This page is an evaluator-facing summary. The authoritative, full-text Trust and Security Overview lives at getsmartalex.com/legal/smartalex-trust-and-security. Where this summary and the full document differ, the full document is the authoritative version and prevails.
Our certification status
Our compliance posture is in active development. We do not currently hold our own SOC 2 or ISO 27001 attestation, and we never imply that we do. We are working towards SOC 2 Type II readiness. It is important to separate two things that are often conflated in vendor reviews.- Our own attestations. SmartAlex has none yet. SOC 2 Type II readiness is in progress.
- Our providers’ attestations. The cloud infrastructure we build on is operated by providers that already maintain SOC 2 and ISO 27001 attestations. Those reports belong to those providers, not to us.
We reference our providers’ SOC 2 and ISO 27001 reports only as evidence of the infrastructure our platform runs on. A provider’s report is not a SmartAlex attestation, and we do not present it as one. Our current status and any updated certifications are available from security@getsmartalex.com.
Data-protection regimes we align to
We design and operate the platform to support our customers’ compliance with the data-protection laws that apply across the regions we serve. Our processing commitments are set out in full in our Data Processing Addendum and the regional notices below.Regional privacy notices
Each notice below is the dedicated, authoritative document for that regime.GDPR Article 13 notice
Transparency information for EU, EEA, and UK data subjects.
POPIA notice
Processing information for South African data subjects.
California privacy notice
CCPA and CPRA disclosures for California residents.
Data subject request procedure
How individuals exercise their rights, and how we respond.
Data Protection Impact Assessment
Our Article 35 accountability assessment of the voice and AI pipeline.
Data subject rights and DSAR
Individuals can exercise access, correction, deletion, restriction, objection, and portability. Where we process data on a customer’s behalf as a Processor, we refer the request to that customer as the Controller and assist them in responding. Where we act as a Controller, we handle the request directly. We verify identity before fulfilling a request and respond within 30 days, or sooner where the law requires, extending only where the law permits for complex requests and telling the requester why. A data subject’s statutory right to complain to a supervisory authority is never routed into arbitration and is not affected by any commercial dispute-resolution clause. The controlling procedure is our Data subject request procedure. Requests can be sent to privacy@getsmartalex.com.HIPAA posture
Our compliance materials do not represent SmartAlex as HIPAA-compliant, and HIPAA is not among the data-protection regimes the platform is currently designed around. We make no HIPAA certification claim. Customers with United States healthcare data requirements should contact our security team before processing protected health information.
Independent testing and vulnerability management
Dependency-vulnerability scanning, secret-scanning, and static analysis run continuously as part of our development lifecycle. Independent penetration tests are conducted periodically and before major releases, and remediation is tracked to closure. We triage reported and discovered vulnerabilities by severity, with critical issues prioritised for prompt fixing, and we operate a public route for good-faith researchers through our Vulnerability Disclosure Policy. Summary penetration-test results are available to qualified customers and prospects under non-disclosure on request to security@getsmartalex.com.Assurance materials available under NDA
The following are shared with qualified customers and prospects on request, under non-disclosure.1
Request access
Email security@getsmartalex.com from a corporate address, with your organisation and the review you are running.
2
Sign an NDA
We share the materials below once a non-disclosure agreement is in place.
3
Receive the package
You receive the assurance materials relevant to your assessment.
Data Protection Impact Assessment (DPIA)
Data Protection Impact Assessment (DPIA)
Our Article 35 assessment of the voice and AI pipeline, including data flows, lawful bases, transfer safeguards, and the residual-risk evaluation. A summary is also published at the DPIA notice.
Vendor risk materials
Vendor risk materials
Our supporting vendor risk materials, including the vendor risk register that records the review of every third party that touches customer data.
Sub-processor assurance
Sub-processor assurance
Sub-processor security questionnaires and our infrastructure providers’ SOC 2 and ISO 27001 reports.
Penetration tests and recovery objectives
Penetration tests and recovery objectives
Summary penetration-test results and our recovery-time and recovery-point objectives.
Contact
Security and due diligence
Security questions, assurance materials under NDA, and current certification status.
Privacy and data subject requests
Privacy questions and requests to exercise data subject rights.

