> ## Documentation Index
> Fetch the complete documentation index at: https://docs.getsmartalex.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Compliance & certifications

> Our current SOC 2 and ISO 27001 status, the privacy regimes we align to, our HIPAA posture, and the assurance reports available to enterprise buyers under NDA.

<Info>
  This page is an evaluator-facing summary. The authoritative, full-text Trust and Security Overview lives at [getsmartalex.com/legal/smartalex-trust-and-security](https://getsmartalex.com/legal/smartalex-trust-and-security). Where this summary and the full document differ, the full document is the authoritative version and prevails.
</Info>

SmartAlex is operated by THERCSGROUP PTE. LTD., a Singapore company. This page states our current, accurate compliance posture for security, privacy, and procurement teams. It covers what we hold today, the data-protection regimes we align to, our HIPAA position, and the assurance materials we make available under NDA.

## Our certification status

Our compliance posture is in active development. We do not currently hold our own SOC 2 or ISO 27001 attestation, and we never imply that we do. We are working towards SOC 2 Type II readiness.

It is important to separate two things that are often conflated in vendor reviews.

1. **Our own attestations.** SmartAlex has none yet. SOC 2 Type II readiness is in progress.
2. **Our providers' attestations.** The cloud infrastructure we build on is operated by providers that already maintain SOC 2 and ISO 27001 attestations. Those reports belong to those providers, not to us.

| Attestation | SmartAlex (our own)                                   | Underlying infrastructure providers |
| ----------- | ----------------------------------------------------- | ----------------------------------- |
| SOC 2       | In progress. Working towards SOC 2 Type II readiness. | Maintained                          |
| ISO 27001   | Not held                                              | Maintained                          |

<Note>
  We reference our providers' SOC 2 and ISO 27001 reports only as evidence of the infrastructure our platform runs on. A provider's report is not a SmartAlex attestation, and we do not present it as one. Our current status and any updated certifications are available from [security@getsmartalex.com](mailto:security@getsmartalex.com).
</Note>

## Data-protection regimes we align to

We design and operate the platform to support our customers' compliance with the data-protection laws that apply across the regions we serve. Our processing commitments are set out in full in our Data Processing Addendum and the regional notices below.

| Regime                               | Region                    | Coverage                                                                    |
| ------------------------------------ | ------------------------- | --------------------------------------------------------------------------- |
| GDPR                                 | EU and EEA                | Aligned. See the Article 13 notice below.                                   |
| UK GDPR and Data Protection Act 2018 | United Kingdom            | Aligned. See the Article 13 notice below.                                   |
| PDPA                                 | Singapore                 | Covered. Transfer safeguards met through comparable contractual protection. |
| FADP                                 | Switzerland               | Covered. Swiss transfer addendum applied to Swiss-origin data.              |
| POPIA                                | South Africa              | Aligned. See the POPIA notice below.                                        |
| CCPA and CPRA                        | California, United States | Aligned. See the California privacy notice below.                           |

## Regional privacy notices

Each notice below is the dedicated, authoritative document for that regime.

<CardGroup cols={2}>
  <Card title="GDPR Article 13 notice" href="https://getsmartalex.com/legal/smartalex-gdpr-article-13-notice">
    Transparency information for EU, EEA, and UK data subjects.
  </Card>

  <Card title="POPIA notice" href="https://getsmartalex.com/legal/smartalex-popia-notice">
    Processing information for South African data subjects.
  </Card>

  <Card title="California privacy notice" href="https://getsmartalex.com/legal/smartalex-california-privacy-notice">
    CCPA and CPRA disclosures for California residents.
  </Card>

  <Card title="Data subject request procedure" href="https://getsmartalex.com/legal/smartalex-dsar-procedure">
    How individuals exercise their rights, and how we respond.
  </Card>

  <Card title="Data Protection Impact Assessment" href="https://getsmartalex.com/legal/smartalex-data-protection-impact-assessment-dpia">
    Our Article 35 accountability assessment of the voice and AI pipeline.
  </Card>
</CardGroup>

## Data subject rights and DSAR

Individuals can exercise access, correction, deletion, restriction, objection, and portability. Where we process data on a customer's behalf as a Processor, we refer the request to that customer as the Controller and assist them in responding. Where we act as a Controller, we handle the request directly. We verify identity before fulfilling a request and respond within 30 days, or sooner where the law requires, extending only where the law permits for complex requests and telling the requester why.

A data subject's statutory right to complain to a supervisory authority is never routed into arbitration and is not affected by any commercial dispute-resolution clause.

The controlling procedure is our [Data subject request procedure](https://getsmartalex.com/legal/smartalex-dsar-procedure). Requests can be sent to [privacy@getsmartalex.com](mailto:privacy@getsmartalex.com).

## HIPAA posture

<Note>
  Our compliance materials do not represent SmartAlex as HIPAA-compliant, and HIPAA is not among the data-protection regimes the platform is currently designed around. We make no HIPAA certification claim. Customers with United States healthcare data requirements should contact our security team before processing protected health information.
</Note>

## Independent testing and vulnerability management

Dependency-vulnerability scanning, secret-scanning, and static analysis run continuously as part of our development lifecycle. Independent penetration tests are conducted periodically and before major releases, and remediation is tracked to closure. We triage reported and discovered vulnerabilities by severity, with critical issues prioritised for prompt fixing, and we operate a public route for good-faith researchers through our Vulnerability Disclosure Policy.

Summary penetration-test results are available to qualified customers and prospects under non-disclosure on request to [security@getsmartalex.com](mailto:security@getsmartalex.com).

## Assurance materials available under NDA

The following are shared with qualified customers and prospects on request, under non-disclosure.

<Steps>
  <Step title="Request access">
    Email [security@getsmartalex.com](mailto:security@getsmartalex.com) from a corporate address, with your organisation and the review you are running.
  </Step>

  <Step title="Sign an NDA">
    We share the materials below once a non-disclosure agreement is in place.
  </Step>

  <Step title="Receive the package">
    You receive the assurance materials relevant to your assessment.
  </Step>
</Steps>

<AccordionGroup>
  <Accordion title="Data Protection Impact Assessment (DPIA)">
    Our Article 35 assessment of the voice and AI pipeline, including data flows, lawful bases, transfer safeguards, and the residual-risk evaluation. A summary is also published at the [DPIA notice](https://getsmartalex.com/legal/smartalex-data-protection-impact-assessment-dpia).
  </Accordion>

  <Accordion title="Vendor risk materials">
    Our supporting vendor risk materials, including the vendor risk register that records the review of every third party that touches customer data.
  </Accordion>

  <Accordion title="Sub-processor assurance">
    Sub-processor security questionnaires and our infrastructure providers' SOC 2 and ISO 27001 reports.
  </Accordion>

  <Accordion title="Penetration tests and recovery objectives">
    Summary penetration-test results and our recovery-time and recovery-point objectives.
  </Accordion>
</AccordionGroup>

## Contact

<CardGroup cols={2}>
  <Card title="Security and due diligence" href="mailto:security@getsmartalex.com">
    Security questions, assurance materials under NDA, and current certification status.
  </Card>

  <Card title="Privacy and data subject requests" href="mailto:privacy@getsmartalex.com">
    Privacy questions and requests to exercise data subject rights.
  </Card>
</CardGroup>

For the complete and authoritative statement, read the full [Trust and Security Overview](https://getsmartalex.com/legal/smartalex-trust-and-security). It is the version that prevails.
