Stand on the rails that already run the world.
Here is the honest strategy for world-class security and certification: don't rebuild what the world already certified. We build on, and sell with, the compliant infrastructure that already runs the world economy, inheriting its protections and shrinking our own scope, and we earn for ourselves the certifications that cannot be inherited. The whole discipline is being transparent about which is which.
Two doors to compliance. We walk through both, honestly.
Inherit what we can (indirect)
Do not rebuild what the world already certified. By building on and selling with the compliant infrastructure that runs the world economy, we inherit its protections and shrink our own audit scope. This is the legitimate, standard shared-responsibility model, not a shortcut around the rules.
Earn what we must (direct)
Some certifications are about our own organization's controls and cannot be inherited from anyone. SOC 2, ISO 27001 and 42001, HIPAA, FedRAMP, and CMMC are earned by us, through real audits, on the public timeline we already publish. No partner can hand these over.
Be transparent about which is which
The only way this strategy stays honest is to label every capability as inherited or earned, live or roadmap. We never claim a partner's certificate as ours, and we never call ourselves certified before we are.
The umbrella: rails we build on.
This is the indirect path. By operating on and selling through infrastructure that is already compliant and already runs the world economy, we inherit its layer and reduce what is ours to audit. The honest part is the "What's still ours" column: what building on each rail still leaves as our own job. Named companies describe the rails and standards we build on or interoperate with, not signed partnerships or endorsements, except where marked live.
| Rail | What it is | What we inherit | What's still ours | Status |
|---|---|---|---|---|
| Card payments | Stripe, Visa, Mastercard (tokenized; we never touch raw card numbers) | PCI DSS scope reduction: card data lives with the processor and the card networks, so our own attestation is the lightweight SAQ A questionnaire rather than an assessment of a full cardholder-data environment. | Our own SAQ A attestation, a secure integration, and never storing a raw card number. | Live |
| Bank money movement | ACH, Fedwire, Zelle, UPI, and stablecoin settlement (for example Circle / USDC) | Money moves over licensed, regulated rails through a licensed partner, so we do not have to become a bank to move value safely and at settlement-grade reliability. | Our program's KYC/AML, our money-movement licensing posture, and consent + receipts for every transfer. All roadmap. | Roadmap |
| Cloud infrastructure | Hyperscale clouds (for example Google Cloud, Microsoft Azure, AWS) | The infrastructure layer's own FedRAMP, SOC 2, and ISO authorizations under the shared-responsibility model, covering physical, network, and platform security. | Everything in our half of the shared model: our application controls, our configuration, and our own authorization. Building on FedRAMP cloud does not make our app FedRAMP. | Live |
| Identity & sign-in | Apple and Google sign-in, and passwordless email links | World-class authentication and account protection from identity providers that billions already trust, so we are not reinventing login security. | Session handling, consent, and authorization on our side, and a receipt for every access. | Live |
| Work, CRM & communication | Salesforce, Microsoft, Google, Meta / WhatsApp | The platform compliance of the systems our customers already run, for the data that lives inside those systems. | Consent-scoped, revocable sharing across them, with the human at the center and a receipt they can read. Interoperability, not endorsement. | Roadmap |
| Silicon & compute | Best-in-class silicon (for example Nvidia) in 🤫 Puppy One and the edge grid | Hardware-level security features and performance from the industry's leading compute, so the edge fleet stands on proven silicon. | Our secure deployment, key management, and the owned-hardware, consent-first architecture. Hardware-agnostic by design. | Roadmap |
| Agent & payment protocols | Open standards: MCP, A2A, ADK, AP2, UCP | Interoperable, auditable agent-to-agent and agent-to-commerce rails built on shared open standards instead of a private silo. | Building to these standards as they mature, and the consent + receipt layer on top. These are standards we design toward, not certifications. | Roadmap |
The certifications no partner can hand us.
These are about our own organization's controls. They cannot be inherited from anyone, so we earn them directly, through real audits, on the public timeline we already publish.
SOC 2 Type II
An attestation about our own controls and how we actually operate them over time. No partner can grant it. Observation underway; targeted H2 2026.
ISO/IEC 27001 & 42001
Our information-security and AI-management systems, audited. Ours to build and pass. In progress.
HIPAA readiness & BAAs
Safeguards and a business-associate program for regulated health workloads. Our responsibility as the party handling the data. Roadmap.
FedRAMP & DoD Impact Levels
For federal and national-security workloads. Requires our own agency sponsor and a 3PAO assessment; a hyperscaler's FedRAMP authorization does not transfer to our application. In pursuit.
CMMC 2.0 & NIST 800-171/53
For the defense industrial base. The control families are ours to implement and document. In pursuit.
GDPR & EU-US Data Privacy Framework
Consent-first by construction (PCHP), with data-residency and DPF alignment as an ongoing, maintained commitment.
What partnership does, and does not, confer.
This is the part that keeps the strategy honest. Read it as the fine print that is actually in the headline.
- Building on a compliant partner reduces our audit scope and inherits their layer. It does not make us certified. We never present a partner's certificate as our own.
- Shared responsibility is real and two-sided: the rails secure their layer, and we are fully responsible for ours. A FedRAMP cloud does not make our application FedRAMP; a SOC 2 vendor does not make us SOC 2.
- Nothing is unbreakable. This strategy is layered risk reduction, standing on proven infrastructure so that fewer things are ours to get wrong, not a guarantee that nothing can go wrong.
- Status is labeled everywhere. Stripe is live for payments and we build on hyperscale cloud and trusted sign-in today; the broader money-movement, work, and hardware rails are the plan and the roadmap, not signed partnerships.
- The certifications that are ours to earn, we earn, on the public timeline at /one/certifications. We update an item to achieved only when it is formally granted, and we date it.
Build, buy, and sell together, safely.
We reach world-class assurance by standing on the world's compliant rails and earning the rest ourselves, in the open. Partners on those rails, and customers who need the receipts, let's talk.
One is a product of Hushh Technologies Corporation (brand: 🤫 “hussh”), an independent company. One runs on third-party silicon, systems, and cloud; all company names are used solely to describe the platforms on which One software runs. Hushh Technologies is not affiliated with, endorsed by, sponsored by, or partnered with any company named.