Vision Data Platform
Compliance

Compliance is how we ship — not a quarterly project.

We've worked in regulated industries since 2001. The frameworks below are built into the platform's data layer, not patched on at audit time. New tenants inherit the posture; new features ship against it by default.

SOC 2
Type II

Annual audit. Trust services criteria across security, availability, processing integrity, confidentiality, and privacy.

HIPAA
Compliant

BAA available. PHI handling, encryption, access logging, 7-year audit retention on Pro/Enterprise tiers.

FERPA
Compliant

3-year audit retention default. Directory-information controls. Education-records lifecycle managed end-to-end.

PCI-DSS
Compliant

Tokenized card handling. SAQ-A scope for merchants. End-to-end through Stripe, Authorize.Net, and Worldpay integrations.

GDPR
Compliant

Data residency options. Right-to-erasure workflows. Lawful basis tracking per tenant.

CCPA / CPRA
Compliant

Consumer rights workflows: access, deletion, opt-out. Sale/sharing toggle per tenant.

COPPA 2.0
Ready

K-12 youth-data handling. Parental consent flows. Age-gated UX patterns.

CMMC
Roadmap

Level 2 path for federal credentialing partners. Targeting 2026 attestation.

HITRUST
Roadmap

CSF certification on the same path as FedRAMP Moderate.

What this looks like in practice

Per-tenant posture

A K-12 tenant boots with FERPA + COPPA defaults. A clinic boots with HIPAA + state-specific defaults. Same platform, different posture.

Immutable audit log

Every read, write, export, and admin action is logged with cryptographic chaining. Auditors get raw exports; we don't curate.

Evidence on demand

Pen test reports, SOC 2 attestations, BAAs, and DPA templates are shared under NDA after the second meeting. No marketing fluff.
