Honest about where we stand.
We distinguish between what is operational, what is in progress, and what is planned. No overclaiming — just transparent status.
EU regulatory compliance.
General Data Protection Regulation
Operational: Comprehensive EU data protection for all personal data processing.
- Art. 15 — Right to Access: Self-service DSAR with data export
- Art. 16 — Right to Rectification: Users can update own information
- Art. 17 — Right to Erasure: Full deletion cascade across 66 tables, file storage, and vector embeddings
- Art. 20 — Data Portability: Standard format exports via DSAR workflow
- Art. 28 — Processor Obligations: Runtime paid-tier enforcement prevents free-tier AI usage
- Art. 6(1)(f) — Lawful Basis: Legitimate Interest with three-part EDPB balancing test
- Data residency enforced in EU (Germany, Finland, Netherlands)
EU AI Act
Operational: Regulation 2024/1689 compliance for high-risk AI systems.
- Art. 9 — Risk Management: Quarterly governance reports with risk indicators
- Art. 10 — Data Governance: PII redaction and audit logging on all AI data flows
- Art. 12 — Record-Keeping: AI acceptance metrics, audit logs, governance reports
- Art. 14 — Human Oversight: Manager training gate (require_ai_certified)
- Art. 50 — Transparency: AI content labelling throughout the platform
- Annex III Category 4b classification (employment and worker management)
- Rubber-stamping detection with 4 monitored indicators
International standards.
ISO 27001
In Progress: Information security management system certification.
- Gap assessment underway (Q3 2026)
- Information security management system documentation in progress
- Formal certification audit targeted for H1 2027
- Recognised standard for EU and international enterprise requirements
North American compliance.
SOC 2
Planned: Service Organization Control 2 for North American enterprise requirements.
- Readiness assessment complete (Security + Availability + Confidentiality + Privacy criteria)
- Compliance platform evaluation (Vanta, Drata) underway
- Type I audit planned following ISO 27001 certification
- Many controls already operational from ISO 27001 preparation
HIPAA
Operational: Health Insurance Portability and Accountability Act compliance for healthcare verticals.
- Business Associate Agreement (BAA) with cloud AI providers
- Encrypted PHI at rest and in transit
- Audit logging of all PHI access with 7-year retention
- Zero data retention for AI processing
- Access controls and authentication for healthcare data
- Applicable to DermGeist healthcare vertical
CCPA
Operational: California Consumer Privacy Act — consumer data rights for California residents.
- Right to know what data is collected
- Right to delete personal information
- Right to opt out of data sales (we never sell data)
- Right to non-discrimination
- Self-service data export and deletion tools
Certification timeline.
Our security and compliance roadmap through H1 2027.
Dependency scanning in CI
Operational: pip-audit, OSV-Scanner, lockfile integrity, and supply chain checks on every push
DPIA completion
In Progress: Data Protection Impact Assessment with enterprise customers
Security training programme
Planned: Initial rollout for all staff; annual GDPR refresher
ISO 27001 gap assessment
In Progress: Information security management system documentation
Penetration test
Planned: Gray-box test (authenticated and unauthenticated) covering the full application and API scope, performed by an EU-based firm
WCAG 2.1 AA audit
Planned: Third-party accessibility audit
DR drill
Planned: Full restore test to validate the RTO (<4h) and RPO (<24h) targets
ISO 27001 certification
Planned: Formal certification audit (dependent on gap assessment)
Application-level encryption
Planned: Per-tenant AES-256-GCM field-level encryption deployment
Need detailed compliance evidence?
Request our Security & Compliance Evidence Pack with full control matrices and technical architecture details.