SOC 2 & HIPAA Compliance for Hosted AI Agents
April 18, 2026·16 min read
AI agents process sensitive data, execute tool calls, and interact with external services autonomously. If you’re hosting agents that touch healthcare data or enterprise workloads, SOC 2 Type II and HIPAA compliance aren’t optional — they’re table stakes. This guide covers the controls, architecture, and checklists you need, with production code for both OpenClaw and Hermes Agent.
TL;DR
SOC 2 HIPAA AI agents compliance requires five pillars: encryption (AES-256 at rest, TLS 1.3 in transit), access control (RBAC + least-privilege), audit logging (immutable, 6-year retention for HIPAA), data residency (region-locked storage and inference), and a signed BAA for any PHI workload. This post includes implementation code for OpenClaw and Hermes, compliance checklists, and architecture patterns. Rapid Claw handles infrastructure-level controls out of the box — Enterprise plans include a BAA.
Need compliance-ready AI agent hosting?
Try Rapid ClawTable of Contents
1. Why SOC 2 & HIPAA Matter for AI Agent Platforms
Traditional SaaS applications handle data through well-understood request-response patterns. AI agents are different. They operate autonomously — making tool calls, accessing external APIs, reading files, and generating outputs without human approval for each action. This autonomy creates a fundamentally larger attack surface and a more complex compliance story.
Consider what an AI agent running on a healthcare platform might do in a single session: read patient records from an EHR system, query a drug interaction database, generate a summary document, and email it to a physician. Each of those steps involves PHI, and each needs to be encrypted, logged, access-controlled, and auditable. If any step leaks data or fails to log properly, you have a HIPAA violation.
SOC 2 Type II and HIPAA compliance aren’t just checkboxes — they’re the minimum bar for enterprise and healthcare customers. Without them, you won’t pass procurement review, and you shouldn’t be handling sensitive data. If you’re building on OpenClaw or Hermes Agent and targeting regulated industries, this guide is your roadmap.
For foundational security concepts, see our guide on AI agent observability and the OpenClaw security hardening checklist.
2. SOC 2 Type II: The Five Trust Service Criteria
SOC 2 is an auditing framework developed by the AICPA. Type I evaluates controls at a single point in time; Type II evaluates them over a sustained period (typically 6–12 months). For AI agent platforms, Type II is what matters because it proves your controls work consistently — not just that they exist on paper.
The five Trust Service Criteria (TSC) map directly to AI agent platform requirements:
| Criteria | AI Agent Implication | Key Controls |
|---|---|---|
| Security | Agent sandboxing, network isolation, authentication | mTLS, RBAC, container isolation |
| Availability | Agent uptime, failover, graceful degradation | Health checks, auto-restart, multi-AZ deployment |
| Processing Integrity | Tool calls execute correctly, outputs are deterministic | Input validation, output verification, idempotency |
| Confidentiality | Agent memory, conversation logs, API keys | Encryption at rest, key management, data classification |
| Privacy | PII handling, data retention, user consent | Data minimization, retention policies, access logging |
The key difference between SOC 2 for a traditional web app and SOC 2 for an AI agent platform is autonomy scope. An agent doesn’t just respond to user input — it makes decisions, calls tools, and generates side effects. Your SOC 2 controls must account for what the agent can do unprompted, not just what the user asks it to do.
3. HIPAA Fundamentals for AI Agent Hosting
HIPAA (Health Insurance Portability and Accountability Act) protects Protected Health Information (PHI) — any individually identifiable health data. When an AI agent processes PHI, both the platform hosting the agent and the organization deploying it have compliance obligations.
The three HIPAA rules relevant to AI agent platforms are:
Privacy Rule
Governs the use and disclosure of PHI. For AI agents, this means the agent must only access PHI necessary for its task (minimum necessary standard), and must not store or transmit PHI beyond what’s required. Agent memory and conversation logs containing PHI must be treated as PHI themselves.
Security Rule
Requires administrative, physical, and technical safeguards for electronic PHI (ePHI). This includes encryption, access controls, audit controls, integrity controls, and transmission security. Every component in your agent pipeline — inference, tool execution, memory, logging — must implement these safeguards.
Breach Notification Rule
If PHI is compromised, you must notify affected individuals within 60 days, HHS if the breach affects 500+ individuals, and prominent media outlets for large breaches. Your AI agent platform needs automated breach detection and an incident response plan that accounts for agent-specific failure modes.
A critical point: model providers (Anthropic, OpenAI, Google) handle PHI differently. Some offer BAAs for their API products; some explicitly don’t. Your compliance posture must account for where model inference happens and whether the model provider is also a Business Associate in your chain. For more on securing the API layer, see our AI agent firewall setup guide.
4. Encryption: At Rest and In Transit
Encryption is the foundation of both SOC 2 and HIPAA compliance. For AI agents, encryption must cover four data categories: conversation history, agent memory and state, tool call inputs/outputs, and audit logs. Each must be encrypted both at rest (AES-256) and in transit (TLS 1.3).
Here’s how to configure encryption for an OpenClaw deployment:
# openclaw_config.py — SOC 2 & HIPAA encryption settings
import os
from cryptography.fernet import Fernet
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
class ComplianceEncryption:
"""AES-256-GCM encryption for PHI and sensitive agent data."""
def __init__(self):
# Key from HSM or KMS — never hardcode
self.key = os.environ["OPENCLAW_ENCRYPTION_KEY"]
self.aesgcm = AESGCM(bytes.fromhex(self.key))
def encrypt_phi(self, plaintext: bytes, context: str) -> bytes:
"""Encrypt PHI with authenticated context.
The 'context' parameter (e.g., 'agent_memory',
'tool_output') is bound to the ciphertext via AAD,
preventing cross-context decryption attacks.
"""
nonce = os.urandom(12)
ciphertext = self.aesgcm.encrypt(
nonce,
plaintext,
context.encode("utf-8"), # AAD
)
return nonce + ciphertext
def decrypt_phi(self, data: bytes, context: str) -> bytes:
"""Decrypt PHI, verifying authenticated context."""
nonce, ciphertext = data[:12], data[12:]
return self.aesgcm.decrypt(
nonce,
ciphertext,
context.encode("utf-8"),
)
# Usage in agent pipeline
enc = ComplianceEncryption()
# Encrypt conversation memory before persistence
encrypted_memory = enc.encrypt_phi(
memory_bytes, context="agent_memory"
)
# Encrypt tool call output containing PHI
encrypted_output = enc.encrypt_phi(
tool_result, context="tool_output"
)For Hermes Agent (YAML-based configuration), encryption is set at the deployment level:
# hermes-config.yaml — SOC 2 & HIPAA encryption
security:
encryption:
at_rest:
algorithm: AES-256-GCM
key_source: aws-kms # or gcp-kms, azure-keyvault
key_id: alias/hermes-phi-key
rotate_days: 90
in_transit:
min_tls_version: "1.3"
cipher_suites:
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
mtls_enabled: true
client_cert_path: /etc/hermes/certs/client.pem
# Encrypt these data categories
encrypt_categories:
- conversation_history
- agent_memory
- tool_call_inputs
- tool_call_outputs
- audit_logs
# PHI-specific settings
phi:
enabled: true
auto_detect: true # Flag fields matching PHI patterns
redact_in_logs: true # Redact PHI from non-audit logs
retention_days: 2190 # 6 years per HIPAA5. Access Control and RBAC
Both SOC 2 and HIPAA require role-based access control (RBAC) with the principle of least privilege. For AI agents, access control operates at two levels: human access (who can deploy, configure, and view agent activity) and agent access (what tools, APIs, and data the agent itself can reach).
Most compliance failures in AI agent platforms happen at the agent access level. A common mistake is giving the agent broad tool permissions — “it needs to access everything to be useful” — which directly violates least-privilege and makes your SOC 2 auditor very unhappy.
# rbac_policy.py — Role-based access for OpenClaw agents
from dataclasses import dataclass, field
from enum import Enum
from typing import Set
class Permission(Enum):
READ_PHI = "read_phi"
WRITE_PHI = "write_phi"
TOOL_CALL = "tool_call"
EXTERNAL_API = "external_api"
FILE_ACCESS = "file_access"
ADMIN = "admin"
@dataclass
class AgentRole:
name: str
permissions: Set[Permission]
allowed_tools: Set[str] = field(default_factory=set)
allowed_apis: Set[str] = field(default_factory=set)
max_tokens_per_session: int = 10_000
# Least-privilege role definitions
ROLES = {
"phi_reader": AgentRole(
name="phi_reader",
permissions={Permission.READ_PHI, Permission.TOOL_CALL},
allowed_tools={"ehr_lookup", "drug_interaction_check"},
allowed_apis={"ehr-api.internal"},
max_tokens_per_session=50_000,
),
"report_generator": AgentRole(
name="report_generator",
permissions={Permission.READ_PHI, Permission.FILE_ACCESS},
allowed_tools={"generate_pdf", "send_secure_email"},
allowed_apis={"smtp.internal"},
max_tokens_per_session=100_000,
),
"general_assistant": AgentRole(
name="general_assistant",
permissions={Permission.TOOL_CALL},
allowed_tools={"web_search", "calculator", "calendar"},
allowed_apis=set(), # No external API access
max_tokens_per_session=25_000,
),
}
def enforce_rbac(agent_role: str, tool_name: str) -> bool:
"""Check if agent role permits this tool call."""
role = ROLES.get(agent_role)
if not role:
return False
if Permission.TOOL_CALL not in role.permissions:
return False
return tool_name in role.allowed_tools# hermes-rbac.yaml — Role-based access control
roles:
phi_reader:
description: "Read-only access to PHI via EHR tools"
permissions:
- read_phi
- tool_call
allowed_tools:
- ehr_lookup
- drug_interaction_check
allowed_endpoints:
- "ehr-api.internal:443"
session_limits:
max_tokens: 50000
max_tool_calls: 100
timeout_minutes: 30
report_generator:
description: "Generate and deliver clinical reports"
permissions:
- read_phi
- file_access
allowed_tools:
- generate_pdf
- send_secure_email
data_access:
phi_categories:
- demographics
- diagnoses
- medications
excluded:
- ssn
- financial
general_assistant:
description: "No PHI access, general tools only"
permissions:
- tool_call
allowed_tools:
- web_search
- calculator
- calendar
phi_access: false # Explicit deny6. Audit Logging for Compliance
Audit logging is where SOC 2 and HIPAA requirements converge most directly. Both require comprehensive, tamper-evident logs of all access events. For AI agents, “access event” means far more than HTTP requests — every tool call, model invocation, memory read/write, and data access must be logged.
SOC 2 requires a minimum 1-year retention period for audit logs. HIPAA requires 6 years. If you’re targeting both, design for the longer retention from the start. Logs must be immutable — append-only storage with cryptographic integrity verification.
For deep observability patterns, see our dedicated AI agent observability guide.
# audit_logger.py — HIPAA-compliant audit logging
import hashlib
import json
import time
from datetime import datetime, timezone
from typing import Any, Optional
class ComplianceAuditLogger:
"""Immutable, append-only audit logger for SOC 2 & HIPAA."""
def __init__(self, storage_backend: str = "s3"):
self.storage = storage_backend
self.prev_hash = "GENESIS"
def log_event(
self,
event_type: str,
agent_id: str,
user_id: str,
resource: str,
action: str,
phi_accessed: bool = False,
details: Optional[dict[str, Any]] = None,
) -> dict:
"""Log a compliance audit event with chain hash."""
event = {
"timestamp": datetime.now(timezone.utc).isoformat(),
"event_type": event_type,
"agent_id": agent_id,
"user_id": user_id,
"resource": resource,
"action": action,
"phi_accessed": phi_accessed,
"details": details or {},
"prev_hash": self.prev_hash,
}
# Chain hash for tamper detection
event_bytes = json.dumps(
event, sort_keys=True
).encode()
event["hash"] = hashlib.sha256(
event_bytes
).hexdigest()
self.prev_hash = event["hash"]
# Write to immutable storage
self._persist(event)
return event
def _persist(self, event: dict) -> None:
"""Write to S3 with Object Lock (WORM)."""
# Implementation: boto3 put_object with
# ObjectLockMode='COMPLIANCE',
# ObjectLockRetainUntilDate=6_years_from_now
...
# Usage examples
logger = ComplianceAuditLogger()
# Log tool call
logger.log_event(
event_type="tool_call",
agent_id="agent-healthcare-01",
user_id="dr-smith",
resource="ehr_lookup",
action="read",
phi_accessed=True,
details={
"patient_id_hash": "sha256:abc...",
"fields_accessed": ["diagnosis", "meds"],
},
)
# Log model invocation
logger.log_event(
event_type="model_invocation",
agent_id="agent-healthcare-01",
user_id="dr-smith",
resource="claude-sonnet-4",
action="inference",
phi_accessed=True,
details={
"input_tokens": 2400,
"output_tokens": 800,
"phi_in_prompt": True,
},
)# hermes-audit.yaml — Compliance audit logging
audit:
enabled: true
level: comprehensive # log everything
# What to log
events:
- tool_calls # every tool invocation
- model_invocations # every LLM call
- memory_access # reads/writes to agent memory
- permission_changes # RBAC modifications
- data_access # any PHI or sensitive data
- auth_events # login, logout, token refresh
- config_changes # agent config modifications
# Tamper protection
integrity:
chain_hashing: true # SHA-256 hash chain
signature: hmac-sha256
signing_key_source: aws-kms
# Storage
storage:
backend: s3
bucket: hermes-audit-logs-prod
object_lock: true # WORM compliance
retention_mode: COMPLIANCE
retention_years: 6 # HIPAA minimum
# PHI handling in logs
phi_redaction:
enabled: true
strategy: hash # hash PHI identifiers
preserve_fields:
- patient_id_hash
- access_timestamp
- accessing_agent
- action_type7. Data Residency and Region Controls
Data residency is a critical compliance control that’s uniquely challenging for AI agent platforms. Unlike a traditional web app where data stays in your database, an AI agent’s data flows through multiple services: the model provider (for inference), tool endpoints (for actions), memory stores (for persistence), and logging backends (for audit trails).
SOC 2 auditors will verify that data stays within the regions specified in your security policies. HIPAA doesn’t explicitly require US-only storage, but virtually all covered entities mandate it contractually. Your platform must guarantee that all data — including intermediate inference outputs and agent scratchpad content — remains in compliant regions.
# data_residency.py — Region enforcement for OpenClaw
from dataclasses import dataclass
@dataclass
class ResidencyPolicy:
allowed_regions: list[str]
model_endpoints: dict[str, str]
storage_regions: dict[str, str]
enforce_strict: bool = True
# US-only policy for HIPAA workloads
HIPAA_US_POLICY = ResidencyPolicy(
allowed_regions=["us-east-1", "us-west-2"],
model_endpoints={
"anthropic": "https://api.us.anthropic.com",
"openai": "https://api.openai.com", # US-based
},
storage_regions={
"agent_memory": "us-east-1",
"audit_logs": "us-east-1",
"conversation_history": "us-east-1",
"tool_outputs": "us-west-2", # DR region
},
enforce_strict=True,
)
def validate_residency(
data_type: str,
target_region: str,
policy: ResidencyPolicy,
) -> bool:
"""Block any operation targeting a non-compliant region."""
if not policy.enforce_strict:
return True
if target_region not in policy.allowed_regions:
raise ResidencyViolation(
f"{data_type} cannot be stored in "
f"{target_region}. Allowed: "
f"{policy.allowed_regions}"
)
return True# hermes-residency.yaml — Data residency enforcement
data_residency:
mode: strict # block non-compliant regions
default_region: us-east-1
# Per-category region rules
categories:
agent_memory:
primary: us-east-1
replica: us-west-2
audit_logs:
primary: us-east-1
replica: us-west-2
cross_region_replication: true
conversation_history:
primary: us-east-1
tool_outputs:
primary: us-east-1
# Model inference routing
inference:
prefer_region: us-east-1
allowed_providers:
- provider: anthropic
endpoint: "https://api.us.anthropic.com"
region: us-east-1
- provider: openai
endpoint: "https://api.openai.com"
region: us-east-2
# Enforcement
violations:
action: block_and_alert
alert_channel: "#compliance-alerts"
log_level: critical8. Business Associate Agreements (BAA)
A Business Associate Agreement is the legal backbone of HIPAA compliance when third parties handle PHI. For an AI agent platform, the BAA chain can get complex. You need BAAs with every party that touches PHI:
A common gap: teams sign a BAA with their cloud provider but forget that the AI model provider is also processing PHI. If your agent sends patient data to Claude or GPT-4 for inference, you need a BAA with that model provider too.
Important
Not all model providers offer BAAs. As of April 2026, Anthropic offers a BAA for Claude API on the Scale/Enterprise tier, and OpenAI offers a BAA for their API. Consumer-tier products (ChatGPT Plus, Claude Pro) are generally not covered by BAAs. Always verify the current status directly with the provider before processing PHI.
9. Implementation: OpenClaw & Hermes Code
Putting it all together: here’s a compliance middleware that wraps your agent pipeline with all required controls. This intercepts every tool call and model invocation, enforcing encryption, RBAC, audit logging, and data residency checks.
# compliance_middleware.py — SOC 2 + HIPAA middleware
from functools import wraps
from typing import Callable, Any
class ComplianceMiddleware:
"""Wraps OpenClaw agent pipeline with compliance
controls for SOC 2 Type II and HIPAA."""
def __init__(
self,
encryption: ComplianceEncryption,
audit: ComplianceAuditLogger,
residency: ResidencyPolicy,
roles: dict,
):
self.enc = encryption
self.audit = audit
self.residency = residency
self.roles = roles
def compliant_tool_call(
self, agent_role: str
) -> Callable:
"""Decorator for compliant tool execution."""
def decorator(func: Callable) -> Callable:
@wraps(func)
def wrapper(
agent_id: str,
user_id: str,
*args: Any,
**kwargs: Any,
) -> Any:
tool = func.__name__
# 1. RBAC check
if not enforce_rbac(agent_role, tool):
self.audit.log_event(
"access_denied",
agent_id, user_id,
tool, "blocked",
)
raise PermissionError(
f"Role {agent_role} cannot "
f"use tool {tool}"
)
# 2. Data residency check
validate_residency(
"tool_output",
self.residency.storage_regions
.get("tool_outputs", ""),
self.residency,
)
# 3. Execute tool
result = func(
agent_id, user_id,
*args, **kwargs,
)
# 4. Encrypt output if PHI
role = self.roles[agent_role]
has_phi = "read_phi" in {
p.value for p in role.permissions
}
if has_phi:
result = self.enc.encrypt_phi(
result.encode(),
context="tool_output",
)
# 5. Audit log
self.audit.log_event(
"tool_call",
agent_id, user_id,
tool, "executed",
phi_accessed=has_phi,
)
return result
return wrapper
return decorator# hermes-compliance.yaml — Full SOC 2 + HIPAA config
compliance:
frameworks:
- soc2_type_ii
- hipaa
# Middleware pipeline — applied to every agent action
middleware:
- name: rbac_check
order: 1
fail_action: block
- name: residency_check
order: 2
fail_action: block
- name: encryption
order: 3
scope: [input, output, memory]
- name: audit_log
order: 4
scope: [tool_calls, model_calls, data_access]
- name: phi_detection
order: 5
action: flag_and_encrypt
# Automated compliance checks
continuous_monitoring:
enabled: true
checks:
- name: encryption_at_rest
frequency: daily
alert_on_failure: true
- name: access_review
frequency: weekly
notify: compliance-team@company.com
- name: log_integrity
frequency: hourly
verify: chain_hash
- name: key_rotation
frequency: daily
max_key_age_days: 90
# Incident response
breach_detection:
enabled: true
triggers:
- unauthorized_phi_access
- encryption_failure
- residency_violation
- audit_log_gap
notification:
channels: [email, slack, pagerduty]
escalation_minutes: 15
hipaa_notification_days: 6010. SOC 2 + HIPAA Compliance Checklist
Use this checklist to audit your AI agent platform against both SOC 2 Type II and HIPAA requirements. Items marked with SOC 2 are required for SOC 2; items marked with HIPAA are HIPAA-specific; items with both apply to both frameworks.
11. Managed vs Self-Hosted Compliance
The build-vs-buy decision for compliance is even more pronounced than for the agent platform itself. Self-hosting gives you maximum control but requires you to implement, maintain, and audit every control yourself. Managed platforms shift the infrastructure-level compliance burden to the provider.
| Dimension | Self-Hosted | Managed (Rapid Claw) |
|---|---|---|
| Time to SOC 2 readiness | 6–12 months | Weeks (inherit platform controls) |
| Estimated cost | $50K–$150K + ongoing ops | Included in Enterprise plan |
| Encryption | You implement and manage keys | AES-256 + TLS 1.3 built in |
| Audit logging | You build and maintain pipeline | Immutable logs, 6-yr retention |
| BAA availability | Negotiate per provider | Included on Enterprise |
| Network isolation | Manual VPC/firewall config | Per-tenant isolation by default |
| Ongoing audit burden | Full scope — you own everything | Reduced scope — shared responsibility |
The shared responsibility model is key: the managed platform handles infrastructure-level controls (encryption, network isolation, log storage, key management), while you remain responsible for application-level controls (what data your agent accesses, how you configure permissions, your organizational policies). This dramatically reduces your SOC 2 audit scope without giving up control over your agent behavior.
Skip the 6-month compliance buildout
Rapid Claw Enterprise includes SOC 2-ready infrastructure, HIPAA-compliant controls, and a signed BAA. Deploy OpenClaw or Hermes agents in a compliant environment from day one.