Compliance

Q: Is there an internal audit, risk management, or compliance department, or similar management oversight unit with responsibility for assessing, identifying, and tracking resolution of outstanding regulatory issues?

A: No, we do not have a dedicated department for this due to our size. However, one of our partners is responsible for overseeing these areas, managing infrastructure, IT, risk, and compliance with a team of sysadmins.

Q: Does your organization have a documented privacy policy for your customers? If Yes, please provide the policy and any applicable documents.

A: Yes, our privacy policy is documented and stored on our internal GitLab system. It states that all data is confidential, including customer names, which only management can disclose under specific circumstances.

Q: Does your organization adhere to any major laws or regulations, such as GDPR?

A: We follow most GDPR regulations, and in 2025, we will engage third-party consultants to validate and ensure full compliance.

Q: Is there a documented internal compliance and ethics program to ensure professional ethics and business practices are implemented and maintained?

A: No, we do not have a formal document, but ethics are discussed in internal group meetings. Our onboarding process verbally covers ethics, customer data handling, and professional conduct.

Q: Does your organization conduct regular technical compliance reviews to ensure information systems comply with security policy standards, and at what frequency (e.g., quarterly, annually)?

A: Yes and no. While not strictly scheduled, we conduct compliance reviews at least three times a year and discuss these topics in management meetings.

Q: Are there specific certifications or attestations (e.g., SOC 2 Type II, PCI DSS) that your organization has achieved?

A: Yes, we have been SOC 2 certified since 2022. Additionally, we are in the process of completing ISO 27001 certification, which we expect to finalize in the coming months.

Q: Do you have mechanisms for tracking and reporting on new or changing legal and regulatory requirements?

A: Yes, we stay updated on evolving legal and regulatory requirements with the assistance of third-party consultants who specialize in compliance and industry standards.
