Draft — not legal advice. This document is a placeholder while we finalize our production legal documents with counsel. Use of Drite during early access is governed by the most recent version of this draft.

Trust

Compliance

Last updated: April 7, 2026

Drite operates in financial services and handles sensitive business data, which means we are subject to a range of regulatory and certification requirements. This page describes our current compliance posture and roadmap during early access.

1. SOC 2 Type II

We are actively pursuing SOC 2 Type II certification, audited against the Trust Services Criteria for Security, Availability, Confidentiality, and Privacy. Our internal controls cover access management, change management, system operations, vendor management, and incident response.

Status: in progress.

2. GDPR (EU + UK)

Drite supports the rights granted by the General Data Protection Regulation, including access, rectification, erasure, restriction, portability, and objection. Customers acting as data controllers can sign a Data Processing Agreement (DPA) with us. International transfers are protected by Standard Contractual Clauses where required.

Status: DPA available on request.

3. CCPA / CPRA (California)

We honor the rights granted by the California Consumer Privacy Act and California Privacy Rights Act, including the right to know, delete, correct, and opt out of "sales" or "sharing" of personal information. We do not sell personal information.

4. PCI DSS

We do not store raw card numbers (Primary Account Numbers). All card data is tokenized via PCI DSS Level 1 certified payment processors. This minimizes our PCI scope and reduces risk to our customers.

5. HIPAA (healthcare)

Drite is preparing a Business Associate Agreement (BAA) for healthcare customers. The audit-service, access controls, and encryption requirements needed for HIPAA-covered workloads are part of our roadmap before we open the healthcare vertical to general availability.

Status: planned.

6. KYB / KYC and AML

Customers using Drite's banking, payment, or payroll features are subject to Know-Your-Business (KYB), Know-Your-Customer (KYC), Anti-Money-Laundering (AML), and Counter-Terrorism Financing (CTF) requirements imposed by our financial partners and applicable law. We collect business registration documents, beneficial owner information, and government-issued ID where required.

7. Sanctions screening

We screen customers and counterparties against major sanctions lists (OFAC SDN, EU Consolidated List, UK HMT, UN, and others). We do not provide service to sanctioned entities or individuals.

8. Subprocessors

Drite uses a small set of vetted subprocessors to deliver the Service. The list is maintained publicly and updated when it changes. Customers under DPA receive 30 days' notice of new subprocessors with the right to object. Email compliance@drite.io for the current list.

9. Data residency

During early access, customer data is hosted in the United States. We plan to offer regional data residency (EU, LATAM) as we scale.

10. Audit log and data export

Every action across the platform is recorded in an append-only audit log scoped to your organization. You can export your data at any time in machine-readable formats. We never lock customer data.

11. Reporting and contact

Compliance questions, DPA requests, and subprocessor list requests: compliance@drite.io.