Compliance posture.
Last updated · 15 May 2026
Plain English
We are GDPR-aligned by design and our customer data lives in the European Union. We are not SOC 2, ISO 27001, or HIPAA certified today. If those certifications are a hard requirement for your procurement, tell us — we'd rather know early than waste your time.
What we are today
| Standard | Status | Notes |
|---|---|---|
| GDPR (EU 2016/679) | Aligned | EU data residency by default; signable DPA; SCCs for transfers; data subject rights workflow. |
| UK GDPR | Aligned | Same controls; UK addendum to SCCs available on request. |
| EU Data Act (2023/2854) | In scope, monitoring | We follow EU Commission guidance as it issues. |
| EU AI Act (2024/1689) | Monitoring | We are not a high-risk-system provider as defined by the Act for the surfaces customers deploy. We continue to monitor obligations under Articles 50 and following. |
What we are not, today
We do not currently hold any of the certifications below. If you require one of them, MLtitude may not yet meet your procurement bar — talk to us before sign-off.
| Standard | Status | Honest reason |
|---|---|---|
| SOC 2 Type I / II | Not certified | We're a small team with light controls; a SOC 2 audit would not yet be defensible. We will publish a roadmap if and when one is funded. |
| ISO 27001 | Not certified | Same as above. |
| ISO 42001 (AI management) | Not certified | Newer standard; we are reading it but not pursuing certification on a published timeline. |
| HIPAA / BAA | Not offered | MLtitude is not a HIPAA Business Associate. Do not put PHI into the Service. |
| FedRAMP | Not in scope | No US-government tenancy; no plans. |
| PCI DSS | Not applicable | We don't store cardholder data. Payment processing is delegated to Stripe. |
What is in place that compensates
- EU data residency by default. Customer content stays on EU infrastructure (Hetzner, Germany).
- Documented sub-processor list with 30-day change notice — see sub-processors.
- Signable DPA incorporating Standard Contractual Clauses — see DPA.
- Encryption in transit (TLS 1.2+) and at rest at the storage layer (AES-256).
- No training of any model on customer content — see Data & model governance.
- Audit logs for significant user actions, retained for the life of the account.
- Vulnerability reporting channel with stated response times — see responsible disclosure.
- Incident notification within 72 hours of confirmation, per the DPA and GDPR Article 33.
Roadmap
We don't publish certification timelines we can't commit to. If we begin a SOC 2 or ISO 27001 engagement, we will say so on this page with the auditor's name and the expected report window.
Customer-side compliance considerations
- MLtitude is not a substitute for your own privacy notices to learners. Inform your trainees and other end users that you operate MLtitude on their behalf.
- For special-category personal data (Article 9 GDPR — health, biometrics, etc.), confirm with us that the lawful basis and the configuration are appropriate before uploading. The default configuration is not designed for special-category data.
- If your sector has specific obligations (e.g. financial-services records retention, MAS Notice 658 for Singapore, FCA SYSC 9 for UK), the obligation rests with you — we can usually accommodate, but we do not warrant retention beyond our default unless agreed in writing.
Vendor questionnaires
Most of what your vendor-risk team puts in a spreadsheet is already answered on our pre-filled questionnaire at /trust/security-questionnaire (modelled on SIG Lite). If your team needs a specific format (CAIQ, SIG, custom), send the form to info@edothsoft.com and we'll return it within ten business days. If you need it faster, say so; we will work to your deadline where possible.
Audit and right to inspect
On commercial agreements, customers may request audit information as set out in the DPA, Section 7. We do not offer on-site audits at present. Where a remote audit is appropriate, we will provide responses, sub-processor evidence, and policies under NDA.