Compliance

1. Data Protection Regulations

1.1 GDPR Compliance (European Union)

We comply with the General Data Protection Regulation (GDPR) for all EU users:

• Lawful Basis: Contract performance and legitimate interests
• Data Subject Rights: Access, rectification, erasure, portability, objection
• Data Processing Agreements: Available for enterprise customers
• Data Protection Officer: Designated DPO for EU inquiries
• Breach Notification: 72-hour notification to authorities and users
• Data Transfer: Standard Contractual Clauses (SCCs) for international transfers
• Privacy by Design: Built-in privacy protections from the ground up

1.2 CCPA Compliance (California)

We comply with the California Consumer Privacy Act (CCPA):

• Right to Know: Disclosure of data collection and sharing practices
• Right to Delete: Deletion of personal information (with exceptions)
• Right to Opt-Out: Opt-out of sale of personal information (we do not sell data)
• Non-Discrimination: No discrimination for exercising privacy rights
• Verification: Identity verification for data requests

2. Industry Standards & Certifications

2.1 SOC 2 Type II

Service Organization Control 2 Type II certification demonstrates:

• Security: Protection against unauthorized access
• Availability: System availability and performance
• Confidentiality: Protection of confidential information
• Processing Integrity: Accurate and complete processing
• Privacy: Collection, use, and disclosure of personal information
• Annual Audits: Independent third-party audits conducted annually
• Audit Reports: Available to enterprise customers under NDA

2.2 ISO 27001 Alignment

Our security practices align with ISO/IEC 27001 standards:

• Information Security Management System (ISMS): Comprehensive security framework
• Risk Management: Systematic identification and mitigation of risks
• Security Controls: Implementation of ISO 27001 control objectives
• Continuous Improvement: Regular review and enhancement of security practices

3. Industry-Specific Compliance

3.1 Healthcare (HIPAA)

For healthcare customers handling Protected Health Information (PHI):

• Business Associate Agreement (BAA): Available for HIPAA-covered entities
• Administrative Safeguards: Security management, workforce training
• Physical Safeguards: Facility access controls, workstation security
• Technical Safeguards: Access control, audit controls, integrity controls
• Encryption: Encryption of PHI in transit and at rest
• Audit Logging: Comprehensive logging of PHI access

3.2 Financial Services

Support for financial services compliance:

• GLBA: Gramm-Leach-Bliley Act compliance support
• PCI DSS: Payment Card Industry Data Security Standard (for payment processing)
• SOX: Sarbanes-Oxley Act compliance support
• Data Retention: Configurable retention policies for regulatory requirements

3.3 Government & Public Sector

Support for government compliance requirements:

• FedRAMP: Federal Risk and Authorization Management Program (in progress)
• FISMA: Federal Information Security Management Act alignment
• State & Local: Support for state and local government requirements

4. Data Processing & Transfer

4.1 Data Processing Agreements (DPAs)

We provide Data Processing Agreements for enterprise customers:

• Standard DPA: Available for download from customer portal
• Custom DPAs: Available for enterprise customers
• GDPR-Compliant: Includes Standard Contractual Clauses (SCCs)
• Subprocessor List: Transparent list of subprocessors

4.2 International Data Transfers

Secure international data transfers:

• Standard Contractual Clauses (SCCs): EU-approved transfer mechanisms
• Adequacy Decisions: Recognition of adequacy decisions where applicable
• Data Residency: Options for data storage in specific regions (on request)
• Transfer Impact Assessments: Available for enterprise customers

5. Audit & Reporting

5.1 Audit Capabilities

Comprehensive audit trail for compliance:

• Access Logs: Who accessed what data and when
• Modification Logs: All data changes tracked with timestamps
• Authentication Logs: Login attempts, session management
• Administrative Actions: All admin actions logged
• Export Capabilities: Export audit logs in standard formats
• Retention: 7-year retention for compliance purposes

5.2 Compliance Reporting

Reporting capabilities for compliance audits:

• Custom Reports: Generate compliance reports on demand
• Scheduled Reports: Automated compliance reports
• Data Export: Export data in compliance-friendly formats
• Certification Letters: Available for enterprise customers

6. Data Subject Rights

6.1 Right to Access

Users can access their personal data:

• Dashboard Access: View all personal data through the Service
• Data Export: Export personal data in machine-readable format
• Request Processing: Requests processed within 30 days (GDPR requirement)

6.2 Right to Rectification

Users can correct inaccurate data:

• Self-Service: Update data directly through the Service
• Bulk Updates: Import/export functionality for bulk corrections

6.3 Right to Erasure ("Right to be Forgotten")

Users can request deletion of their data:

• Account Deletion: Delete account and associated data
• Data Retention: Data deleted within 30 days (subject to legal requirements)
• Backup Deletion: Data removed from backups within retention period

6.4 Right to Data Portability

Users can receive their data in a portable format:

• Export Formats: CSV, Excel, JSON formats available
• Complete Data: All user data included in export
• Machine-Readable: Standard formats for easy import to other systems

7. Vendor & Subprocessor Management

7.1 Subprocessor List

We use the following subprocessors to provide our Service:

• AWS (Amazon Web Services): Cloud infrastructure, hosting, database services
• AWS SES: Email delivery services
• Let's Encrypt: SSL/TLS certificate services

All subprocessors are contractually obligated to protect your data and comply with applicable regulations.

7.2 Vendor Security

We ensure all vendors meet security and compliance requirements:

• Security Assessments: Regular security reviews of vendors
• Contractual Requirements: Security and compliance requirements in contracts
• Monitoring: Ongoing monitoring of vendor security practices

8. Compliance Certifications & Documentation

8.1 Available Documentation

We provide the following compliance documentation:

• SOC 2 Type II Reports: Available to enterprise customers under NDA
• Data Processing Agreements: Standard and custom DPAs
• Security Questionnaires: Completed security questionnaires available
• Certification Letters: Compliance certification letters
• Privacy Policy: Comprehensive privacy policy (see Privacy page)
• Terms of Service: Detailed terms of service (see Terms page)

9. Compliance Contact

For compliance-related inquiries or to request compliance documentation:

10. Continuous Compliance

Compliance is an ongoing commitment. We:

• Regularly review and update our compliance practices
• Monitor changes in regulations and adapt accordingly
• Conduct regular compliance audits and assessments
• Provide training to our team on compliance requirements
• Maintain documentation of compliance activities