Compliance posture
What we comply with. What we're working toward.
Concrete, dated, honest. No "ISO-aligned" or "SOC2-ready" weasel-wording — those phrases mean nothing without an attestation. Snapshot 2026-05-20.
Current posture
Where we stand today.
| Framework | Status | Evidence |
|---|---|---|
| GDPR (EU 2016/679) | Substantively compliant | Privacy notice, DPA template, sub-processor list, breach response process, data-subject request channel. See /dpa/. |
| UK-GDPR & Data Protection Act 2018 | Substantively compliant | UK Addendum to SCCs in DPA, ICO-style data-subject rights process. |
| KVKK (Türkiye, Law 6698) | Substantively compliant | Lawful basis documented, cross-border transfer assessment performed. |
| Azerbaijani Personal Data Law (No. 998-IIIQ) | Substantively compliant | Local establishment, processing register maintained. |
| SOC 2 Type II | Not yet attested | Controls in place (see /controls/), Type I scoping discussion under way. No SOC 2 audit report exists yet. |
| ISO/IEC 27001:2022 | Not yet certified | ISMS scope drafted, Statement of Applicability in draft. No certificate exists yet. |
| PCI DSS | Out of scope | Card data never reaches Aevrix infrastructure — Lemon Squeezy is our Merchant of Record. See /sub-processors/. |
| HIPAA | Out of scope | We do not process PHI and do not enter into Business Associate Agreements. |
Roadmap
What we're working toward.
- SOC 2 Type I readiness assessment after the first enterprise customer is signed under contract.
- SOC 2 Type II attestation 12 months after Type I, conditional on commercial demand.
- ISO/IEC 27001 certification after the SOC 2 attestations, only if EU enterprise demand justifies the cost.
- Independent penetration testing annually once a paying enterprise customer is on contract.
We don't pursue compliance for its own sake. We pursue it when the customer market we serve genuinely requires it. The controls themselves (/controls/) are independent of the attestation status.
Audit-on-request
While we wait for formal audits.
Enterprise prospects can request a directed assessment under signed NDA: walkthrough of our controls catalogue, review of our deployment pipelines, evidence sampling, sub-processor flow review. Reasonable notice and scope. We will not allow live production probing without coordination with our on-call rotation.
Vendor risk questionnaires
The shortcut.
- SIG Lite, SIG Core, CAIQ: on request under NDA. Allow two business weeks for completion.
- Custom security questionnaires: we'll do them. Allow more time for very long ones.
- Whistic / Vanta Trust / OneTrust Vendorpedia: we don't currently maintain pre-published profiles on these platforms.
Need answers fast?
Direct line to compliance. Real human, two business days.