Compliance

Plain-English summary of where PassCryp stands on every major compliance regime: GDPR, CCPA, DPA availability, SOC2 roadmap, and what we do not yet support (HIPAA BAAs, FedRAMP, ISO 27001). No marketing fog.

GDPR ready

DPA available on Premium and Pro. EU data residency on Pro. Standard Contractual Clauses for cross-border transfer.

CCPA compliant

California Consumer Privacy Act controls in place: data access, deletion, do-not-sell. Privacy policy reflects current CCPA requirements.

SOC2 Type II — scheduled 2026

Control set implemented; formal audit window opens Q4 2026 with Type II report targeted for 2027.

Not yet supported

HIPAA (BAAs only on Pro, case by case, after a security review), FedRAMP, ISO 27001. If you require any of these as a standing certification today, choose an enterprise-positioned manager.

Sub-processors with DPAs

Every sub-processor has a signed DPA with PassCryp. List published with regions and processing purposes.

GDPR posture in detail

PassCryp is GDPR-ready: the lawful basis for processing is contract performance (delivering the service you signed up for); data minimization is enforced by the zero-knowledge architecture (vault contents are encrypted on your device, so PassCryp only ever processes ciphertext plus the account metadata needed to run the service, and cannot read what you store); and data subject rights (access, rectification, erasure, portability) are implemented in the product. For the contents of your vault you remain the controller and PassCryp acts as your processor under the DPA, so GDPR compliance of what you put in the vault is a shared obligation, not something the service can deliver on its own.

EU customers on Pro get EU data residency: vault ciphertext is stored in EU regions only, with Standard Contractual Clauses covering any cross-border processing (e.g., a support ticket handled from a US time zone). The DPA available on Premium and Pro covers the Article 28 processor obligations on standard terms.

CCPA and other US state laws

California (CCPA, CPRA): full data access, deletion, do-not-sell, and limit-use-of-sensitive-personal-information rights implemented in account settings.

Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA): equivalent rights honored under the same controls. We treat the strictest applicable law as the baseline for all US customers.

Children's privacy: PassCryp is not intended for users under 13. We do not knowingly collect data from children under 13; accounts identified as such are terminated and data deleted.

What we genuinely don't support yet

HIPAA: BAAs available on Pro on a case-by-case basis after a security review. Not appropriate for primary PHI storage; appropriate for credentials that grant access to HIPAA-regulated systems.

FedRAMP: not on the roadmap. FedRAMP is a multi-year, multi-million-dollar undertaking that doesn't fit a sub-50-seat tool.

ISO 27001: not on the immediate roadmap. Our SOC2 Type II work overlaps significantly; we may pursue ISO 27001 after SOC2 ships.

Frequently asked questions

Are you GDPR compliant?

Yes. DPA available on Premium and Pro, EU data residency on Pro, Standard Contractual Clauses for cross-border transfer.

Can I get a copy of your DPA?

Yes — download from the DPA page or request a signed copy from compliance@passcryp.com.

Are you SOC2 certified?

No. The Type II audit is scheduled for late 2026, with the report targeted for 2027. The control set is in place today. Note that a bridge letter only covers the period after an issued report, so none can exist until the first Type II report ships; contact compliance@passcryp.com for what can be shared about the controls in the meantime.

Do you offer HIPAA BAAs?

Available on Pro on a case-by-case basis after a security review. Suitable for credentials, not for primary PHI storage.

Where is my data hosted?

Supabase-managed Postgres on AWS. EU and US regions; EU data residency on Pro.

How long do you retain my data?

Active vault data: for as long as your account is active. After account deletion: ciphertext remains in backups for up to 30 days, then is purged. Logs: 90 days.

Ready to take control of your secrets?

Start a free zero-knowledge vault in under 60 seconds.

Start your free vault