Our Compliance Commitment
CompanionFrame API is committed to operating in compliance with applicable data protection and privacy regulations. As a growing platform, we implement comprehensive compliance measures and continuously improve our practices to meet evolving regulatory requirements.
Compliance Principles
Our compliance approach is built on:
- ✅ Privacy by design - Data protection built into our platform architecture
- ✅ Transparency - Clear policies and practices for data handling
- ✅ User rights - Comprehensive support for data subject rights
- ✅ Continuous improvement - Regular review and enhancement of compliance measures
- ✅ Legal expertise - Working with legal professionals to ensure compliance
Data Protection Compliance
GDPR Compliance Framework
📋 Data Processing Legal Bases
We process personal data under clear legal bases as required by GDPR:
- Contract performance: API service delivery, account management, billing
- Legitimate interests: Service improvement, security monitoring, fraud prevention
- Consent: Marketing communications, optional analytics
- Legal obligation: Tax records, regulatory reporting, law enforcement cooperation
🔒 Data Subject Rights Implementation
We provide comprehensive support for all GDPR data subject rights:
- Right of access: Request copies of all personal data we hold
- Right to rectification: Correct inaccurate or incomplete data
- Right to erasure: Delete personal data ("right to be forgotten")
- Right to restrict processing: Limit data processing in specific circumstances
- Right to data portability: Receive data in machine-readable format
- Right to object: Object to processing based on legitimate interests
How to exercise rights: Contact privacy@companionframe-api.com or use your dashboard settings
UK Data Protection Compliance
- UK GDPR: Full compliance with the UK's post-Brexit data protection framework
- Data Protection Act 2018: Compliance with UK-specific data protection requirements
- ICO guidance: Following the Information Commissioner's Office guidelines and best practices
- UK establishment: CompanionFrame Limited registered in England and Wales
Industry and Technical Standards
Current Compliance Status
✅ Implemented Standards
- Data encryption: AES-256-GCM for data at rest, TLS 1.3 for data in transit
- Access controls: Role-based access with secure authentication
- Data retention: Clear retention policies and automated deletion procedures
- Privacy by design: Data protection built into our platform architecture
- Incident response: Documented procedures for security incident handling
Compliance Roadmap
Growing Platform Notice
As CompanionFrame API grows, we're working toward additional compliance frameworks:
- ISO 27001: Information security management system (planned for 2025)
- SOC 2 Type I: Service organization controls (under evaluation)
- HIPAA readiness: Healthcare data protection capabilities (roadmap)
- Regional compliance: Additional jurisdictions as we expand internationally
Timeline: Formal certifications planned as we scale and establish dedicated compliance resources.
Mental Health Data Protection
Sensitive Data Handling
We recognize that emotional support conversations contain highly sensitive personal information and implement enhanced protection measures:
- End-to-end encryption: Conversations encrypted before storage and unreadable to our systems
- Purpose limitation: Data used only for AI response generation and service provision
- Data minimization: We collect and process only data necessary for service delivery
- Access restrictions: Strict access controls prevent unauthorized data access
- Retention limits: Customer-controlled data retention with secure deletion options
Professional Standards
- Ethical AI use: Responsible AI practices for mental health applications
- Crisis detection: Automated detection with professional resource provision
- Professional disclaimers: Clear limitations about AI not replacing professional care
- Resource provision: Comprehensive crisis support and professional help resources
Mental Health Compliance
While we're not a healthcare provider, we implement practices that support healthcare compliance:
- Technical safeguards: Encryption, access controls, audit logs
- Administrative safeguards: Data handling policies, staff training
- Physical safeguards: Secure cloud infrastructure with enterprise providers
- Business associate readiness: Framework for healthcare customer partnerships
Third-Party Compliance
Vendor Security and Compliance
We carefully evaluate the compliance posture of all third-party services we use:
🤝 Service Provider Compliance
- MongoDB Atlas: SOC 2, ISO 27001, GDPR compliant cloud database
- Vercel: SOC 2, GDPR compliant serverless hosting platform
- OpenAI: Enterprise-grade AI processing with data protection agreements
- Stripe: PCI DSS, SOC 1 & 2 compliant payment processing
- Resend: GDPR compliant email delivery service
Data Processing Agreements
- Comprehensive DPAs: Data processing agreements with all major service providers
- Standard Contractual Clauses: Appropriate safeguards for international data transfers
- Regular review: Periodic assessment of vendor compliance and agreement updates
- Customer transparency: Information about third-party processing available in our Privacy Policy
International Compliance
Cross-Border Data Transfers
- Adequate safeguards: Standard Contractual Clauses for transfers to non-EU countries
- Data localization: EU/UK data residency options available through MongoDB Atlas
- Transfer documentation: Clear documentation of all international data transfers
- Impact assessments: Evaluation of data protection risks for international transfers
Regional Compliance Considerations
- United States: CCPA readiness for California customers, sector-specific compliance planning
- Canada: PIPEDA consideration for Canadian business customers
- Australia: Privacy Act 1988 awareness for Australian market expansion
- Other jurisdictions: Compliance assessment before entering new markets
Business Customer Compliance Support
Customer Due Diligence
We support our business customers' compliance needs through:
- Security documentation: Detailed information about our security and data protection measures
- Compliance questionnaires: Responses to standard security and compliance questionnaires
- Data processing information: Clear documentation of how we process customer and end-user data
- Legal framework support: Information to support customer legal and compliance reviews
Enterprise Customer Support
- Custom agreements: Flexible terms for enterprise customers with specific compliance requirements
- Enhanced documentation: Additional compliance documentation for large customers
- Compliance consultation: Basic guidance on implementing our API in compliance-sensitive environments
- Regular updates: Notification of compliance-related changes and improvements
Customer Compliance Responsibility
Important: While we provide a compliant platform, customers are responsible for ensuring their own compliance with applicable laws and regulations in their specific jurisdictions and use cases. We recommend consulting with legal professionals for compliance advice specific to your implementation.
Compliance Monitoring and Improvement
Ongoing Compliance Management
- Regular policy review: Periodic review and update of all privacy and compliance policies
- Legal updates monitoring: Tracking changes in applicable data protection and privacy laws
- Best practice implementation: Adoption of industry best practices as they evolve
- Customer feedback: Incorporating customer compliance needs into our development roadmap
Incident Management
- Breach response: Documented procedures for data breach detection, assessment, and response
- Regulatory notification: Timely notification to supervisory authorities when required
- Customer communication: Transparent communication with affected customers during incidents
- Remediation: Comprehensive incident remediation and prevention measures
Audit and Documentation
Documentation and Records
- Data processing records: Comprehensive documentation of all data processing activities
- Policy documentation: Current versions of all privacy and compliance policies
- Training records: Documentation of staff privacy and security training
- Incident logs: Records of security incidents and compliance events
Audit Readiness
- Documentation availability: Compliance documentation readily available for customer audits
- Process transparency: Clear explanation of our data handling and security processes
- Evidence provision: Supporting evidence for compliance claims and certifications
- Improvement tracking: Documentation of compliance improvements and remediation efforts
Enterprise Audit Support
For enterprise customers requiring detailed compliance information:
- Security questionnaires: We can complete standard security and compliance questionnaires
- Documentation packages: Comprehensive compliance documentation available
- Compliance calls: Available for compliance discussion calls with enterprise prospects
- Custom agreements: Tailored compliance terms for large customer requirements
Regulatory Engagement
Supervisory Authority Relations
- UK ICO: Registered with the Information Commissioner's Office as required
- Guidance compliance: Following ICO guidance on AI, cookies, and data protection
- Regulatory communication: Established procedures for regulatory correspondence
- Proactive compliance: Staying informed about regulatory developments and guidance
Industry Engagement
- Best practice monitoring: Following industry developments in AI and data protection
- Professional networks: Engagement with privacy and compliance professional communities
- Standard development: Monitoring development of new industry standards and frameworks
- Peer learning: Learning from other platforms and compliance practices
Customer Compliance Resources
Available Documentation
- Privacy Policy: Comprehensive data processing and privacy information
- Terms of Service: Legal terms and customer obligations
- Cookie Policy: Detailed cookie usage and consent management
- Security documentation: Technical security measures and infrastructure details
- Data retention schedule: Clear information about data retention and deletion
Implementation Guidance
- API integration best practices: Security and privacy recommendations for API implementation
- End-user considerations: Guidance on end-user consent and privacy requirements
- Crisis response: Recommendations for handling crisis detection in customer applications
- Data handling guidelines: Best practices for processing conversation data through our API
Compliance Questions and Support
For compliance-related questions, documentation requests, or concerns about our regulatory practices:
Compliance Contact
- Privacy Officer: privacy@companionframe-api.com
- General Support: support@companionframe-api.com
- Enterprise Inquiries: support@companionframe-api.com
Documentation Requests
- Security questionnaires: We can complete standard compliance questionnaires
- DPA requests: Data processing agreements available for enterprise customers
- Audit documentation: Compliance documentation packages for customer audits
CompanionFrame Limited
Registered in England and Wales
United Kingdom
Compliance response commitment: We respond to compliance inquiries within 3-5 business days and prioritize enterprise customer compliance needs.