
Compliance Mappings

Placino aligns with major data protection and security frameworks. This page maps our architecture, features, and controls to GDPR, HIPAA, SOC 2, ISO 27001, and CCPA requirements.

GDPR Compliance

Article 5 - Principles

Lawfulness, fairness, transparency: Bearer token authentication and policy-driven queries ensure only authorized processors access data.

Purpose limitation: OPA policies enforce query authorization rules tied to declared use cases.

Data minimization: Federated analytics returns aggregates only, not raw individual records.

Accuracy: Audit logs track all data modifications via a Merkle-chain audit trail.

Storage limitation: Data retention policies and automated purge controls enforce deletion timelines.

Article 25 - Data Protection by Design

Placino encrypts data at rest (AES-256-GCM) and in transit (mTLS). Zero-trust authorization model and cryptographic audit chain are built into the platform core.

Article 30 - Records of Processing

Placino provides automated compliance reporting, data flow visualization, and audit logs for processing activity. A DPA template is available.

Article 35 - Data Protection Impact Assessment

Placino supports risk assessment for joint processing arrangements. Its control mappings and threat model support DPIA completion.

Article 17 - Right to Erasure

Encrypted data segments can be deleted by purging the corresponding data encryption keys (DEKs). Deletion is verified via audit logs.
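The key-purge erasure described above, as an added example in Go that is not Placino's own code: each segment is sealed with its own AES-256-GCM data encryption key, and erasure zeroes and drops that key so the ciphertext left behind is unrecoverable. The Segment type, the Encrypt/Decrypt/Erase names and keeping the DEK beside the ciphertext are assumptions made so the demo is self-contained; a real deployment holds DEKs in a key store. The same mechanism backs the CCPA Right to Delete described later on this page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Segment is one AES-256-GCM encrypted data segment (hypothetical layout).
type Segment struct{ Nonce, Ciphertext, DEK []byte }
// gcmFor builds an AES-GCM AEAD; with a fixed 32-byte DEK neither call can fail.
func gcmFor(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	return aead
}
// Encrypt seals plaintext under a fresh 256-bit DEK, binding the segment id as AAD.
func Encrypt(id string, plaintext []byte) (*Segment, error) {
	buf := make([]byte, 44) // 32-byte DEK followed by a 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	dek, nonce := buf[:32:32], buf[32:]
	return &Segment{nonce, gcmFor(dek).Seal(nil, nonce, plaintext, []byte(id)), dek}, nil
}
// Decrypt opens a segment; it fails once the DEK has been purged.
func (s *Segment) Decrypt(id string) ([]byte, error) {
	if s.DEK == nil {
		return nil, errors.New("DEK purged: segment is unrecoverable")
	}
	return gcmFor(s.DEK).Open(nil, s.Nonce, s.Ciphertext, []byte(id))
}
// Erase is the crypto-shredding step: zero and drop the DEK, leaving the ciphertext in place.
func (s *Segment) Erase() bool {
	if s.DEK == nil {
		return false // nothing live to purge; an audit entry would record this outcome
	}
	copy(s.DEK, make([]byte, len(s.DEK))) // overwrite key bytes before dropping them
	s.DEK = nil
	return true
}

func main() {
	seg, _ := Encrypt("record-42", []byte("constructed sample record"))
	seg.Erase()
	_, err := seg.Decrypt("record-42")
	fmt.Println("after erase:", err)
}
```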

HIPAA Compliance

PHI Protection

Encryption in transit and at rest: All PHI is encrypted with AES-256-GCM. TLS 1.2+ is enforced for network traffic.

Access controls: HIPAA BAA guardrails are encoded in OPA policies. Query authorization verifies treatment purposes.

De-identification: Differential privacy algorithms are applied to statistical queries. Federated analytics returns aggregates without PHI.

Business Associate Agreement

Placino executes BAAs with healthcare organizations. These cover processor obligations, breach notification, and audit cooperation.

Audit Controls

Merkle-chain audit logs record all PHI access with timestamps and user identity. Audit trail exports support HIPAA audit obligations.

SOC 2 Compliance

Trust Service Criteria Mapping

CC6 - Logical and Physical Access Controls

Bearer token authentication, OPA policy engine, encryption keys derived from credentials.

CC7 - System Monitoring

Merkle-chain audit logs with tamper detection. Real-time alerting for anomalous queries.

A1 - Availability

Multi-region deployment, automatic failover, 99.95 percent uptime SLA.

SOC 2 Type II Report

Annual SOC 2 Type II audit covering security, availability, and confidentiality. Audit period covers 12 months of control operation. Report available under NDA.

ISO 27001 Compliance

Information Security Management System

Placino maintains an ISO 27001 certified ISMS covering development, operations, and support. Annual audit verifies control effectiveness.

Control Implementation

A.9 - Access Control: Bearer token authentication, OPA policies, role-based authorization.

A.10 - Cryptography: AES-256-GCM encryption, TLS 1.2+, key derivation from bearer tokens.

A.12 - Operations Security: Secure deployment pipelines, secrets management, network segmentation.

A.13 - Communications Security: Encrypted data in transit, mTLS for service-to-service communication.

CCPA Compliance

Consumer Rights Support

Right to Know: Audit logs enable data flow tracking. Placino provides data portability exports.

Right to Delete: Key purging erases encrypted data. Deletion verified via audit logs.

Right to Opt-Out: OPA policies enforce data sale restrictions tied to CCPA categories.

Business Obligations

Service provider agreements are available. Security controls are aligned with CCPA requirements. Breach notification support is included.

Data Residency and Sovereignty

Placino allows per-deployment configuration of data residency. Data can be kept within specific geographic regions to meet residency requirements for GDPR (EU), CCPA (California), and similar regulations.

Deployment options include single-region, multi-region with residency constraints, and air-gapped on-premises deployment.

Automated Compliance Reporting

Placino generates compliance reports for:

  • Data flow mappings and processing activity records
  • Audit log exports with query details and user actions
  • Control effectiveness assessments
  • Breach notification evidence
  • Right-to-erasure verification

For detailed compliance documentation, control assessment results, or to discuss your regulatory requirements, contact our compliance team.
