What we comply with, what we don't, and what's next.
One page so you can run a vendor-risk review without back-and-forth. The privacy notice and security page carry the operational detail; this page is the index.
Regulations & standards
Things we comply with today carry a link to the operational evidence. Things we don't have yet sit in Roadmap with a target window — we'd rather be late than misrepresent.
| Regulation / Standard | Status | Detail |
|---|---|---|
| GDPR (EU) | Compliant | Greek/EU establishment. Lead supervisory authority: Hellenic DPA. Lawful basis, transfer mechanisms, and the eight data-subject rights are documented in the privacy notice. |
| UK GDPR | Compliant | Mirrors the EU GDPR posture. The DPA template incorporates the UK ICO Addendum to SCCs for transfers in scope of UK law. |
| CCPA / CPRA (California) | Compliant | We honour California consumer rights (know, delete, correct, opt-out of sale/share — though we don't sell or share). Email privacy@chainkit.dev for a request. |
| ePrivacy (cookie law) | Compliant | One first-party strictly-necessary session cookie; no third-party trackers; no consent banner required today. If we add analytics, we'll add consent first. |
| SOC 2 Type II | Roadmap | Target window: 2027 H2. Pre-audit hardening (access reviews, change-management, formal incident response) is in progress. Until the report exists, the security page documents what we run today. |
| ISO 27001 | Roadmap | Target: 2028, following SOC 2. Most ISO 27001 Annex A controls overlap with SOC 2 work. |
| HIPAA | Out of scope | We do not process Protected Health Information. If your application would push PHI in telemetry, do not use chainkit cloud. |
| PCI-DSS | Out of scope | Card data never reaches us — Stripe handles all payment surfaces directly. We hold a Stripe customer id and a subscription id, nothing else. |
DPA template
Our DPA covers all GDPR Article 28 obligations: documented-instructions processing, confidentiality, Article 32 security measures, subprocessor authorisation with 30-day prior notice, assistance with data-subject requests, 48-hour breach notification to the Controller, return-or-deletion on termination, audit rights, and SCCs (Module 2) for cross-border transfers.
The current version is a draft pending counsel review: the structure is final and the language is being tightened. The template is source-controlled internally so changes are auditable in git; once the wording is stable, we'll publish the final version on this page directly. In the meantime, email privacy@chainkit.dev to request a counter-signed copy for your vendor file.
Who else touches your data
The shortlist of vendors that process customer Personal Data on chainkit's behalf. We notify account owners by email at least 30 days before adding a new one, so you have time to object.
| Subprocessor | Purpose | Location | Transfer basis |
|---|---|---|---|
| njalla | VPS hosting (Postgres, Redis, application binaries) | Sweden (EU/EEA) | EEA — no transfer mechanism required |
| Mailgun | Transactional email (verification, password reset, invitations) | United States | SCCs (2021/914 Module 2) + EU-US Data Privacy Framework |
| Stripe | Billing — engages when paid plans launch | United States / Ireland | SCCs (2021/914 Module 2) + EU-US Data Privacy Framework |
EU → US transfers
Production infrastructure runs in the EEA (Sweden). The two US-based subprocessors above (Mailgun, Stripe) receive Personal Data under the same dual basis: Standard Contractual Clauses (Module 2, 2021/914) and EU-US Data Privacy Framework certification.
On request to privacy@chainkit.dev we'll share the relevant SCCs, our Transfer Impact Assessment, and the latest DPF self-certifications for each vendor.
Found something?
Email security@chainkit.dev. We acknowledge within one business day and aim for triage within five.
For breaches affecting Personal Data of EU data subjects we notify the Hellenic DPA within 72 hours under GDPR Article 33 and notify affected customers without undue delay under Article 34.
The full set
The companion documents that back what's on this page are source-controlled internally so changes are auditable in git. We send the current counter-signed versions to anyone running a vendor-risk review — typically the same business day.
- Records of Processing Activities (GDPR Art. 30).
- Breach response runbook (Art. 33 / 34 procedure).
- DPA template (Art. 28).
Safe-harbour
We won't pursue legal action against good-faith security research provided you:
- Don't access or modify data that isn't yours.
- Don't run automated scanners that degrade the service for other users.
- Give us a reasonable window (typically 90 days) to remediate before public disclosure.
- Report through security@chainkit.dev, not social media.
A bug-bounty programme is on the roadmap once we have SOC 2 in flight.