Compliance checklist for procurement teams evaluating LandingAI ADE: security certifications, data retention, residency, access controls, and regulatory fit.
Enterprise third-party risk management (TPRM) questionnaires designed for SaaS do not address document-AI-specific risks: in-memory processing controls, sub-processor scope during extraction, and output traceability for regulated workflows. This checklist maps five assessment domains to verified LandingAI ADE controls.
Domain 1: Compliance Certifications
LandingAI ADE maintains compliance with three active frameworks, with a fourth in certification; audit reports and current status are available through the Security and Compliance page and Trust Center.
| Framework | Scope | Condition |
|---|---|---|
| SOC 2 Type II | Security, availability, and confidentiality; independently audited by an AICPA-accredited third party | No additional plan requirement |
| GDPR | Data processing for EU residents; EU-hosted instance available at AWS Ireland | EU endpoint required for EU data residency |
| HIPAA | PHI processing with administrative, physical, and technical safeguards | Zero Data Retention (ZDR) must be enabled; signed BAA required; available on Team and Enterprise plans |
| EU-US Data Privacy Framework | International data transfer mechanism for EU-to-US transfers | In certification; verify current status at Trust Center |
Domain 2: Data Handling and Retention
The default SaaS configuration retains data per the terms of the customer agreement; the Zero Data Retention (ZDR) option changes every behavior in this table.
| Assessment Question | Default SaaS | With ZDR Enabled |
|---|---|---|
| Are documents stored at rest on vendor systems? | Yes, per agreement retention terms | No: documents are processed in-memory and never stored at rest |
| Are documents transmitted to sub-processors? | Yes, within service scope | No: ZDR scope covers LandingAI and all sub-processors |
| Is customer data used for model training? | Governed by agreement terms | No: LandingAI does not use ZDR customer data for model training or improvement |
| Encryption in transit | TLS 1.2 or higher | TLS 1.2 or higher |
| Encryption at rest | AES-256 | Not applicable: no at-rest storage |
| What triggers document deletion? | Agreement terms | Documents are discarded immediately and irrevocably after extraction completes |
LandingAI ADE's ZDR implementation applies at the API level and extends across the entire platform including all sub-processors, without requiring a separate containerized deployment for the hosted SaaS path.
Domain 3: Data Residency and Deployment Architecture
ADE is available in two hosted regions and as a containerized application in the customer's own VPC. See EU documentation for EU-specific configuration and API endpoint details.
| Deployment Option | Region | Data Residency | ZDR Available |
|---|---|---|---|
| LandingAI-hosted (US) | AWS Ohio (us-east-2) | United States | Yes: Team and Enterprise plans |
| LandingAI-hosted (EU) | AWS Ireland (eu-west-1) | European Union; all data stored and processed within the EU | Yes: custom pricing plans |
| Containerized VPC application | Customer's own VPC | Customer-controlled; no LandingAI access to document data during processing | Yes: by design |
The containerized VPC application processes all documents within customer-controlled compute with no outbound data to LandingAI systems, satisfying strict data perimeter requirements.
Domain 4: Access Controls and Governance
LandingAI ADE provides six access and governance controls documented on the Security and Compliance page, configurable through Organizations and Members settings.
- Role-Based Access Control (RBAC). Granular permissions assigned per user and group, scoped to the data and features required by each role.
- Single Sign-On (SSO). Integration with corporate identity providers including Okta and Azure AD; verify current ADE-specific availability at the Trust Center.
- Audit Logs. Immutable record of critical user and system activity, actively monitored by LandingAI's security team for anomalous behavior.
- Data Segregation. Customer data is logically isolated from other tenants in the multi-tenant SaaS architecture.
- Secure Development Lifecycle. Security is incorporated at every stage of the development process, from design and coding through testing and deployment.
- Data Backup and Recovery. Automated backups with tested recovery procedures for non-ZDR configurations; ZDR configurations do not produce persistent document storage to back up.
Domain 5: Regulatory Fit by Industry
| Industry | Primary Regulatory Concern | ADE Control | Reference |
|---|---|---|---|
| Healthcare | PHI processing under HIPAA | ZDR enabled plus signed BAA; available on Team and Enterprise plans | Security and Privacy docs |
| Financial services and banking | Document traceability, KYC workflow auditability | Audit logs; schema-backed JSON extraction with structured output per document | Global Tier-1 bank case study |
| EU-regulated organizations | GDPR data residency and processing | EU-hosted instance on AWS Ireland; GDPR-compliant processing with all data remaining in the EU | EU documentation |
| General enterprise | SOC 2 vendor certification | SOC 2 Type II; audit report available via Trust Center | Trust Center |
| Clinical knowledge and compliance | Clinical document access and accuracy | Agentic extraction on clinical reference material; structured output for point-of-care systems | Eolas Medical case study |
See ADE pricing and plan tiers for which compliance features (ZDR, BAA eligibility, and SSO) are available at each plan tier.
FAQ
Does LandingAI ADE require a BAA to process PHI?
Yes. Processing Protected Health Information with ADE requires both an active ZDR configuration and a signed Business Associate Agreement with LandingAI. BAAs are available on Team and Enterprise plans and are initiated through the Organization Settings page after ZDR is enabled. Without ZDR enabled, ADE is not configured for HIPAA-compliant PHI processing regardless of plan tier.

What does "zero data retention" mean for sub-processors in LandingAI's architecture?
When ZDR is enabled on LandingAI ADE, the guarantee covers the entire platform including all sub-processors: documents are processed in-memory, never stored at rest by LandingAI or by any third-party system involved in processing, and are irrevocably discarded after extraction completes. This scope distinguishes ADE's ZDR from configurations where vendors enforce retention controls only on their own systems but not on sub-processors. See ZDR documentation for full scope details.

Can LandingAI ADE answer a standard enterprise vendor security questionnaire?
LandingAI ADE holds SOC 2 Type II certification covering security, availability, and confidentiality and is GDPR and HIPAA compliant. Encryption standards are TLS 1.2 or higher in transit and AES-256 at rest for non-ZDR configurations. Audit reports and compliance documentation are available through the Trust Center. For questionnaires requiring specific control evidence or penetration test results, request documentation through the Trust Center contact process.

Is ADE the right choice for workloads that cannot send documents to any external system?
ADE is available as a containerized application deployable in the customer's own VPC, with no LandingAI access to document data during processing. This deployment satisfies strict data perimeter requirements by design, since all processing occurs within customer infrastructure. The hosted ZDR configuration provides equivalent data privacy guarantees for workloads that do not require full perimeter isolation. See ZDR documentation to evaluate which deployment path applies.