Compliance¶
Which regulatory requirements we meet and how we support yours.
Our certifications¶
| Standard | Status |
|---|---|
| GDPR (EU) | ✅ Compliant |
| ISO 27001 | 🚧 Audit Q4 2026, certification Q1 2027 |
| SOC 2 Type II | 🚧 Audit period Q3 2026, report Q1 2027 |
| CCPA (California) | ✅ Compliant |
| HIPAA (US healthcare) | ❌ Not applicable (we don't process client PHI) |
| PCI DSS | ❌ Not applicable (we don't process payment data — Stripe does) |
GDPR¶
As data controller of your users, you're responsible for compliance with regulators. As your data processor we meet GDPR requirements:
- Lawful basis: we don't process your clients' personal data without your instruction.
- Data minimization: we collect only what's necessary for the platform to function.
- Right of access: you can export all your data via UI or API.
- Right of erasure: deletion on request, 30 days.
- Right of rectification: any field is editable via UI.
- Right to object: opt-out from marketing communications.
- Data Protection Impact Assessment (DPIA): conducted, available on Enterprise request.
Data Processing Agreement (DPA)¶
A separate contract signed alongside the main agreement:
- Defines party roles (data controller vs processor).
- Lists sub-processors with their roles.
- Technical and organizational security measures.
- Breach procedures.
DPA template: https://bcp.bytecode.team/legal/dpa. Sign request: legal@bytecode.team.
ISO 27001¶
Certification process started in Q1 2026. Expected certification — Q1 2027.
For now we operate under ISO 27001 controls without formal audit:
- Information Security Management System (ISMS).
- Risk assessment.
- Access controls.
- Cryptography policies.
- Operations security.
- Communications security.
- Supplier relationship management.
- Incident management.
- Business continuity.
Statement of Applicability — available to Enterprise clients under NDA.
SOC 2¶
Type II audit scheduled for Q3 2026 (6-month audit period), report — Q1 2027.
For now we self-assess against Trust Service Criteria:
- Security (CC1-CC9).
- Availability (A1).
- Confidentiality (C1).
- Privacy (P1-P9).
Bridge letter / interim assessment — on request.
Customer-facing compliance¶
We help you meet your own regulatory requirements:
GDPR for your users¶
- Findings often contain personal data (email addresses) — we treat them as your controlled data.
- DPA with us covers their processing.
- Right of erasure: delete any finding in one click.
SOC 2 / ISO 27001 (you as a vendor)¶
- Audit logs of the platform — evidence for monitoring controls.
- Reports — evidence for risk management controls.
- Compliance templates (Q4 2026) — preconfigured reports for specific standards.
PCI DSS (if you're a payment processor)¶
- The platform helps with Requirement 6.6 (monitoring of public-facing web apps).
- Documentation about our role in your PCI scope — on request.
Auditor requests¶
If your auditor needs information about our platform:
- Contact:
compliance@bytecode.team. - NDA signing.
- Access to:
- Security questionnaires (SIG, CAIQ).
- Penetration test report.
- SOC 2 / ISO docs (when ready).
- Architecture diagrams.
Typical SLA on response — 5 business days.
Penetration testing¶
- External pentests: annually, by independent vendors.
- Bug bounty: open program on HackerOne (
bytecode-team). - Internal red team: quarterly exercises.
- Reports: summary available to clients, full report — Enterprise under NDA.
Vulnerability disclosure¶
If you found a security issue:
- Email:
security@bytecode.team. - PGP key: https://bcp.bytecode.team/.well-known/security.txt.
- Bug bounty: https://hackerone.com/bytecode-team.
90-day disclosure timeline (standard), shorter for critical.