Compliance

Our Position

Compliance is not a checkbox for us. It is the foundation on which trust is built. When researchers submit genomic data to our platform, when clinicians use our predictions to inform treatment decisions, when governments grant us access to national health datasets, they are placing an extraordinary level of confidence in our systems, our processes, and our people. That confidence must be earned every day, through verifiable action, not through promises.

We operate in a domain where a single failure in data handling can compromise patient privacy, where a misconfigured access control can expose proprietary research, and where the misuse of our technology could have consequences measured not in dollars but in human lives. We take this responsibility with the gravity it demands.

VARL does not treat regulatory requirements as constraints to be minimized. We treat them as the minimum acceptable standard, and then we go further. Our internal policies exceed regulatory requirements in nearly every category. Where regulations have not yet caught up with the capabilities of biological AI, we impose our own standards based on what we believe is right, not just what is legally required.

Every system we deploy, every API we expose, every dataset we handle is subject to the same question: if this were made public tomorrow, would we be proud of how it was handled? If the answer is anything less than an unequivocal yes, it does not ship.

Last Updated: February 14, 2026

Regulatory Frameworks

VARL maintains compliance with the following regulatory frameworks across all jurisdictions in which we operate. Our legal and compliance teams continuously monitor regulatory developments and update internal policies accordingly.

HIPAA: Health Insurance Portability and Accountability Act

VARL implements administrative, physical, and technical safeguards as required by the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. All partners processing protected health information (PHI) through our platform are required to execute a Business Associate Agreement (BAA) prior to data transmission. Our infrastructure supports HIPAA-compliant data handling, including encryption at rest and in transit, access controls, audit logging, and workforce training.

GDPR: General Data Protection Regulation (EU) 2016/679

VARL processes personal data of EU/EEA residents in full compliance with the GDPR. We maintain lawful bases for all processing activities, conduct Data Protection Impact Assessments (DPIAs) for high-risk processing, honor data subject rights within statutory timelines, and implement data protection by design and by default across our platform. International data transfers are secured through Standard Contractual Clauses (SCCs) and supplementary technical measures.

CCPA/CPRA: California Consumer Privacy Act and California Privacy Rights Act

California residents are afforded enhanced privacy rights under the CCPA as amended by the CPRA. VARL does not sell personal information. We provide California consumers with the right to know, delete, correct, and opt out of the sharing of their personal information. We maintain a dedicated process for handling consumer rights requests within the 45-day statutory response period.

FDA: U.S. Food and Drug Administration Regulations

VARL's platform is currently designated for research use only (RUO) and has not been submitted for FDA clearance or approval as a medical device. Where applicable, our quality management processes align with 21 CFR Part 11 (Electronic Records; Electronic Signatures) and we maintain documentation practices consistent with FDA guidance on software as a medical device (SaMD) in anticipation of future regulatory submissions.

GxP: Good Practice Regulations (GLP, GCP, GMP)

For partnerships involving preclinical research (GLP), clinical trials (GCP), or manufacturing processes (GMP), VARL adapts its platform operations to meet the applicable Good Practice requirements. This includes validated systems, complete audit trails, controlled document management, and personnel qualification records. Specific GxP compliance measures are documented in the applicable Quality Agreement executed with each partner.

EAR/ITAR: Export Administration Regulations and International Traffic in Arms Regulations

VARL screens all users, partners, and transactions against relevant export control and sanctions lists, including the U.S. Commerce Department's Entity List, the U.S. Treasury Department's (OFAC) Specially Designated Nationals (SDN) List, and applicable EU and UK sanctions lists. Our platform is not available to individuals, organizations, or governments located in, or subject to, comprehensive U.S. sanctions. Dual-use technology assessments are conducted for all API access grants.

Certifications & Audits

VARL subjects its infrastructure, processes, and controls to independent third-party audits on a regular basis. The following certifications and attestations are maintained:

SOC 2 Type II

Annual audit covering security, availability, processing integrity, confidentiality, and privacy trust service criteria. Our SOC 2 Type II report is issued by an independent CPA firm and covers a 12-month observation period. The report is available to customers and partners under NDA upon request.

Last audit: December 2025 · Auditor: Deloitte & Touche LLP

ISO 27001

Certification for our Information Security Management System (ISMS), covering risk assessment, access control, incident management, business continuity, and supplier relationship security. The certification scope includes all production infrastructure, API services, and internal systems handling sensitive data.

Certified since: March 2025 · Certifying body: BSI Group

ISO 27701

Extension to ISO 27001 covering privacy information management. This certification demonstrates our commitment to managing personal data in accordance with international privacy standards, including GDPR alignment. It covers our roles as both data controller and data processor.

Certified since: June 2025 · Certifying body: BSI Group

CSA STAR

Cloud Security Alliance STAR Level 2 attestation, demonstrating that our cloud infrastructure meets the security and privacy controls defined in the Cloud Controls Matrix (CCM). This attestation is particularly relevant for enterprise and government partners evaluating our cloud security posture.

Attested since: September 2025

Data Security

Security is foundational to everything we build. The following measures are implemented across our entire infrastructure:

Encryption

AES-256 encryption at rest. TLS 1.3 encryption in transit. API keys and authentication tokens are never stored in plaintext: they are encrypted using industry-standard cryptographic algorithms, and the keys that protect them are generated and held in hardware security modules (HSMs).

Access Control

Role-based access control (RBAC) with principle of least privilege. Mandatory multi-factor authentication for all internal systems and administrative access. Privileged access management with just-in-time provisioning.

Audit Logging

Immutable audit trails for all data access events, API calls, configuration changes, and administrative actions. Logs are retained for a minimum of 6 years and are protected against tampering through cryptographic chaining, in which each entry commits to the hash of the entry before it, so that any edit, reordering, or deletion of an earlier record is detectable on verification.
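As an added illustration of the cryptographic chaining described above (example code written for this page, not VARL's own implementation; the event records, actor names and resource identifiers are constructed), the following Python builds a hash-chained audit log, verifies every link, and shows what a chain alone does and does not catch. Edits, reordering and deletion of earlier entries break the chain; truncation of the tail does not, because a shortened chain is still internally consistent, which is why the latest head hash has to be anchored somewhere the log writer cannot modify.

```python
"""Tamper-evident (hash-chained) audit log: append, verify, and probe the
failure modes a reviewer should test for. Added example, not VARL's code.
All event data below is constructed for illustration."""
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64  # stands in for the hash of the non-existent entry before seq 0

# Constructed sample events (hypothetical actors, actions and resources).
SAMPLE_EVENTS = [
    {"ts": "2026-02-14T09:00:00Z", "actor": "svc-ingest", "action": "dataset.read", "resource": "ds-0001"},
    {"ts": "2026-02-14T09:01:10Z", "actor": "alice", "action": "api.call", "resource": "/v1/predict"},
    {"ts": "2026-02-14T09:02:45Z", "actor": "admin-bob", "action": "config.change", "resource": "rbac/policy"},
]


def _canonical(obj) -> bytes:
    # Deterministic serialisation: key order and whitespace must not change the hash.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def _entry_hash(seq: int, prev_hash: str, event: dict) -> str:
    # The hash covers the sequence number, the predecessor's hash and the event itself.
    return hashlib.sha256(_canonical({"seq": seq, "prev_hash": prev_hash, "event": event})).hexdigest()


def append_entry(chain: list, event: dict) -> dict:
    """Append an event; the new entry commits to the hash of the entry before it."""
    seq = len(chain)
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    entry = {"seq": seq, "prev_hash": prev_hash, "event": copy.deepcopy(event)}
    entry["hash"] = _entry_hash(seq, prev_hash, entry["event"])
    chain.append(entry)
    return entry


def verify_chain(chain: list):
    """Return (True, None) if every link holds, else (False, index of first bad entry)."""
    expected_prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["seq"] != i or entry["prev_hash"] != expected_prev:
            return False, i  # gap, reorder, or deletion of an earlier entry
        recomputed = _entry_hash(entry["seq"], entry["prev_hash"], entry["event"])
        if not hmac.compare_digest(recomputed, entry["hash"]):
            return False, i  # event content or stored hash edited in place
        expected_prev = entry["hash"]
    return True, None


def head_hash(chain: list) -> str:
    """The value to anchor outside the log (signed, published, or sent to a separate store)."""
    return chain[-1]["hash"] if chain else GENESIS


def anchor_holds(chain: list, anchored_head: str) -> bool:
    """Truncating the tail leaves a chain that still verifies; only an externally
    recorded head hash reveals that entries after the cut are missing."""
    ok, _ = verify_chain(chain)
    return ok and hmac.compare_digest(head_hash(chain), anchored_head)


def build_sample_chain() -> list:
    chain = []
    for ev in SAMPLE_EVENTS:
        append_entry(chain, ev)
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    anchor = head_hash(chain)
    print("intact:", verify_chain(chain))
    edited = copy.deepcopy(chain)
    edited[1]["event"]["actor"] = "mallory"
    print("entry 1 edited:", verify_chain(edited))
    deleted = copy.deepcopy(chain)
    del deleted[1]
    print("entry 1 deleted:", verify_chain(deleted))
    truncated = chain[:2]
    print("tail truncated: chain verifies?", verify_chain(truncated), "anchor holds?", anchor_holds(truncated, anchor))
```

In practice the head hash is anchored at a fixed cadence (for example by signing it and storing it in a system the log writer has no access to), and verification compares the current chain both against itself and against the most recent anchor; a chain that verifies but whose head no longer matches any anchor has been cut short.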

Network Security

Network segmentation with micro-segmented security zones. Web application firewall (WAF), DDoS protection, and intrusion detection/prevention systems (IDS/IPS). Continuous vulnerability scanning and penetration testing.

Incident Response

Documented incident response plan with defined severity levels, escalation procedures, and communication protocols. Personal data breaches are reported to the competent supervisory authority within 72 hours of becoming aware of them (GDPR Article 33), and breaches of unsecured PHI are notified without unreasonable delay and no later than 60 days after discovery, as required by the HIPAA Breach Notification Rule. Annual tabletop exercises and post-incident reviews.

Business Continuity

Multi-region infrastructure with automated failover. Recovery Point Objective (RPO) of 1 hour and Recovery Time Objective (RTO) of 4 hours for critical systems. Annual disaster recovery testing with documented results.

Biosecurity & Ethical Oversight

Given the dual-use potential of biological intelligence technologies, VARL maintains a dedicated Biosecurity and Ethics Board that reviews all new capabilities, partnership applications, and API access requests for potential misuse risk. The board comprises internal scientists, external advisors, and independent bioethics experts.

Key measures include:

  • Pre-deployment risk assessment for all new platform features with dual-use potential
  • Institutional review of all API access applications involving pathogen modeling, toxicology simulation, or genetic manipulation workflows
  • Real-time usage monitoring with automated anomaly detection for patterns consistent with misuse
  • Cooperation with national and international biosecurity agencies, including voluntary reporting of potential threats
  • Annual publication of a Transparency Report documenting access decisions, denied applications, and revoked credentials
  • Adherence to the Biological Weapons Convention (BWC) and relevant national implementing legislation

Vendor & Supply Chain Management

VARL evaluates the security and compliance posture of all third-party vendors and subprocessors before engagement. Our vendor management program includes:

  • Security questionnaires and due diligence assessments prior to onboarding
  • Contractual data processing agreements with all subprocessors that handle personal or sensitive data
  • Annual reassessment of vendor security posture with documented findings
  • Right to audit clauses in all critical vendor agreements
  • Immediate vendor review and potential termination in the event of a security incident

A list of our subprocessors is available upon request and is updated whenever a new subprocessor is engaged. Partners with contractual notification requirements are informed at least 30 days before any subprocessor change takes effect.

Employee Training & Awareness

All VARL employees and contractors are required to complete the following training programs:

  • Security awareness training upon hire and annually thereafter
  • HIPAA privacy and security training for all personnel with access to PHI
  • GDPR data protection training for all personnel processing EU personal data
  • Biosecurity awareness training covering dual-use research concerns and responsible technology development
  • Insider threat awareness and social engineering prevention
  • Incident reporting procedures and whistleblower protection policies

Training completion is tracked and documented. Personnel who fail to complete mandatory training within the required timeframe are subject to access restrictions until compliance is achieved.

Requesting Compliance Documentation

Partners, regulators, and prospective customers may request copies of the following documents:

  • SOC 2 Type II Report (under NDA)
  • ISO 27001 and ISO 27701 certificates
  • Data Processing Agreement (DPA) template
  • Business Associate Agreement (BAA) template
  • Subprocessor list
  • Penetration test executive summary (under NDA)
  • Annual Transparency Report

To request any of the above, please contact our compliance team:

Compliance Team

VARL Inc. — Legal & Compliance

Email

compliance@varl.com

Mailing Address

VARL Inc., 1209 Orange Street, Wilmington, DE 19801, United States

Response Time

Within 5 business days for standard requests. Expedited review available for active partners and regulatory inquiries.