
Compliance

DgiDgi maintains compliance with industry standards and regulations for secure multi-tenant SaaS operations.

Compliance Framework

Regulation/Standard | Status | Scope
GDPR | Compliant | EU user data
UK-GDPR | Compliant | UK user data
CCPA | Compliant | California consumers
HIPAA | Enterprise | Healthcare (US)
SOC 2 Type II | In Progress | Platform operations
ISO 27001 | Planned | Information security
LGPD | Compliant | Brazil user data
PIPEDA | Compliant | Canada user data
PDPA | Compliant | Singapore user data
APPI | Compliant | Japan user data
DPDP | Compliant | India user data
POPIA | Compliant | South Africa user data
PDPL | Compliant | Middle East (UAE/KSA)
PIPA | Compliant | South Korea user data
PDPO | Compliant | Hong Kong user data
Privacy Act | Compliant | Australia user data
PCI DSS | N/A | No payment card storage

Global Compliance Coverage

DgiDgi provides data residency compliance across 15 regions worldwide:

Americas

Region | Compliance
US East (Virginia) | CCPA, HIPAA, SOC2
US West (Los Angeles) | CCPA, HIPAA, SOC2
Canada (Toronto) | PIPEDA
South America (São Paulo) | LGPD

Europe, Middle East, Africa

Region | Compliance
EU West (Frankfurt) | GDPR
EU West UK (London) | GDPR, UK-GDPR
EU North (Stockholm) | GDPR
Middle East (Dubai) | PDPL
Africa (Johannesburg) | POPIA

Asia Pacific

Region | Compliance
Singapore | PDPA
Tokyo | APPI
Mumbai | DPDP
Sydney | Privacy Act
Hong Kong | PDPO
Seoul | PIPA

GDPR Compliance

Lawful Basis for Processing

Processing Activity | Lawful Basis
Account management | Contract performance
Service delivery | Contract performance
Security monitoring | Legitimate interest
Analytics | Legitimate interest
Marketing (opt-in) | Consent

Data Subject Rights

Right | Implementation | Response Time
Access | Data export feature | 30 days
Rectification | Account settings | Immediate
Erasure | Account deletion | 30 days
Portability | JSON/ZIP export | 30 days
Restriction | Account suspension | Immediate
Object | Marketing opt-out | Immediate

How to Exercise Rights:

  • Self-service via account settings
  • Email: privacy@dgidgi.one
  • Response within 30 days (extendable to 90 for complex requests)

Data Processing Agreements

  • Standard DPA available for all customers
  • Sub-processor list maintained and updated
  • Notification of sub-processor changes

International Data Transfers

Transfer Mechanism | Application
EU-US Data Privacy Framework | US-based processors (where certified)
Standard Contractual Clauses (SCCs) | All other international transfers
Supplementary Measures | Encryption, access controls, data minimization

Data Localization Options (Enterprise):

  • EU-only data residency
  • Region-specific processing

SOC 2 Compliance

Trust Service Criteria

Criteria | Status | Controls
Security | Implemented | Access control, encryption, monitoring
Availability | Implemented | Redundancy, backups, incident response
Processing Integrity | Implemented | Input validation, error handling
Confidentiality | Implemented | Encryption, access restrictions
Privacy | Implemented | Data handling, consent management

Key Controls

Security Certifications

Infrastructure Certifications

Our infrastructure providers maintain:

Provider | Certifications
Cloudflare | SOC 2, ISO 27001, PCI DSS
Supabase | SOC 2, HIPAA (optional)
Fly.io | SOC 2

Annual Assessments

  • Penetration testing (annual)
  • Vulnerability assessments (continuous)
  • Security audits (annual)

Audit Logging

Events Logged

Category | Events Logged
Authentication | Login, logout, failed attempts, MFA events
Authorization | Permission changes, role assignments
Data Access | Reads of sensitive data (configurable)
Data Modification | Creates, updates, deletes
Configuration | Settings changes, integration updates
Security | Secret access, key rotation, exports
Administrative | Member management, billing changes

Log Format:

{
  "timestamp": "2024-01-15T10:30:00Z",
  "tenant_id": "tenant_abc",
  "user_id": "user_123",
  "action": "secret.accessed",
  "resource": "tenant_secret:456",
  "ip_address": "192.168.1.1",
  "user_agent": "...",
  "result": "success"
}
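The record layout above is flat JSON, one object per event, which makes it easy to run defensive checks over an exported log: reject records that are missing the documented fields, then look for the pattern the Authentication category is logged for (a burst of failed attempts followed by a successful sensitive action). The following is an added example and not DgiDgi's own code; the field names come from the page's log format, while the sample records, the threshold, and every action name other than "secret.accessed" (such as "auth.login_failed") are assumptions made for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Field names taken from the log format shown on the page.
REQUIRED_FIELDS = ("timestamp", "tenant_id", "user_id", "action",
                   "resource", "ip_address", "user_agent", "result")


def _line(ts, user, action, resource, ip, result):
    """Build one constructed audit record in the page's format."""
    return json.dumps({"timestamp": ts, "tenant_id": "tenant_abc", "user_id": user,
                       "action": action, "resource": resource, "ip_address": ip,
                       "user_agent": "curl/8.0", "result": result})


# Constructed sample log (JSON lines). Only "secret.accessed" appears on the
# page; "auth.login_failed", "auth.login" and "auth.logout" are assumed names.
SAMPLE_LOG = "\n".join([
    _line("2024-01-15T10:30:00Z", "user_123", "auth.login_failed", "session", "203.0.113.7", "failure"),
    _line("2024-01-15T10:30:20Z", "user_123", "auth.login_failed", "session", "203.0.113.7", "failure"),
    _line("2024-01-15T10:30:45Z", "user_123", "auth.login_failed", "session", "203.0.113.7", "failure"),
    _line("2024-01-15T10:31:10Z", "user_123", "auth.login_failed", "session", "203.0.113.7", "failure"),
    _line("2024-01-15T10:31:30Z", "user_123", "auth.login", "session", "203.0.113.7", "success"),
    _line("2024-01-15T10:32:00Z", "user_123", "secret.accessed", "tenant_secret:456", "203.0.113.7", "success"),
    _line("2024-01-15T10:05:00Z", "user_456", "auth.login_failed", "session", "198.51.100.9", "failure"),
    _line("2024-01-15T10:06:00Z", "user_456", "auth.login", "session", "198.51.100.9", "success"),
    _line("2024-01-15T10:07:00Z", "user_456", "secret.accessed", "tenant_secret:789", "198.51.100.9", "success"),
    # Malformed record: several required fields are missing.
    '{"timestamp": "2024-01-15T10:40:00Z", "tenant_id": "tenant_abc", "action": "auth.logout"}',
])


def parse_timestamp(ts):
    """Parse the page's UTC timestamp form ("2024-01-15T10:30:00Z")."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_record(rec):
    """Return the names of required fields missing from a record."""
    return [f for f in REQUIRED_FIELDS if f not in rec]


def parse_audit_log(text):
    """Split JSON-lines text into well-formed records and rejected (line, reason) pairs."""
    records, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            rejected.append((lineno, "invalid JSON"))
            continue
        missing = validate_record(rec)
        if missing:
            rejected.append((lineno, "missing " + ", ".join(missing)))
            continue
        records.append(rec)
    return records, rejected


def failed_login_bursts(records, threshold=4, window=timedelta(minutes=5)):
    """Return the set of IPs with at least `threshold` failed logins inside any `window`."""
    failures = defaultdict(list)
    for rec in records:
        if rec["action"] == "auth.login_failed" and rec["result"] == "failure":
            failures[rec["ip_address"]].append(parse_timestamp(rec["timestamp"]))
    flagged = set()
    for ip, times in failures.items():
        times.sort()
        # Sliding window: compare each failure with the (threshold-1)th one after it.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.add(ip)
                break
    return flagged


def secret_access_from(records, ips):
    """Successful secret accesses that originated from the given IPs."""
    return [(r["user_id"], r["resource"], r["ip_address"]) for r in records
            if r["action"] == "secret.accessed" and r["result"] == "success"
            and r["ip_address"] in ips]


if __name__ == "__main__":
    recs, bad = parse_audit_log(SAMPLE_LOG)
    print("rejected:", bad)
    ips = failed_login_bursts(recs)
    print("burst IPs:", ips)
    print("secret access after burst:", secret_access_from(recs, ips))
```

Run as a script it rejects the malformed tenth line, flags 203.0.113.7 for four failures inside 70 seconds, and reports the later secret access from that address; the single failure from 198.51.100.9 stays below the threshold. The same functions work on a real export as long as each line follows the documented format.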

Log Retention

Log Type | Retention | Access
Security audit logs | 1 year | Admin + Compliance
Access logs | 90 days | Admin
Application logs | 30 days | Developers
Debug logs | 7 days | Developers

Data Residency

Available Regions

Region Code | Location | Compliance | Availability
us-east | Virginia, USA | CCPA, HIPAA, SOC2 | All Plans
us-west | Los Angeles, USA | CCPA, HIPAA, SOC2 | All Plans
ca-central | Toronto, Canada | PIPEDA | Growth+
sa-east | São Paulo, Brazil | LGPD | Growth+
eu-west | Frankfurt, Germany | GDPR | All Plans
eu-west-uk | London, UK | GDPR, UK-GDPR | All Plans
eu-north | Stockholm, Sweden | GDPR | Growth+
me-south | Dubai, UAE | PDPL | Enterprise
af-south | Johannesburg, SA | POPIA | Enterprise
ap-southeast | Singapore | PDPA | All Plans
ap-northeast | Tokyo, Japan | APPI | All Plans
ap-south | Mumbai, India | DPDP | Growth+
ap-southeast-au | Sydney, Australia | Privacy Act | Growth+
ap-east | Hong Kong | PDPO | Growth+
ap-northeast-kr | Seoul, South Korea | PIPA | Growth+

Regional Data Handling

Configure data residency via tenant settings or API:

PATCH /api/v1/regions/preferences/{tenantId}
{
  "primaryRegion": "eu-west",
  "dataResidencyRequired": true,
  "dataResidencyRegion": "eu-west",
  "complianceLevel": "gdpr"
}

Enterprise customers can configure:

  • Primary data storage region
  • Secondary region for failover
  • Data residency enforcement (data never leaves region)
  • Bring Your Own Storage (BYOS) for full data ownership
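A residency request is only as good as the checks applied before it is sent: the region must exist, the plan must be entitled to it, the residency region must match the primary region when enforcement is on, and the requested compliance level must be one the region actually offers. The block below is an added client-side pre-flight check, not DgiDgi's own code. The region codes, compliance tags and plan availability are copied from the Available Regions table and the payload fields from the PATCH example above; the plan names ("free", "growth", "enterprise"), the "secondaryRegion" field for the failover region, and the rule that a failover region must carry every compliance tag of the primary when residency is enforced are assumptions of this example.

```python
# Region code -> (compliance tags, minimum plan rank) from the Available Regions table.
ALL_PLANS, GROWTH_PLUS, ENTERPRISE = 0, 1, 2
REGIONS = {
    "us-east": ({"CCPA", "HIPAA", "SOC2"}, ALL_PLANS),
    "us-west": ({"CCPA", "HIPAA", "SOC2"}, ALL_PLANS),
    "ca-central": ({"PIPEDA"}, GROWTH_PLUS),
    "sa-east": ({"LGPD"}, GROWTH_PLUS),
    "eu-west": ({"GDPR"}, ALL_PLANS),
    "eu-west-uk": ({"GDPR", "UK-GDPR"}, ALL_PLANS),
    "eu-north": ({"GDPR"}, GROWTH_PLUS),
    "me-south": ({"PDPL"}, ENTERPRISE),
    "af-south": ({"POPIA"}, ENTERPRISE),
    "ap-southeast": ({"PDPA"}, ALL_PLANS),
    "ap-northeast": ({"APPI"}, ALL_PLANS),
    "ap-south": ({"DPDP"}, GROWTH_PLUS),
    "ap-southeast-au": ({"Privacy Act"}, GROWTH_PLUS),
    "ap-east": ({"PDPO"}, GROWTH_PLUS),
    "ap-northeast-kr": ({"PIPA"}, GROWTH_PLUS),
}

# Assumed plan names; the page only names the "Growth+" and "Enterprise" tiers.
PLAN_RANK = {"free": 0, "growth": 1, "enterprise": 2}

# The payload shown on the page.
PAGE_PAYLOAD = {
    "primaryRegion": "eu-west",
    "dataResidencyRequired": True,
    "dataResidencyRegion": "eu-west",
    "complianceLevel": "gdpr",
}


def validate_preferences(payload, plan):
    """Return a list of problems with a residency payload; empty means acceptable."""
    problems = []
    primary = payload.get("primaryRegion")
    if primary not in REGIONS:
        return [f"unknown primaryRegion {primary!r}"]
    compliance, min_plan = REGIONS[primary]

    # Availability column: the region must be offered on the tenant's plan.
    if PLAN_RANK.get(plan, -1) < min_plan:
        problems.append(f"region {primary} is not available on plan {plan!r}")

    # Enforcement means data never leaves the region, so the residency
    # region must be the primary region (assumption of this example).
    enforced = bool(payload.get("dataResidencyRequired"))
    if enforced and payload.get("dataResidencyRegion") != primary:
        problems.append("dataResidencyRequired is set but dataResidencyRegion "
                        "differs from primaryRegion")

    # Compliance column: the requested level must be offered by the region.
    level = payload.get("complianceLevel")
    if level and level.upper() not in {c.upper() for c in compliance}:
        problems.append(f"complianceLevel {level!r} is not offered in {primary} "
                        f"(offers {sorted(compliance)})")

    # Assumed field for the enterprise failover region.
    secondary = payload.get("secondaryRegion")
    if secondary is not None:
        if secondary not in REGIONS:
            problems.append(f"unknown secondaryRegion {secondary!r}")
        elif enforced and not compliance <= REGIONS[secondary][0]:
            problems.append(f"failover region {secondary} lacks compliance tags "
                            f"required by {primary}: {sorted(compliance - REGIONS[secondary][0])}")
    return problems


if __name__ == "__main__":
    print(validate_preferences(PAGE_PAYLOAD, "free"))
    print(validate_preferences(dict(PAGE_PAYLOAD, secondaryRegion="us-east"), "enterprise"))
```

The page's own payload passes on every plan because eu-west is listed as "All Plans" and offers GDPR; the same payload with a us-east failover is rejected because a US region carries none of the GDPR tag that enforced EU residency requires.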

Incident Response

Classification

Severity | Description | Response Time
Critical | Data breach, service down | 1 hour
High | Security vulnerability, degraded service | 4 hours
Medium | Minor security issue, partial outage | 24 hours
Low | Minor issue, no security impact | 72 hours

Notification

Compliance Documentation

Available Documents

Document | Availability
Privacy Policy | Public
Terms of Service | Public
DPA (Data Processing Agreement) | On request
Security Whitepaper | On request
Sub-processor List | On request
SOC 2 Report | Enterprise (NDA required)

Request Documentation

Contact: compliance@dgidgi.one