Skip to content

Compliance

Which regulatory requirements we meet and how we support yours.

Our certifications

Standard Status
GDPR (EU) ✅ Compliant
ISO 27001 🚧 Audit Q4 2026, certification Q1 2027
SOC 2 Type II 🚧 Audit period Q3 2026, report Q1 2027
CCPA (California) ✅ Compliant
HIPAA (US healthcare) ❌ Not applicable (we don't process client PHI)
PCI DSS ❌ Not applicable (we don't process payment data — Stripe does)

GDPR

As data controller of your users, you're responsible for compliance with regulators. As your data processor we meet GDPR requirements:

  • Lawful basis: we don't process your clients' personal data without your instruction.
  • Data minimization: we collect only what's necessary for the platform to function.
  • Right of access: you can export all your data via UI or API.
  • Right of erasure: deletion on request, 30 days.
  • Right of rectification: any field is editable via UI.
  • Right to object: opt-out from marketing communications.
  • Data Protection Impact Assessment (DPIA): conducted, available on Enterprise request.

Data Processing Agreement (DPA)

A separate contract signed alongside the main agreement:

  • Defines party roles (data controller vs processor).
  • Lists sub-processors with their roles.
  • Technical and organizational security measures.
  • Breach procedures.

DPA template: https://bcp.bytecode.team/legal/dpa. Sign request: legal@bytecode.team.

ISO 27001

Certification process started in Q1 2026. Expected certification — Q1 2027.

For now we operate under ISO 27001 controls without formal audit:

  • Information Security Management System (ISMS).
  • Risk assessment.
  • Access controls.
  • Cryptography policies.
  • Operations security.
  • Communications security.
  • Supplier relationship management.
  • Incident management.
  • Business continuity.

Statement of Applicability — available to Enterprise clients under NDA.

SOC 2

Type II audit scheduled for Q3 2026 (6-month audit period), report — Q1 2027.

For now we self-assess against Trust Service Criteria:

  • Security (CC1-CC9).
  • Availability (A1).
  • Confidentiality (C1).
  • Privacy (P1-P9).

Bridge letter / interim assessment — on request.

Customer-facing compliance

We help you meet your own regulatory requirements:

GDPR for your users

  • Findings often contain personal data (email addresses) — we treat them as your controlled data.
  • DPA with us covers their processing.
  • Right of erasure: delete any finding in one click.

SOC 2 / ISO 27001 (you as a vendor)

  • Audit logs of the platform — evidence for monitoring controls.
  • Reports — evidence for risk management controls.
  • Compliance templates (Q4 2026) — preconfigured reports for specific standards.

PCI DSS (if you're a payment processor)

  • The platform helps with Requirement 6.6 (monitoring of public-facing web apps).
  • Documentation about our role in your PCI scope — on request.

Auditor requests

If your auditor needs information about our platform:

  1. Contact: compliance@bytecode.team.
  2. NDA signing.
  3. Access to:
  4. Security questionnaires (SIG, CAIQ).
  5. Penetration test report.
  6. SOC 2 / ISO docs (when ready).
  7. Architecture diagrams.

Typical SLA on response — 5 business days.

Penetration testing

  • External pentests: annually, by independent vendors.
  • Bug bounty: open program on HackerOne (bytecode-team).
  • Internal red team: quarterly exercises.
  • Reports: summary available to clients, full report — Enterprise under NDA.

Vulnerability disclosure

If you found a security issue:

90-day disclosure timeline (standard), shorter for critical.