Compliance
Mapped posture, available evidence
We keep a single control plane aligned to the frameworks that matter in regulated operations, with evidence ready for review.
Status reflects the most recent internal audit cycle. "In scope" means certification is underway, we never claim certification without evidence.
| Framework | Scope | Status | Region | Evidence type | Last audit |
|---|---|---|---|---|---|
| ISO 27001 | ISMS | Certified | Global | Full report | Q1 2026 |
| SOC 2 Type II | Controls | Ready | US / EU | Type II report | Q4 2025 |
| GDPR | Data protection | Compliant | EU | DPIA + RoPA | Q1 2026 |
| PCI DSS v4 | Payment data | In scope | Global | SAQ attestation | Q3 2025 |
| LGPD | Data protection | Compliant | BR | Compliance report | Q4 2025 |
| ISO 22301 | BCMS | In scope | Global | Continuity plan | Q2 2025 |
Frameworks by region
Global
- ISO 27001
- ISO 22301
- PCI DSS v4
- NIST CSF
EU
- GDPR
- DORA (in scope)
- eIDAS
- NIS2 (in scope)
LATAM
- LGPD (BR)
- Law 19.628 (CL)
- Law 1581 (CO)
- Law 25.326 (AR)
US
- SOC 2 Type II
- CCPA/CPRA
- State AG frameworks
Request evidence package
01 · Request
Send scope, jurisdictions, and relevant frameworks to our compliance team.
02 · NDA and triage
We sign a mutual NDA and confirm the applicable package within 48 hours.
03 · Delivery
We deliver a signed evidence package with audit trail and contact points.
Data residency
Operational data is held in EU-WEST (Ireland) and SA-EAST (São Paulo) regions. Customers under specific regimes can opt for dedicated residency.
Subprocessors
| Name | Purpose | Region |
|---|---|---|
| Amazon Web Services | Infrastructure and storage | EU-WEST, SA-EAST |
| Cloudflare | CDN and WAF | Global |
| Datadog | Observability | EU |
| PagerDuty | Incident management | EU / US |
| HashiCorp Vault Cloud | Secrets management | EU |
Ready to review the evidence?
Send scope and jurisdictions and we'll return in 48 hours with the applicable package.