Compliance

Our commitment to regulatory compliance

Our Compliance Framework

PersonalFreedom.AI maintains a comprehensive compliance program that meets and exceeds industry standards and regulatory requirements worldwide. Our commitment to compliance ensures your data is handled with the highest standards of care and protection.

1. Data Protection Regulations

GDPR (General Data Protection Regulation)

Applies to: All users in the European Union and European Economic Area

Your Rights Under GDPR:

  • Right to Access - Obtain a copy of your personal data
  • Right to Rectification - Correct inaccurate personal data
  • Right to Erasure - Request deletion of your data ("right to be forgotten")
  • Right to Portability - Transfer your data to another service
  • Right to Object - Opt out of certain processing activities
  • Right to Restrict Processing - Limit how we use your data
  • Right to Withdraw Consent - Change your mind about data processing

How We Comply:

  • Privacy by Design in all our products and services
  • Data Protection Officer appointed and available
  • Data Processing Agreements with all sub-processors
  • Regular Data Protection Impact Assessments (DPIA)
  • 72-hour breach notification commitment
  • Lawful basis documented for all processing

CCPA (California Consumer Privacy Act)

Applies to: California residents

Your Rights Under CCPA:

  • Right to Know - What personal information we collect and how we use it
  • Right to Delete - Request deletion of your personal information
  • Right to Opt-Out - Prevent sale of your personal information (we don't sell data)
  • Right to Non-Discrimination - Equal service regardless of privacy choices
  • Right to Correct - Fix inaccurate personal information

How We Comply:

  • Clear privacy notices at point of collection
  • Easy-to-use privacy rights request system
  • No sale of personal information to third parties
  • Annual privacy training for all employees
  • Verified consumer request process

Other Regional Regulations

  • LGPD (Brazil) - Full compliance with Brazilian data protection law
  • PIPEDA (Canada) - Canadian privacy law compliance
  • PDPA (Singapore) - Singapore data protection compliance
  • Privacy Act (Australia) - Australian privacy principles adherence
  • UK GDPR - Post-Brexit UK data protection compliance

2. Industry-Specific Compliance

HIPAA (Health Insurance Portability and Accountability Act)

For Healthcare Customers

Safeguards We Implement:

  • Administrative Safeguards
    • Security Officer designation
    • Workforce training and access management
    • Risk assessments and management
    • Business Associate Agreements (BAA) available
  • Physical Safeguards
    • Facility access controls
    • Workstation security
    • Device and media controls
  • Technical Safeguards
    • Access controls and unique user identification
    • Encryption and decryption
    • Audit logs and integrity controls
    • Transmission security

PCI DSS (Payment Card Industry Data Security Standard)

For Payment Processing

Level 1 Compliance Measures:

  • Never store sensitive cardholder data
  • Use PCI-compliant payment processors
  • Network segmentation and firewall protection
  • Regular security testing and monitoring
  • Strong access control measures
  • Annual compliance validation

FERPA (Family Educational Rights and Privacy Act)

For Educational Institutions

  • Protection of student education records
  • Parental access rights support
  • Directory information controls
  • Consent management for disclosures

3. Security Certifications

SOC 2 Type II

Annual Audit Coverage:

  • Security - Protection against unauthorized access
  • Availability - System uptime and performance
  • Processing Integrity - Accurate and complete processing
  • Confidentiality - Protection of confidential information
  • Privacy - Personal information handling

ISO 27001

Information Security Management System:

  • Risk-based approach to security
  • Continuous improvement process
  • 114 security controls implemented
  • Annual surveillance audits
  • Triennial recertification

ISO 27701

Privacy Information Management:

  • Extension of ISO 27001 for privacy
  • GDPR and CCPA alignment
  • Privacy controls and processes
  • Data subject rights management

4. Data Governance

Data Classification

  • Public - Marketing materials, public documentation
  • Internal - Internal communications, procedures
  • Confidential - Customer data, business plans
  • Restricted - PII, PHI, payment information

Data Lifecycle Management

  • Collection - Minimal data, clear purpose
  • Processing - Lawful basis, limited use
  • Storage - Encrypted, access controlled
  • Sharing - Need-to-know, agreements in place
  • Retention - Time-limited, documented
  • Deletion - Secure, irreversible

5. Cross-Border Data Transfers

Transfer Mechanisms

  • Standard Contractual Clauses (SCCs) - EU-approved transfer mechanism
  • Adequacy Decisions - Transfers to approved countries
  • Binding Corporate Rules - For intra-group transfers
  • Consent - Explicit consent where appropriate

Data Residency Options

  • US data centers (primary)
  • EU data centers (available)
  • Asia-Pacific data centers (available)
  • Custom deployment for specific requirements

6. Vendor and Third-Party Compliance

Vendor Assessment

  • Security questionnaires for all vendors
  • Compliance certification verification
  • Data Processing Agreements required
  • Regular audit rights
  • Annual review process

Sub-Processor List

We maintain a current list of sub-processors:

  • Cloud Infrastructure - AWS, Google Cloud, Azure
  • Payment Processing - Stripe (PCI compliant)
  • Email Services - SendGrid (SOC 2 compliant)
  • Analytics - Privacy-focused, GDPR compliant

7. Audit and Assessment

Internal Audits

  • Quarterly compliance reviews
  • Monthly security assessments
  • Annual risk assessments
  • Continuous monitoring and improvement

External Audits

  • Annual SOC 2 Type II audit
  • ISO 27001/27701 surveillance audits
  • Customer audit rights (Enterprise)
  • Regulatory examinations as required

8. Privacy Rights Management

Request Process

Submit privacy rights requests through:

  • Account dashboard (self-service)
  • Secure contact form
  • API for programmatic requests

Response Timeline

  • Acknowledgment - Within 48 hours
  • Verification - Within 5 business days
  • Fulfillment - Within 30 days (45 days for complex requests)
  • Appeals - Available if request denied

9. Breach Response

Incident Response Plan

  • Detection - Continuous monitoring and alerting
  • Assessment - Immediate impact analysis
  • Containment - Stop and prevent further damage
  • Notification - Users and regulators as required
  • Recovery - Restore normal operations
  • Lessons Learned - Improve based on incident

Notification Commitments

  • GDPR: Within 72 hours to authorities
  • CCPA: Without unreasonable delay
  • HIPAA: Within 60 days to affected individuals
  • Other: As required by applicable law

10. Training and Awareness

Employee Training

  • Annual compliance training for all staff
  • Role-specific privacy training
  • Security awareness programs
  • Regular updates on new regulations
  • Testing and certification requirements

Customer Resources

  • Compliance documentation portal
  • Privacy and security best practices
  • Webinars and training materials
  • Regular compliance updates

11. Transparency and Accountability

Public Commitments

  • Annual transparency report
  • Government request disclosures
  • Security incident statistics
  • Compliance certification status

Accountability Measures

  • Data Protection Officer appointed
  • Privacy Board oversight
  • Regular compliance reporting
  • Independent third-party audits

12. Special Programs

Privacy Shield (Where Applicable)

  • Self-certification maintained
  • Dispute resolution process
  • Cooperation with DPAs
  • Liability for onward transfers

Government Access

  • Transparency about government requests
  • Challenge unlawful requests
  • Minimize data disclosure
  • User notification where permitted

Contact Our Compliance Team

For compliance-related inquiries, certifications, or audit requests:

  • Contact: Use our secure contact form
  • Data Protection Officer: Available at the same email address
  • Response Time: Within 2 business days
  • Audit Requests: Enterprise customers only

Available Documentation

  • SOC 2 Type II Report (NDA required)
  • ISO 27001/27701 Certificates
  • HIPAA Compliance Attestation
  • Data Processing Agreement (DPA)
  • Business Associate Agreement (BAA)
  • Security Whitepaper
  • Privacy Impact Assessments