Compliance program

Framework | Status | Owner | Customer-facing evidence
--- | --- | --- | ---
GDPR | In production | Jens (DPO delegate) | DPA; Art. 30 export via /audit?event_type=pii_detected
EU AI Act | Partial (Art. 14 human oversight covered) | Eng lead | Break-glass audit, agent health endpoint
SOC 2 Type II | Target: Q3 2026 | TBD | Audit trail integrity endpoint + signing key
DORA (EU banking) | Roadmap | TBD | (none yet)
ISO 27001 | Not pursued yet | (none) | (none)
GDPR

  • Roles: our customers are the controller; we are the processor for customer tenant data.
  • DPA template: trust.tappass.ai/dpa
  • Subprocessors list: trust.tappass.ai/subprocessors
  • Data-subject requests from our customers’ end users → route to the customer (as controller, they answer the request); we provide the supporting tooling via /audit?data_subject=...

EU AI Act

Relevant articles for us:

  • Article 14 — Human oversight. Covered by the break-glass mechanism and the agent health endpoint; see Compliance Evidence in the public docs. This is the part of the framework we currently count as satisfied.
  • Article 15 — Accuracy, robustness, cybersecurity. Covered by our detection backends and audit trail integrity.
  • Article 10 — Data governance. Partially covered: we track data sources via the audit trail, but classification of that data remains the customer’s responsibility.

SOC 2 Type II

Controls we need to demonstrate operational effectiveness over a 6-month observation period:

The observation window starts only once all of these controls are documented and operating consistently; evidence from before that point does not count toward the report. Target start: Q1 2026 (underway); Type II report target: Q3 2026.

Customer questions

Common asks and where the answer lives:

Ask | Answer
--- | ---
“Share your SOC 2 report” | Not yet issued. Reference the program letter at trust.tappass.ai/soc2-letter
“Share your penetration test report” | Available under NDA — ask Jens
“List your subprocessors” | trust.tappass.ai/subprocessors
“Do you support EU data residency?” | Yes, per provider — see public docs integrations/providers/
“GDPR Art. 30 export” | Run the compliance-evidence script from the public docs