Compliance & Certifications

SealSnap meets the highest standards for security, privacy, and regulatory compliance.

1. Security Certifications and Standards

1.1 SOC 2 Type II Attestation

Report Date: August 2025

Audit Period: August 18, 2025

Auditor: Deloitte & Touche LLP

Our SOC 2 Type II report (an independent attestation under AICPA standards, not a certificate) covers the five Trust Services Criteria:

  • Security: Protection against unauthorized access
  • Availability: System operational availability as committed
  • Processing Integrity: Complete, valid, accurate, timely processing
  • Confidentiality: Protection of confidential information
  • Privacy: Personal information collection, use, retention, and disposal

1.2 ISO 27001:2013 Certification

Certificate Number: ISO27001-2024-SS-001

Certification Body: BSI Group

Valid Until: August 2027

Our Information Security Management System (ISMS) covers:

  • Risk assessment and treatment processes
  • Security policies and procedures
  • Incident response and business continuity
  • Access control and identity management
  • Cryptographic controls and key management

1.3 ISO 27017 Cloud Security

Additional cloud-specific security controls including:

  • Cloud service customer data protection
  • Segregation of cloud environments
  • Virtual network access control
  • Secure disposal of cloud resources

1.4 ISO 27018 Privacy in Cloud Computing

Specialized privacy controls for cloud services:

  • Consent and choice mechanisms
  • Purpose limitation and data minimization
  • Transparency and communication
  • Independent oversight and compliance

2. Regulatory Compliance

2.1 GDPR (General Data Protection Regulation)

Compliance Status: Fully Compliant

Key Implementations:

  • Data Protection Impact Assessments (DPIAs)
  • Privacy by Design and by Default
  • Data Subject Rights Management System
  • Breach notification procedures (72-hour requirement)
  • Data Processing Records (Article 30)
  • Standard Contractual Clauses for international transfers

EU Representative: SealSnap EU Ltd., Dublin, Ireland

2.2 CCPA (California Consumer Privacy Act)

Compliance Status: Fully Compliant

Consumer Rights Supported:

  • Right to know about personal information collection
  • Right to delete personal information
  • Right to opt-out of the sale of personal information
  • Right to non-discrimination for exercising privacy rights
  • Right to correct inaccurate personal information

2.3 HIPAA (Health Insurance Portability and Accountability Act)

Compliance Status: HIPAA-Ready (Business Associate Agreements available)

Safeguards Implemented:

  • Administrative: Security officer, workforce training, access management
  • Physical: Facility access controls, workstation security
  • Technical: Access control, audit controls, integrity, transmission security

2.4 Electronic Signature Laws

Compliance with:

  • ESIGN Act (US): Electronic Signatures in Global and National Commerce Act
  • UETA (US): Uniform Electronic Transactions Act
  • eIDAS (EU): Electronic Identification, Authentication and Trust Services
  • Electronic Transactions Acts: Various international jurisdictions

3. Industry-Specific Compliance

3.1 Financial Services

  • SOX (Sarbanes-Oxley): Financial reporting controls
  • GLBA (Gramm-Leach-Bliley): Financial privacy requirements
  • PCI DSS: Payment card industry data security standards
  • FFIEC Guidelines: Federal Financial Institutions Examination Council IT examination guidance

3.2 Government and Public Sector

  • FedRAMP: Federal Risk and Authorization Management Program (In Progress)
  • FISMA: Federal Information Security Modernization Act (2014)
  • NIST Cybersecurity Framework: Risk-based approach to cybersecurity
  • Section 508: Accessibility requirements for federal agencies

4. Data Security and Protection

4.1 Encryption Standards

  • Data in Transit: TLS 1.3 with Perfect Forward Secrecy
  • Data at Rest: AES-256 encryption with FIPS 140-2 Level 3 HSMs
  • Key Management: AWS KMS with customer-managed keys
  • Database Encryption: Transparent Data Encryption (TDE)
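
The transit claim above ("TLS 1.3 with Perfect Forward Secrecy") is one a customer can verify from the outside. The following is an added example, not SealSnap's own code: it performs a verifying handshake, reports the negotiated protocol version and cipher suite, and grades them against the claim. The endpoint name is an assumption; pass the real service hostname as the first argument.

```python
"""Client-side check of a vendor's "TLS 1.3 with Perfect Forward Secrecy" claim.

Added example; not SealSnap's code. The endpoint name is an assumption.
"""
import socket
import ssl

ASSUMED_HOST = "app.sealsnap.net"  # assumption: replace with the real service endpoint


def kex_is_ephemeral(cipher: str) -> bool:
    """True when the negotiated suite uses an ephemeral (EC)DH key exchange.

    OpenSSL names TLS 1.3 suites TLS_...; every TLS 1.3 handshake is
    (EC)DHE-based. TLS 1.2 suites carry the key exchange in their prefix:
    ECDHE-/DHE- give forward secrecy, plain RSA key transport (for example
    AES256-GCM-SHA384) does not.
    """
    if cipher.startswith("TLS_"):
        return True
    return cipher.startswith(("ECDHE-", "DHE-"))


def assess(version: str, cipher: str) -> dict:
    """Grade a negotiated (protocol version, cipher suite) pair against the claim."""
    ephemeral = kex_is_ephemeral(cipher)
    return {
        "version": version,
        "cipher": cipher,
        "tls13": version == "TLSv1.3",
        "forward_secrecy": ephemeral,
        # The claim is TLS 1.3 with PFS; a TLS 1.2 ECDHE suite still has PFS
        # but does not meet the stated version.
        "meets_claim": version == "TLSv1.3" and ephemeral,
    }


def probe(host: str = ASSUMED_HOST, port: int = 443,
          max_version: ssl.TLSVersion = ssl.TLSVersion.MAXIMUM_SUPPORTED,
          timeout: float = 5.0) -> dict:
    """Handshake with the default verifying context and report what was negotiated.

    Pass max_version=ssl.TLSVersion.TLSv1_2 to see what the server offers a
    TLS 1.2-only client; the chosen suite should still start with ECDHE-/DHE-.
    """
    ctx = ssl.create_default_context()  # verifies the chain and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = max_version
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cipher_name, _proto, _bits = tls.cipher()
            return assess(tls.version(), cipher_name)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else ASSUMED_HOST
    for label, mv in (("default client", ssl.TLSVersion.MAXIMUM_SUPPORTED),
                      ("tls1.2-only client", ssl.TLSVersion.TLSv1_2)):
        try:
            print(label, probe(target, max_version=mv))
        except (OSError, ssl.SSLError) as exc:
            print(label, "handshake failed:", exc)
```

A result of `meets_claim: True` on the default run and `forward_secrecy: True` on the TLS 1.2-only run is what the stated control looks like from the wire; a handshake failure on the second run means the server refuses TLS 1.2 entirely, which is stricter than the claim, not a contradiction of it. The check says nothing about encryption at rest or key management, which can only be evidenced through the SOC 2 report and the KMS key policies.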

4.2 Access Controls

  • Multi-Factor Authentication: Required for all user accounts
  • Role-Based Access Control: Principle of least privilege
  • Single Sign-On: SAML 2.0 and OpenID Connect support
  • Privileged Access Management: Just-in-time access for administrators

4.3 Network Security

  • Web Application Firewall: AWS WAF with custom rules
  • DDoS Protection: AWS Shield Advanced
  • Network Segmentation: VPC with private subnets
  • Intrusion Detection: 24/7 monitoring with SIEM

5. Audit and Monitoring

5.1 Continuous Monitoring

  • Security Information and Event Management (SIEM): Splunk Enterprise
  • Vulnerability Scanning: Weekly automated scans
  • Penetration Testing: Quarterly by third-party security firms
  • Compliance Monitoring: Automated compliance checks

5.2 Audit Logs

Comprehensive logging of:

  • User authentication and authorization events
  • Data access and modification activities
  • System configuration changes
  • Security events and incidents
  • Administrative actions

Retention Period: 7 years for audit logs

6. Business Continuity and Disaster Recovery

6.1 Service Level Agreements

  • Uptime SLA: 99.9% availability guarantee
  • Recovery Time Objective (RTO): 4 hours
  • Recovery Point Objective (RPO): 1 hour
  • Support Response: 1 hour for critical issues

6.2 Backup and Recovery

  • Automated Backups: Every 6 hours with point-in-time recovery
  • Geographic Redundancy: Multi-region data replication
  • Disaster Recovery Testing: Quarterly DR drills
  • Business Continuity Plan: Annually updated and tested

7. Third-Party Risk Management

7.1 Vendor Assessment

All third-party vendors undergo:

  • Security questionnaire and risk assessment
  • Contractual security requirements
  • Regular security reviews and audits
  • Incident notification requirements

7.2 Key Technology Partners

  • Cloud Infrastructure: Amazon Web Services (AWS)
  • CDN and Security: Cloudflare
  • Monitoring: Datadog, Splunk
  • Identity Management: Auth0

8. Incident Response

8.1 Incident Response Team

  • 24/7 Security Operations Center (SOC)
  • Incident Commander: Chief Security Officer
  • Response Time: 15 minutes for critical incidents
  • Communication: Customer notification within 2 hours

8.2 Incident Classification

  • Critical: Data breach, service outage affecting >50% users
  • High: Security vulnerability, service degradation
  • Medium: Performance issues, minor security events
  • Low: Informational events, planned maintenance

9. Training and Awareness

9.1 Security Training Program

  • New Employee Training: Security awareness within first week
  • Annual Training: Mandatory security and privacy training
  • Phishing Simulation: Monthly simulated phishing tests
  • Role-Specific Training: Additional training for privileged users

10. Compliance Documentation

10.1 Available Reports

Enterprise customers can request:

  • SOC 2 Type II Report
  • ISO 27001 Certificate
  • Penetration Testing Summary
  • Security Questionnaire Responses
  • Data Processing Addendum (DPA)
  • Business Associate Agreement (BAA)

11. Contact Information

11.1 Compliance Team

Chief Compliance Officer: compliance@sealsnap.net

Data Protection Officer: contact@sealsnap.net

Security Team: contact@sealsnap.net

Privacy Team: contact@sealsnap.net

11.2 General Contact

SealSnap, LLC
200 S Biscayne Blvd Ste 7021, Miami, FL 33131
Phone: (858) 213-7353
Email: contact@sealsnap.net

For compliance-related inquiries or to request compliance documentation, please contact our compliance team at compliance@sealsnap.net or call (858) 213-7353.