Drite operates in financial services and handles sensitive business data, which means we are subject to a range of regulatory and certification requirements. This page describes our current compliance posture and roadmap during early access.
1. SOC 2 Type II
We are actively pursuing SOC 2 Type II certification, audited against the Trust Services Criteria for Security, Availability, Confidentiality, and Privacy. Our internal controls cover access management, change management, system operations, vendor management, and incident response.
Status: in progress.
2. GDPR (EU + UK)
Drite supports the rights granted by the General Data Protection Regulation, including access, rectification, erasure, restriction, portability, and objection. Customers acting as data controllers can sign a Data Processing Agreement (DPA) with us. International transfers are protected by Standard Contractual Clauses where required.
Status: DPA available on request.
3. CCPA / CPRA (California)
We honor the rights granted by the California Consumer Privacy Act and California Privacy Rights Act, including the right to know, delete, correct, and opt out of "sales" or "sharing" of personal information. We do not sell personal information.
4. PCI DSS
We do not store raw card numbers (Primary Account Numbers). All card data is tokenized via PCI DSS Level 1 certified payment processors. This minimizes our PCI scope and reduces risk to our customers.
5. HIPAA (healthcare)
Drite is preparing a Business Associate Agreement (BAA) for healthcare customers. The audit logging, access control, and encryption requirements needed for HIPAA-covered workloads are part of our roadmap before we open the healthcare vertical to general availability.
Status: planned.
6. KYB / KYC and AML
Customers using Drite's banking, payment, or payroll features are subject to Know-Your-Business (KYB), Know-Your-Customer (KYC), Anti-Money-Laundering (AML), and Counter-Terrorism Financing (CTF) requirements imposed by our financial partners and applicable law. We collect business registration documents, beneficial owner information, and government-issued ID where required.
7. Sanctions screening
We screen customers and counterparties against major sanctions lists (OFAC SDN, EU Consolidated List, UK HMT, UN, and others). We do not provide service to sanctioned entities or individuals.
8. Subprocessors
Drite uses a small set of vetted subprocessors to deliver the Service. The list is maintained publicly and updated when it changes. Customers under DPA receive 30 days' notice of new subprocessors with the right to object. Email compliance@drite.io for the current list.
9. Data residency
During early access, customer data is hosted in the United States. We plan to offer regional data residency (EU, LATAM) as we scale.
10. Audit log and data export
Every action across the platform is recorded in an append-only audit log scoped to your organization. You can export your data at any time in machine-readable formats. We never lock in customer data.
11. Reporting and contact
Compliance questions, DPA requests, and subprocessor list requests: compliance@drite.io.