Skip to main content
This page is an evaluator-facing summary. The authoritative, full-text Trust and Security Overview lives at getsmartalex.com/legal/smartalex-trust-and-security. Where this summary and the full document differ, the full document is the authoritative version and prevails.
SmartAlex is operated by THERCSGROUP PTE. LTD., a Singapore company. This page states our current, accurate compliance posture for security, privacy, and procurement teams. It covers what we hold today, the data-protection regimes we align to, our HIPAA position, and the assurance materials we make available under NDA.

Our certification status

Our compliance posture is in active development. We do not currently hold our own SOC 2 or ISO 27001 attestation, and we never imply that we do. We are working towards SOC 2 Type II readiness. It is important to separate two things that are often conflated in vendor reviews.
  1. Our own attestations. SmartAlex has none yet. SOC 2 Type II readiness is in progress.
  2. Our providers’ attestations. The cloud infrastructure we build on is operated by providers that already maintain SOC 2 and ISO 27001 attestations. Those reports belong to those providers, not to us.
We reference our providers’ SOC 2 and ISO 27001 reports only as evidence of the infrastructure our platform runs on. A provider’s report is not a SmartAlex attestation, and we do not present it as one. Our current status and any updated certifications are available from security@getsmartalex.com.

Data-protection regimes we align to

We design and operate the platform to support our customers’ compliance with the data-protection laws that apply across the regions we serve. Our processing commitments are set out in full in our Data Processing Addendum and the regional notices below.

Regional privacy notices

Each notice below is the dedicated, authoritative document for that regime.

GDPR Article 13 notice

Transparency information for EU, EEA, and UK data subjects.

POPIA notice

Processing information for South African data subjects.

California privacy notice

CCPA and CPRA disclosures for California residents.

Data subject request procedure

How individuals exercise their rights, and how we respond.

Data Protection Impact Assessment

Our Article 35 accountability assessment of the voice and AI pipeline.

Data subject rights and DSAR

Individuals can exercise access, correction, deletion, restriction, objection, and portability. Where we process data on a customer’s behalf as a Processor, we refer the request to that customer as the Controller and assist them in responding. Where we act as a Controller, we handle the request directly. We verify identity before fulfilling a request and respond within 30 days, or sooner where the law requires, extending only where the law permits for complex requests and telling the requester why. A data subject’s statutory right to complain to a supervisory authority is never routed into arbitration and is not affected by any commercial dispute-resolution clause. The controlling procedure is our Data subject request procedure. Requests can be sent to privacy@getsmartalex.com.

HIPAA posture

Our compliance materials do not represent SmartAlex as HIPAA-compliant, and HIPAA is not among the data-protection regimes the platform is currently designed around. We make no HIPAA certification claim. Customers with United States healthcare data requirements should contact our security team before processing protected health information.

Independent testing and vulnerability management

Dependency-vulnerability scanning, secret-scanning, and static analysis run continuously as part of our development lifecycle. Independent penetration tests are conducted periodically and before major releases, and remediation is tracked to closure. We triage reported and discovered vulnerabilities by severity, with critical issues prioritised for prompt fixing, and we operate a public route for good-faith researchers through our Vulnerability Disclosure Policy. Summary penetration-test results are available to qualified customers and prospects under non-disclosure on request to security@getsmartalex.com.

Assurance materials available under NDA

The following are shared with qualified customers and prospects on request, under non-disclosure.
1

Request access

Email security@getsmartalex.com from a corporate address, with your organisation and the review you are running.
2

Sign an NDA

We share the materials below once a non-disclosure agreement is in place.
3

Receive the package

You receive the assurance materials relevant to your assessment.
Our Article 35 assessment of the voice and AI pipeline, including data flows, lawful bases, transfer safeguards, and the residual-risk evaluation. A summary is also published at the DPIA notice.
Our supporting vendor risk materials, including the vendor risk register that records the review of every third party that touches customer data.
Sub-processor security questionnaires and our infrastructure providers’ SOC 2 and ISO 27001 reports.
Summary penetration-test results and our recovery-time and recovery-point objectives.

Contact

Security and due diligence

Security questions, assurance materials under NDA, and current certification status.

Privacy and data subject requests

Privacy questions and requests to exercise data subject rights.
For the complete and authoritative statement, read the full Trust and Security Overview. It is the version that prevails.