Security, compliance, and data sovereignty
Every statistic and control here is written to survive an enterprise procurement audit. Where a certification is in progress, we say so, credibility is the product.
Certifications & frameworks
We state only what we hold. Items in progress carry an honest status and target, never claimed as complete.
SOC 2 Type II
ActiveSOC 2 Type II controls in place; report available under NDA.
ISO 27001
ActiveInformation-security management system certified to ISO/IEC 27001.
GDPR
AlignedAligned to the EU General Data Protection Regulation; DPA available for every engagement.
EU AI Act
AlignedAligned to the EU AI Act's provider obligations and data-governance requirements.
CCPA / CPRA (US)
AlignedAligned to California privacy law and applicable US state privacy statutes.
PIPEDA / Law 25 (Canada)
AlignedAligned to Canada's PIPEDA and Quebec's Law 25 for personal information.
Privacy Act / APPs (Australia)
AlignedAligned to the Australian Privacy Act 1988 and the Australian Privacy Principles.
HIPAA
Available on requestBAA available for qualifying healthcare engagements.
Data residency & sovereignty per hub
Data can be processed in-region to meet residency and sovereignty requirements. Each hub carries its own compliance posture.
| Hub | Region | Compliance posture | Timezone |
|---|---|---|---|
| Tashkent | Central Asia | GDPR-aligned DPA | UTC+5 |
| Samarkand | Central Asia | GDPR-aligned DPA | UTC+5 |
| Manila | Southeast Asia | SOC 2 Type II, ISO 27001, GDPR | UTC+8 |
| Ho Chi Minh City | Southeast Asia | GDPR-aligned DPA | UTC+7 |
| Accra | West Africa | GDPR-aligned DPA | UTC+0 |
| Kampala | East Africa | GDPR-aligned DPA | UTC+3 |
| Istanbul | Europe / MENA | GDPR, EU AI Act readiness | UTC+3 |
| Warsaw | Europe | GDPR, EU AI Act readiness | UTC+1 |
| Lahore | South Asia | GDPR-aligned DPA | UTC+5 |
| Nairobi | East Africa | GDPR-aligned DPA | UTC+3 |
| Santo Domingo | Latin America | GDPR-aligned DPA | UTC-4 |
| United States | North America | SOC 2 Type II, CCPA/CPRA | UTC-5 to UTC-8 |
| Canada | North America | SOC 2 Type II, PIPEDA, Law 25 | UTC-4 to UTC-8 |
| Mexico | Latin America | GDPR-aligned DPA | UTC-6 |
| United Kingdom | Europe | UK GDPR, GDPR | UTC+0 to UTC+1 |
| Australia | Oceania | Australian Privacy Act, APPs | UTC+10 to UTC+11 |
Compliance by jurisdiction
Select a jurisdiction to see the frameworks, data residency, and contracting posture that apply.
European Union
Indicative posture. Final terms are set in your executed agreement and DPA; certifications in progress are marked in the Trust Center.
Security program
Role-based access control, least-privilege provisioning, encrypted data at rest and in transit, centralized logging, and regular access reviews. Security is owned at the operations level, not delegated to a marketplace.
Secure facility controls
Owned hubs operate clean-room project spaces with device policy, network isolation, and physical access controls for sensitive engagements. Because we run the facilities, controls are enforced, not requested.
Confidentiality & IP assignment
All work product and IP assign to the client. Every contributor is bound by confidentiality and IP-assignment terms before touching a project.
Subprocessors
A current subprocessor list is available on request. Clients are notified of material subprocessor changes per the terms of the DPA.
Incident response
Documented incident-response procedures with defined severity levels, escalation paths, and client-notification commitments captured in the DPA.
Data processing agreements
A DPA is available for every engagement; a BAA is available for qualifying healthcare work. Data-retention terms are set per project and documented.
Ethical labor practices & fair pay
Corpshore runs on real employment and fair pay in the communities where we operate, a compliance and ESG asset most data vendors cannot credibly claim. Contributors are employed or contracted on transparent terms, paid fairly for their region, and work in owned in-region hubs. Ethical sourcing is documented and available to enterprise buyers on request.
Need our security documentation?
Request the subprocessor list, DPA/BAA, or security overview and a Corpshore lead will share them under NDA.