Last Audit: October 2024 | Next Audit: April 2025
At Clayva, we take compliance and data protection seriously. This page outlines our compliance certifications, standards we adhere to, and our commitment to protecting your data in accordance with global regulations.
Compliance Overview
Clayva maintains a comprehensive compliance program that encompasses multiple frameworks and standards to ensure the highest level of data protection and security for our customers worldwide. Our compliance team continuously monitors regulatory changes and updates our practices accordingly.
Certifications & Standards
SOC 2 Type II
Clayva has completed a SOC 2 Type II audit covering the five AICPA Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. A Type II report attests to the operating effectiveness of controls over the whole audit period, not only to their design at a point in time as a Type I report does. The report is available to enterprise customers on request under NDA.
- Audit Period: January 1, 2024 - October 31, 2024
- Auditor: Ernst & Young LLP
- Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, Privacy
- Report Available: To enterprise customers upon execution of an NDA
ISO 27001:2013
We are certified under ISO/IEC 27001:2013, the international standard for information security management systems (ISMS). This certification validates our systematic approach to managing sensitive company and customer information. Note that ISO/IEC 27001:2022 has since superseded the 2013 edition and certificates issued against the 2013 edition are subject to a transition period, so customers should request the current certificate to confirm the edition in force and the certified scope.
- Certificate Number: IS 756234
- Certification Body: BSI Group
- Valid Until: December 31, 2025
- Scope: Analytics platform services and data processing
GDPR Compliance
Clayva complies with the General Data Protection Regulation (GDPR) when handling personal data of individuals in the European Union and EEA, both as a data processor acting on documented customer instructions and as a data controller for the personal data it processes for its own purposes.
- Appointed Data Protection Officer (DPO)
- Privacy by Design implementation
- Data Processing Agreements (DPA) available
- Regular Data Protection Impact Assessments (DPIA)
- Documented data retention and deletion policies
- Support for data subject rights (access, rectification, erasure, portability)
- Breach notification procedures: as controller, notification to the competent supervisory authority within 72 hours of becoming aware of a personal data breach (Article 33); as processor, notification to the affected customer without undue delay so that the customer can meet its own 72-hour deadline
CCPA Compliance
Clayva complies with the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), providing California residents with the required privacy rights and protections.
- Right to know what personal information is collected
- Right to delete personal information
- Right to opt-out of the sale or sharing of personal information
- Right to non-discrimination
- Right to correct inaccurate personal information
- Right to limit use of sensitive personal information
HIPAA Compliance
There is no formal HIPAA certification program. For healthcare organizations, Clayva operates as a business associate and supports HIPAA-compliant use of the platform with the following safeguards and agreements in place.
- Administrative safeguards implementation
- Physical safeguards for data centers
- Technical safeguards including encryption and access controls
- BAA execution with covered entities
- Employee HIPAA training program
- Incident response procedures for PHI
PCI DSS
Clayva does not store, process, or transmit payment card data on its own systems. Card payments are handled by payment processors validated as PCI DSS Level 1 Service Providers, and Clayva's systems retain only the tokens those processors return. Any payment-related information that does pass through Clayva is handled under the controls below.
- Card processing delegated to PCI DSS Level 1 validated Service Providers
- Tokenization of payment information
- No storage of card verification codes
- Regular security scanning and testing
Data Residency
Clayva offers flexible data residency options to meet your geographic and regulatory requirements:
| Region | Data Center Locations | Compliance Standards | Availability |
|---|---|---|---|
| United States | Virginia, Oregon, California | SOC 2, CCPA, HIPAA | ✅ Available |
| European Union | Frankfurt, Ireland, Paris | GDPR, ISO 27001 | ✅ Available |
| United Kingdom | London | UK GDPR, ISO 27001 | ✅ Available |
| Canada | Montreal, Toronto | PIPEDA, SOC 2 | ✅ Available |
| Asia Pacific | Singapore, Sydney, Tokyo | PDPA, ISO 27001 | ✅ Available |
| Middle East | UAE | Local regulations | 🔄 Coming Q2 2025 |
Audit & Compliance Logs
Clayva maintains comprehensive audit logs for all data access and administrative actions:
- User Activity Logs: All user actions including login, data access, and configuration changes
- Administrative Logs: System administrator activities and privilege escalations
- API Access Logs: All API calls with timestamps and parameters
- Security Event Logs: Failed authentication attempts, permission denials
- Data Export Logs: Records of all data exports and downloads
- Retention Period: Minimum 2 years for compliance purposes
Data Processing Agreements
We offer a standard Data Processing Agreement (DPA) that contains the mandatory processor contract terms of GDPR Article 28(3):
Our DPA includes:
- Clear definition of processing scope and purposes
- Technical and organizational security measures
- Subprocessor authorization and notification procedures
- Data subject rights assistance
- Audit and inspection rights
- Data return and deletion obligations
- Standard Contractual Clauses (SCCs) for transfers of personal data outside the EU/EEA (GDPR Chapter V)
Subprocessors
We work with carefully selected subprocessors to provide our services. All subprocessors are bound by data protection agreements and undergo regular security assessments.
| Subprocessor | Purpose | Location | Certifications |
|---|---|---|---|
| Amazon Web Services | Infrastructure hosting | United States | SOC 2, ISO 27001 |
| Google Cloud Platform | Data processing | United States | SOC 2, ISO 27001 |
| Stripe | Payment processing | United States | PCI DSS Level 1 |
| SendGrid | Email delivery | United States | SOC 2 Type II |
| Datadog | Infrastructure monitoring | United States | SOC 2 Type II |
| Auth0 | Authentication services | United States | SOC 2, ISO 27001 |
Notification of Changes: We provide 30 days advance notice for any additions or changes to our subprocessor list via email to the primary account contact.
Incident Response
Our incident response plan ensures rapid detection, containment, and resolution of security incidents:
Compliance Contacts
Data Protection Officer
John Smith
dpo@clayva.com
+1 (415) 555-0100
Compliance Team
General Inquiries
compliance@clayva.com
+1 (415) 555-0101
Security Team
Security Reports
security@clayva.com
24/7 Hotline: +1 (415) 555-0911
Resources & Documentation
Access our compliance documentation and resources: