Compliance posture

Where eEndorsements stands today across the regulations and frameworks our customers care about. We separate what we've implemented ourselves from what we inherit through our infrastructure providers.

Our compliance posture

PCI DSS — SAQ-A scope
Self-attested

Because all card capture, storage, and processing happens on Stripe-hosted checkout pages and the Stripe billing portal, eEndorsements qualifies for the simplest PCI DSS Self-Assessment Questionnaire (SAQ-A). No cardholder data ever traverses our application or infrastructure.

HIPAA — technical safeguards in place
Implemented

Our platform implements the HIPAA Security Rule technical safeguards relevant to a SaaS environment: access control, audit controls, integrity controls, person/entity authentication, and transmission security. For customers subject to HIPAA, Business Associate Agreements with our database, hosting, email, and SMS subprocessors are available — see the Subprocessors page for current BAA status. Healthcare customers should contact us before storing PHI so we can confirm BAA coverage end-to-end.

GDPR & CCPA — data subject rights
Self-attested

We honour data subject access, deletion, and portability requests within 30 days. Send requests to privacy@eendorsements.com. We act as a data processor on behalf of our customers; end-consumer requests should generally be routed through the customer who collected the data.

CAN-SPAM & TCPA — consent tracking
Implemented

Every contact record carries do-not-email and do-not-text flags. Outbound campaigns check consent before each send. STOP, HELP, and unsubscribe events are recorded in the contact_unsubscribes log along with the method (link click, SMS reply, complaint, bounce).
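As an added illustration of the consent flags, pre-send check, and contact_unsubscribes log described above (example code written here, not eEndorsements' own implementation), assuming an in-memory contact model and that a HELP reply is logged without revoking consent:

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed model: the flag names, log name and method values follow the
# page; the data structures and HELP handling are assumptions for this example.
METHODS = {"link_click", "sms_reply", "complaint", "bounce"}

@dataclass
class Contact:
    id: str
    do_not_email: bool = False
    do_not_text: bool = False

contact_unsubscribes: list = []  # append-only event log (assumed in-memory here)

def record_event(contact: Contact, channel: str, method: str,
                 keyword: Optional[str] = None, revoke: bool = True) -> dict:
    """Append an event to contact_unsubscribes, then revoke consent on that channel."""
    if method not in METHODS or channel not in ("email", "sms"):
        raise ValueError(f"unknown method/channel: {method}/{channel}")
    event = {"contact_id": contact.id, "channel": channel, "method": method,
             "keyword": keyword, "at": datetime.now(timezone.utc).isoformat()}
    contact_unsubscribes.append(event)  # log before flipping the flag so the evidence survives a crash
    if revoke:
        if channel == "email":
            contact.do_not_email = True
        else:
            contact.do_not_text = True
    return event

def handle_inbound_sms(contact: Contact, body: str) -> str:
    """STOP revokes SMS consent; HELP is logged only (assumption); anything else is ignored."""
    words = body.strip().split()
    keyword = words[0].upper() if words else ""
    if keyword == "STOP":
        record_event(contact, "sms", "sms_reply", keyword)
        return "stopped"
    if keyword == "HELP":
        record_event(contact, "sms", "sms_reply", keyword, revoke=False)
        return "help"
    return "ignored"

def send_campaign(contacts: list, channel: str) -> tuple:
    """Check the channel's consent flag immediately before each send; return (sent, skipped) ids."""
    sent, skipped = [], []
    for c in contacts:
        blocked = c.do_not_email if channel == "email" else c.do_not_text
        (skipped if blocked else sent).append(c.id)
    return sent, skipped
```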

SOC 2
In progress

We have not yet completed an independent SOC 2 audit. Our internal controls are modelled on the SOC 2 Trust Services Criteria, and we operate the technical safeguards a SOC 2 audit would assess.

Inherited from our infrastructure

AWS — SOC 2 Type II, ISO 27001, PCI DSS Level 1
Inherited

All Supabase database storage and Vercel compute run on AWS, which maintains SOC 2 Type II, ISO 27001, ISO 27017/27018, and PCI DSS Level 1 attestations.

Supabase — SOC 2 Type II, HIPAA-eligible
Inherited

Our database, authentication, and storage layer is provided by Supabase, which holds a SOC 2 Type II report and offers HIPAA Business Associate Agreements on eligible plans.

Vercel — SOC 2 Type II, ISO 27001
Inherited

Application hosting and the edge network are provided by Vercel, which holds SOC 2 Type II and ISO 27001 attestations.

Stripe — PCI DSS Level 1
Inherited

Card data is collected and stored exclusively by Stripe, a PCI DSS Level 1 service provider. eEndorsements never receives, processes, or stores cardholder data.

Need a specific certification report, audit letter, or DPA for your procurement review? See the Subprocessors page for our vendors' public reports, or contact us at security@eendorsements.com.