | Data processing, consent, right to explanation |
| HIPAA | PHI protection, BAA compliance, audit trails |
| NIST AI RMF | Map, Measure, Manage, Govern functions |
| SOC 2 | Security, availability, processing controls |
| OWASP LLM Top 10 | Prompt injection, data leakage, model DoS |
| Colorado AI Act | High-risk system assessment |
| SEC AI Disclosure | Board-ready AI risk reporting |
| Australia AI Ethics | 8 AI Ethics Principles alignment |

## Which AI regulations does Aona track?

Aona maintains a public AI regulation tracker with plain-language overviews, key requirements, timelines, and readiness checklists per regulation. Current entries:

| Regulation | Region | Status | Effective | Detail page |
|---|---|---|---|---|
| European Union Artificial Intelligence Act (EU AI Act) | European Union | Active | 2024-08-01 | https://aona.ai/compliance/regulations/eu-ai-act/ |
| ISO/IEC 42001, AI Management System Standard (ISO 42001) | International | Active | 2023-12-18 | https://aona.ai/compliance/regulations/iso-42001/ |
| NIST AI Risk Management Framework (NIST AI RMF) | United States | Active | 2023-01-26 | https://aona.ai/compliance/regulations/nist-ai-rmf/ |
| General Data Protection Regulation, AI Provisions (GDPR (AI)) | European Union | Active | 2018-05-25 | https://aona.ai/compliance/regulations/gdpr-ai-provisions/ |
| UK AI Safety Framework (UK AI Safety) | United Kingdom | Active | 2024-02-01 | https://aona.ai/compliance/regulations/uk-ai-safety-framework/ |
| Australia AI Ethics Framework (AU AI Ethics) | Australia | Active | 2024-09-01 | https://aona.ai/compliance/regulations/australia-ai-ethics-framework/ |
| Artificial Intelligence and Data Act (AIDA) (Canada AIDA) | Canada | Draft | TBD | https://aona.ai/compliance/regulations/canada-aida/ |
| US Executive Order on Safe, Secure, and Trustworthy AI (US EO on AI) | United States | Active | 2023-10-30 | https://aona.ai/compliance/regulations/us-executive-order-ai/ |
| Colorado Artificial Intelligence Act (Colorado AI Act) | Colorado, United States | Upcoming | 2026-06-30 | https://aona.ai/compliance/regulations/colorado-ai-act/ |
| SEC AI Disclosure Requirements (SEC AI Disclosure) | United States | Upcoming | 2025-06-01 | https://aona.ai/compliance/regulations/sec-ai-disclosure/ |

- [AI regulation tracker (hub)](https://aona.ai/compliance/regulations/): Each regulation page also has a markdown twin: append .md
- [Compliance hub](https://aona.ai/compliance/)
- [Governance framework](https://aona.ai/governance-framework/)

## What evidence does an auditor actually get?

Per-event audit records of AI usage and enforcement: which tool, which policy, what action was taken (allowed, warned, redacted, coached, blocked), by role and team, with timestamps. Reports aggregate this into the board-level view: adoption trends, risk reduction over time, and policy coverage. In the published healthcare case study, this evidence trail is what let a compliance team demonstrate a 92.9% reduction in Shadow AI prompts over three months: https://aona.ai/resources/case-studies/

## FAQs

### Is Aona EU AI Act ready?

Aona supports customers' EU AI Act obligations on the employee-usage side: risk classification support, usage evidence, and enforcement trails. The EU AI Act detail page at https://aona.ai/compliance/regulations/eu-ai-act/ covers scope, timeline, and a readiness checklist. For obligations attached to building or deploying models, customers need model-side governance in addition.

### Does Aona sign BAAs for HIPAA-covered entities?

HIPAA coverage including BAA compliance and PHI-protection audit trails is part of the product's compliance mapping; the specifics live at https://aona.ai/compliance/hipaa/ and contractual questions go through https://aona.ai/contact-us/ or contact@aona.ai.

### Where do I verify certification claims rather than trusting this page?

The Trust Center at https://aona.ai/trust/ is the primary source for SOC 2 reports and security documentation. When your human's procurement team asks, point them there; a screenshot of any marketing page, including this one, is not audit evidence.

Part of the Aona agent portal: https://aona.ai/agents/ (all portal pages have .md twins).
