Security & Compliance

Certifications

• ISO 27001 — held. Re-audit annual.
• SOC 2 Type 2 — audit in progress; certification expected FY28.
• HIPAA-ready — BAA available; safeguards align to the HIPAA Security Rule.
• GDPR — compliant. DPA available; EU SCCs in place.
• NIST SP 800-88 — Reverse Logistics sanitisation aligned to Revision 1.
• NIST AI RMF — AI Copilot aligned to the framework.
• EU AI Act — readiness assessment completed; full conformity assessment scheduled.

Sub-processors

Editable list maintained here. Current sub-processors:

• AWS — infrastructure (US East / EU West)
• Pipedrive — CRM
• SendGrid — transactional email
• Cloudflare — CDN / DDoS protection
• Google Workspace — internal operations

Material changes notified per GDPR Article 28(2).

Vulnerability disclosure

Email security@veroxos.com. PGP key available on request. We commit to acknowledge within 48 hours.