Skip to content
A Top 5 global AI outsourcing company by Outsource Accelerator, above Scale AI.
Trust Center

Security, compliance, and data sovereignty

Every statistic and control here is written to survive an enterprise procurement audit. Where a certification is in progress, we say so, credibility is the product.

Certifications & frameworks

We state only what we hold. Items in progress carry an honest status and target, never claimed as complete.

SOC 2 Type II

Active

SOC 2 Type II controls in place; report available under NDA.

ISO 27001

Active

Information-security management system certified to ISO/IEC 27001.

GDPR

Aligned

Aligned to the EU General Data Protection Regulation; DPA available for every engagement.

EU AI Act

Aligned

Aligned to the EU AI Act's provider obligations and data-governance requirements.

CCPA / CPRA (US)

Aligned

Aligned to California privacy law and applicable US state privacy statutes.

PIPEDA / Law 25 (Canada)

Aligned

Aligned to Canada's PIPEDA and Quebec's Law 25 for personal information.

Privacy Act / APPs (Australia)

Aligned

Aligned to the Australian Privacy Act 1988 and the Australian Privacy Principles.

HIPAA

Available on request

BAA available for qualifying healthcare engagements.

Data residency & sovereignty per hub

Data can be processed in-region to meet residency and sovereignty requirements. Each hub carries its own compliance posture.

HubRegionCompliance postureTimezone
TashkentCentral AsiaGDPR-aligned DPAUTC+5
SamarkandCentral AsiaGDPR-aligned DPAUTC+5
ManilaSoutheast AsiaSOC 2 Type II, ISO 27001, GDPRUTC+8
Ho Chi Minh CitySoutheast AsiaGDPR-aligned DPAUTC+7
AccraWest AfricaGDPR-aligned DPAUTC+0
KampalaEast AfricaGDPR-aligned DPAUTC+3
IstanbulEurope / MENAGDPR, EU AI Act readinessUTC+3
WarsawEuropeGDPR, EU AI Act readinessUTC+1
LahoreSouth AsiaGDPR-aligned DPAUTC+5
NairobiEast AfricaGDPR-aligned DPAUTC+3
Santo DomingoLatin AmericaGDPR-aligned DPAUTC-4
United StatesNorth AmericaSOC 2 Type II, CCPA/CPRAUTC-5 to UTC-8
CanadaNorth AmericaSOC 2 Type II, PIPEDA, Law 25UTC-4 to UTC-8
MexicoLatin AmericaGDPR-aligned DPAUTC-6
United KingdomEuropeUK GDPR, GDPRUTC+0 to UTC+1
AustraliaOceaniaAustralian Privacy Act, APPsUTC+10 to UTC+11

Compliance by jurisdiction

Select a jurisdiction to see the frameworks, data residency, and contracting posture that apply.

European Union

Frameworks
GDPREU AI Act readiness
Data residency
In-region processing via Warsaw & Istanbul hubs
Contracting
DPA with SCCs; data-residency addendum available

Indicative posture. Final terms are set in your executed agreement and DPA; certifications in progress are marked in the Trust Center.

Security program

Role-based access control, least-privilege provisioning, encrypted data at rest and in transit, centralized logging, and regular access reviews. Security is owned at the operations level, not delegated to a marketplace.

Secure facility controls

Owned hubs operate clean-room project spaces with device policy, network isolation, and physical access controls for sensitive engagements. Because we run the facilities, controls are enforced, not requested.

Confidentiality & IP assignment

All work product and IP assign to the client. Every contributor is bound by confidentiality and IP-assignment terms before touching a project.

Subprocessors

A current subprocessor list is available on request. Clients are notified of material subprocessor changes per the terms of the DPA.

Incident response

Documented incident-response procedures with defined severity levels, escalation paths, and client-notification commitments captured in the DPA.

Data processing agreements

A DPA is available for every engagement; a BAA is available for qualifying healthcare work. Data-retention terms are set per project and documented.

Ethical labor practices & fair pay

Corpshore runs on real employment and fair pay in the communities where we operate, a compliance and ESG asset most data vendors cannot credibly claim. Contributors are employed or contracted on transparent terms, paid fairly for their region, and work in owned in-region hubs. Ethical sourcing is documented and available to enterprise buyers on request.

Need our security documentation?

Request the subprocessor list, DPA/BAA, or security overview and a Corpshore lead will share them under NDA.

Request documents Start a pilot