Compliance pack

Summary for enterprise security reviews, GDPR due diligence, and sales questionnaires. This is product documentation — not legal advice. Formal agreements are linked below.

Certifications (status)

Standard | Status
SOC 2 Type II | Roadmap — controls mapped internally
ISO 27001 | Roadmap
GDPR | Product features implemented (see below)

Contact security@accupredix.com for current attestation letters.

Document | Version | URL
Privacy Policy | 2026-06 | accupredix.com/legal/privacy
Data Processing Agreement (DPA) | 2026-06 | accupredix.com/legal/dpa

DPA acceptance is required for Growth and Agency tiers. Admins accept under Settings → Privacy in the app.

Data processing summary

Topic | AccuPredix approach
Controller / Processor | Customer is controller for their order/forecast data; AccuPredix acts as processor
Data location | Selected at org creation (data region); lockable after onboarding
Subprocessors | Listed below; changes notified per DPA
Retention | Configurable upload retention (Growth+); org-level erase available
Encryption in transit | TLS 1.2+ for all public endpoints
Encryption at rest | Database provider encryption; optional PII field encryption (Growth+, SEC-004)
Tenant isolation | Separate PostgreSQL database per customer tenant
Access control | RBAC, API key scoping, optional IP allowlist
Audit | Org audit log; platform operator audit log

Subprocessors (typical)

Maintain this list in your customer DPA annex and verify the current vendors for your deployment:

Subprocessor | Purpose | Data processed
Cloud hosting provider | Application and database hosting | All customer tenant data
Stripe | Payment processing | Billing contact, subscription metadata
Email provider (SMTP) | Transactional email | Email address, notification content
Google / Microsoft | Optional OAuth login | Identity tokens (if customer enables)
Shopify / Intuit / Xero | Optional connectors (customer-initiated) | Orders/invoices per connector scope

Customers choose whether to enable OAuth and connectors. Forecast data does not pass through payment processors.

GDPR features in product

Data subject rights

Right | In-app path
Access / portability | Settings → Privacy → Export data
Erasure | Settings → Privacy → Delete organization (owner) or request via support
Rectification | Re-upload corrected data in workspace

Exports include org metadata, membership, audit entries, and privacy acceptance records.

Privacy acceptance

Each member's acceptance of the privacy policy, with the policy version accepted, is tracked in the database. Admins can view acceptance status per org.

Retention (Growth+)

  • Configure raw upload retention window
  • Automated purge with audit timestamp retention_last_purge_at

Compliance monitoring (operators)

The Admin → Compliance dashboard tracks the following across all orgs:

  • DPA missing (Growth/Agency without acceptance)
  • Privacy policy incomplete
  • Retention disabled where recommended
  • Region not locked post-onboarding
  • Recent data exports (30 days)

SSO adoption is tracked on a separate compliance SSO panel.

Security controls summary

Control | Reference
Authentication | JWT, optional OAuth, Agency SSO
API security | Hashed API keys, optional IP allowlist
Connector secrets | AES-256-GCM at rest when key configured
Vulnerability disclosure | Programme
Session timeout | Configurable per org; platform default in Admin settings
Suspension | Operator can suspend abusive orgs immediately

Data Processing Agreement workflow

  1. Customer upgrades to Growth or Agency.
  2. Admin opens Settings → Privacy.
  3. Admin downloads DPA from linked URL.
  4. Admin accepts DPA in app (version recorded with timestamp and user).
  5. Operator verifies in Admin → Compliance if needed.

Incident response

  • Security reports: security@accupredix.com
  • Target acknowledgement: 48 business hours
  • Customer notification per DPA if personal data breach confirmed

Questionnaire support

For vendor security questionnaires (SIG, CAIQ, custom Excel):

  1. Provide this compliance pack and the Security overview.
  2. Request a filled questionnaire via your account executive or security@accupredix.com.
  3. Architecture and database documentation is available under NDA for enterprise reviews.