# Compliance Controls
Last updated: May 24, 2026
These controls summarize the operating documentation behind public trust references. Formal certification claims stay separate from self-assessed control positions.
## Control summary
| Control | Position | Evidence |
|---|---|---|
| GDPR Compliant | Self-assessed privacy controls, consent records, rights workflows, retention practices, and processor terms support the platform's GDPR compliance position. | Privacy Policy, DPA, data subject request workflows |
| ISO 27001 Ready | The platform maintains an operating security baseline and documented path toward a formal ISMS. This is readiness, not a certificate claim. | Security baseline, incident response expectations, control documentation |
| 99.9% Uptime SLA | Covered hosted public services operate against a 99.9% monthly uptime target. | Public status page, monitoring, health checks |
| Payment Security Boundary | Card and wallet collection should be handled by supported payment providers and hosted payment experiences. | Payments guide, provider-hosted payment flows, acceptable use rules |
## Privacy and data controls
- Privacy Policy and Data Processing Agreement published for merchants and users.
- Data subject request support for access, correction, deletion, restriction, portability, and objection where applicable.
- Retention and deletion expectations documented.
- Connected-platform import boundaries documented.
## Security controls
- Encryption in transit for platform endpoints.
- Store-scoped authorization checks.
- Sensitive credential and provider workflows protected by access controls.
- Audit logging for key security-sensitive actions.
- Incident response and breach notification expectations documented.
## Uptime controls
- Public status page for service visibility.
- Health and readiness endpoints for operational monitoring.
- Hosted platform uptime target for covered public services.
- No SLA credit for outages caused by customer systems or third-party dependencies unless separately stated.
## Payment-boundary controls
- Merchants are instructed not to upload cardholder data or payment secrets into platform content fields.
- Payment collection should happen through supported providers and hosted experiences where available.
- Provider risk controls and prohibited-business rules may affect payment availability.
- Merchant-customer payments, subscriptions, and payouts are documented as separate workflows.