Compliance Frameworks

actively reviews the landscape of compliance frameworks and audit regimes. This page provides relevant information about how various compliance frameworks apply to your use of Please note that individual facts and circumstances are important to understanding how any given framework may apply to you.

SOC 2 Type II

Our most recent SOC 2 Type II audit engagement began October 1, 2022 and ended March 31, 2023, with the final report provided on May 31st, 2023. We conduct a SOC 2 audit annually, and our SOC 2 auditor is Kirkpatrick Price.

In addition to this engagement, has successfully accomplished several prior SOC 2 engagements with Kirkpatrick Price.

We are happy to provide our customers or prospects with our SOC 2 report. Contact your Account Executive or Account Manager to obtain the latest SOC 2 report.

Will Be Storing Data Subject To PCI/HIPAA/GDPR

is not in a position to know what data you are storing in the platform. This understanding and proper data classification are the responsibility of the customer. Please refer to the Shared Responsibility Model for more information.

Federal Privacy Regulations

provides world-class tools that assist customers in meeting their legal, regulatory and contractual obligations. Please reference the provided Shared Responsibility Model for more details.

Children's Online Privacy Protection Act (COPPA)

is not intended for use by children, especially those under 13. We do not knowingly collect personally identifiable information from children under 18 years of age.

Health Insurance Portability and Accountability Act (HIPAA) / Business Associate Agreement (BAA)

has many customers who are subject to the Health Insurance Portability and Accountability Act (HIPAA). As such, we are aware of the relevant requirements and have designed our service to be compatible with many customer scenarios requiring HIPAA compliance.

offers a pre-written and pre-approved Business Associate Agreement ("BAA") that it will execute for any customer on a Premier or Enterprise plan. BAAs and HIPAA compliance are not available on the Starter or Power plan levels.

Our HIPAA BAA requires that you comply with the instructions in our Configuring For Maximum Security document.

General Data Protection Regulation (GDPR) / Data Protection Agreement (DPA)

is compliant with the General Data Protection Regulation (GDPR). offers a pre-written and pre-approved Data Protection Agreement (DPA) that it will execute for any customer requiring a DPA under GDPR.

Privacy Shield Framework

is self-certified under the Privacy Shield framework.

The Privacy Shield Self-Certification can be viewed here.

International Traffic in Arms Regulations (ITAR)

ITAR is the International Traffic in Arms Regulations, which is a set of United States government regulations that control the export and import of defense-related articles and services on the United States Munitions List (USML) and related technical data. ITAR requires, in relevant part, that covered material (items listed on the USML) only be shared with U.S. persons absent special authorization or exemption.

Unlike SOC 2, there is no formal ITAR certification process. Because heavily relies on AWS and does not make use of the GovCloud capabilities of AWS, is unable to assert ITAR compliance.

Payment Card Industry (PCI)

All credit card information provided to us by our customers is stored in a highly secure, PCI-compliant system by our payment vendors Braintree Payment Solutions and PayPal.

PCI is the Payment Card Industry standard for cardholder data security. Our billing and signup processes are also PCI-compliant.

This should not be misunderstood to mean that our customers may store payment card data in The Terms of Service disallows the service to be used for that use case.

ISO 27001

ISO 27001 is a framework governing information security. is not currently ISO 27001 certified; however, we plan to complete an ISO 27001 certification in the future.

's Information Security Program ("InfoSec Program") is based on SSAE-18 SOC 2 and the COBIT 5 Framework and covers the platform and our company as a whole. has participated in multiple SOC 2 engagements with Kirkpatrick Price which were successfully completed. Please reference our latest SOC 2 report for more details.

Personal Information Protection and Electronic Documents Act (PIPEDA)

PIPEDA is a Canadian federal data privacy law that governs the collection, use, and disclosure of personal information in the course of commercial business within Canada, including international and interprovincial transfers of personal information.

The law applies in all provinces, except for those that have substantially similar privacy laws.

Customers are responsible for determining the application of PIPEDA and complying with it; however, has numerous settings and features to assist with that compliance.

National Defense Authorization Act Section 889 (NDAA Section 889)

is compliant with NDAA Section 889.

Section 889 of the 2019 National Defense Authorization Act (NDAA) prohibits US federal government agencies, contractors, and grant and loan recipients from using or procuring certain covered telecommunications, video, or surveillance equipment or services. Such covered equipment or services are those from specific companies, including their subsidiaries and affiliates.

FIPS 140-3

FIPS 140-3, which replaced FIPS 140-2, is required under multiple compliance regimes, such as Federal Risk and Authorization Management Program (FedRAMP), Federal Information Security Management Act of 2002 (FISMA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). is planning to launch FIPS 140-3 compliant endpoints in 2024.

Federal Risk and Authorization Management Program (FedRAMP)

The Federal Risk and Authorization Management Program (FedRAMP) was established in 2011 to provide parameters for the adoption and use of cloud services by the federal government. is not FedRAMP authorized.

We have, however, successfully completed multiple SOC 2 audits; please reference our latest SOC 2 report for more details.

Americans with Disabilities Act (ADA) and Voluntary Product Accessibility Template (VPAT)

is proud to be compliant with the Americans with Disabilities Act (ADA).

We understand the importance of accessibility and are committed to ensuring that our platform is accessible to all users, including those with disabilities.

As part of this commitment, we have prepared an audited Voluntary Product Accessibility Template (VPAT) report based on the Web Content Accessibility Guidelines (WCAG).

Contact your Account Executive or Customer Support to obtain the latest VPAT report.

GxP and Food and Drug Administration (FDA) 21 CFR Part 11

GxP and related acronyms refer to regulations and quality guidelines in the life sciences industry maintained by the Food and Drug Administration (FDA) in the United States and similar organizations in other countries. These acronyms stand for "Good [x] Practices", such as Good Manufacturing Practices (GMP), Good Laboratory Practices (GLP), etc.

21 CFR Part 11 refers to part 11 of Title 21 of the Code of Federal Regulations, which is a regulatory document about Electronic Records and Electronic Signatures. provides tools and controls that allow to be used within organizations that are complying with FDA 21 CFR Part 11; however, proper controls, configuration, and validation of the configuration are the responsibility of the customer.

Please refer to the Shared Responsibility Model for more information.

Other Compliance Frameworks

actively reviews the landscape of compliance frameworks and audit regimes. If your organization has a specific certification or compliance need, please reach out to us, and we are happy to explore the opportunity.


©2023 All rights reserved
