Compliance
What we attest to, what we’re working toward, and what is intentionally out of scope.
In progress
- SOC 2 Type I: targeted.
- ISO 27001: candidate; scoping underway.
Covered today
- GDPR: covered via account-deletion cascade, a published subprocessors list, our 72-hour breach notification commitment, and a DPA.
- CCPA / CPRA: covered via the deletion cascade and our privacy policy.
Out of scope
- PCI DSS: out of scope. Stripe handles all card processing under their PCI DSS Level 1 attestation; Smoov never sees raw card data.
- HIPAA: out of scope. Smoov does not process protected health information.
Security changelog coming soon. Material updates to our compliance posture will surface there.