Compliance
AiSpendTrack’s compliance with industry standards and regulations.
GDPR Compliance
AiSpendTrack processes personal data in accordance with the General Data Protection Regulation (GDPR); the sections below describe how.
Your Rights
Under GDPR, you have:
Right to Access
- View all your data at any time
- Export in machine-readable format (CSV, JSON)
- Available in dashboard: Settings → Export Data
Right to Deletion
- Request account deletion anytime
- Data deleted within 30 days
- Available in dashboard: Settings → Delete Account
Right to Portability
- Export all data in standard formats
- Take your data to another service
- No lock-in
Right to Rectification
- Correct inaccurate data
- Update account information
- Contact support for data corrections
Right to Object
- Object to data processing
- Opt out of analytics (self-service toggle on Pro and above; other tiers by email)
- Contact: privacy@aispendtrack.com
Data Processing
Legal Basis:
- Contract performance (providing the service)
- Legitimate interest (improving the product)
- Consent (marketing communications)
Data Processor Agreement: Available for Enterprise customers. Contact sales@aispendtrack.com.
Data Transfers
Primary region: United States (AWS us-east-1)
EU customers:
- EU-region data storage for Enterprise customers (see the Compliance Roadmap below for availability)
- Standard Contractual Clauses (SCCs) available for transfers to the US
- Subprocessors bound by GDPR-compliant data processing terms
Subprocessors
We use these GDPR-compliant subprocessors:
| Service | Purpose | Location |
|---|---|---|
| Railway | Proxy hosting | US |
| Neon | Database | US |
| Vercel | Dashboard hosting | Global CDN |
| Clerk | Authentication | US |
| Resend | Email delivery | US |
Full list: aispendtrack.com/subprocessors
SOC 2 Type II
Our infrastructure providers hold SOC 2 Type II reports. A provider's report covers that provider's own controls, not AiSpendTrack's; our own audit status is listed separately below.
Providers with SOC 2 Type II reports:
- ✅ Railway (proxy hosting)
- ✅ Neon (database)
- ✅ Vercel (frontend hosting)
- ✅ Clerk (authentication)
Our SOC 2 status:
- In progress (expected Q3 2024)
- Trust Services Criteria in scope: Security, Availability, Confidentiality
- Annual audits
SOC 2 reports available to Enterprise customers under NDA.
ISO 27001
Status: Not yet certified
Timeline:
- Planning: Q2 2024
- Implementation: Q3-Q4 2024
- Certification: Q1 2025
Available for Enterprise customers when complete.
CCPA Compliance
We comply with the California Consumer Privacy Act (CCPA).
Your rights:
- Right to know what data we collect
- Right to delete your data
- Right to opt-out of data sales (we don’t sell data)
- Right to non-discrimination
How to exercise rights:
- Email: privacy@aispendtrack.com
- Dashboard: Settings → Privacy
- Response time: 30 days maximum
HIPAA Compliance
Status: Not HIPAA compliant. Do not send protected health information (PHI) to AiSpendTrack.
Enterprise HIPAA: a HIPAA-eligible deployment with a Business Associate Agreement (BAA) is on the roadmap (see Compliance Roadmap below). Contact sales@aispendtrack.com.
PCI DSS
We do not handle card data directly.
Payment processing:
- Stripe (PCI DSS Level 1 service provider)
- Card numbers are entered into and stored by Stripe; they never transit or reside on our systems
- This keeps AiSpendTrack's own PCI DSS scope to a minimum; the cardholder-data environment is Stripe's
Data Retention
Active data:
- Free tier: 7 days
- Pro tier: 90 days
- Enterprise: Custom (up to 365 days)
After retention period:
- Individual call records: Deleted
- Aggregate statistics: Retained (anonymized)
Backups:
- Daily backups: 30 days
- Weekly backups: 90 days
- After deletion request: Removed from backups within 30 days
Security Certifications
| Standard / Regulation | Status | Available |
|---|---|---|
| SOC 2 Type II | In progress | Q3 2024 |
| ISO 27001 | Planned | Q1 2025 |
| GDPR | Compliant | Now |
| CCPA | Compliant | Now |
| HIPAA | Not supported | Enterprise (roadmap, 2024 Q3-Q4) |
Penetration Testing
Frequency: Annually
Last test: January 2024
Scope:
- Web applications (dashboard, admin)
- API endpoints
- Authentication systems
Findings:
- All critical/high issues resolved
- Report available to Enterprise customers
Next test: January 2025
Vulnerability Disclosure
Report vulnerabilities:
- Email: security@aispendtrack.com
- PGP key: Available on request
Response SLAs (time to first response, by severity):
- Critical: 24 hours
- High: 72 hours
- Medium: 7 days
- Low: 30 days
Bug bounty:
- Coming soon (Q2 2024)
- Managed through HackerOne
Compliance Support
For Enterprise customers:
- Custom DPAs (Data Processing Agreements)
- BAAs (Business Associate Agreements), once HIPAA support is available
- SCCs (Standard Contractual Clauses)
- Security questionnaire responses
- Compliance documentation
- Audit support
Contact sales@aispendtrack.com
Compliance Roadmap
2024 Q2:
- SOC 2 Type II audit (report expected Q3 2024)
- Bug bounty program launch
- Enhanced audit logging
2024 Q3-Q4:
- ISO 27001 implementation
- HIPAA compliance (Enterprise)
- Regional data residency (EU)
2025:
- ISO 27001 certification
- Additional regional hosting
- Industry-specific compliance (FedRAMP, etc.)
Audit Logs
Pro tier:
- User activity logs (30 days)
- API access logs (30 days)
Enterprise tier:
- Full audit trail (365 days)
- Admin action logs
- Data access logs
- Export to SIEM
Questions?
- Email: compliance@aispendtrack.com
- Privacy: privacy@aispendtrack.com
- Security: security@aispendtrack.com