Compliance & Certifications

Last Updated: December 31, 2025

1. Current Compliance Status

1.1 GDPR (General Data Protection Regulation)

Status: Fully Compliant

As a Finland-based company operating in the European Union, we are fully compliant with GDPR requirements:

• Legal basis: Documented lawful basis for all data processing
• Data subject rights: Processes to fulfill all GDPR rights (access, rectification, erasure, portability, etc.)
• Data protection by design: Privacy considerations built into our products from the start
• Breach notification: 72-hour breach notification procedures in place
• Data Processing Agreements: GDPR-compliant agreements with all processors
• International transfers: Standard Contractual Clauses (SCCs) for transfers outside EU/EEA
• Records of processing: Documentation of all processing activities

1.2 Finnish Data Protection Laws

Status: Compliant

We comply with Finnish national data protection legislation (Tietosuojalaki 1050/2018) which implements GDPR requirements in Finland.

1.3 CCPA/CPRA (California Privacy Laws)

Status: Compliant for California Clients

For our California-based clients, we comply with the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to know what personal information is collected
• Right to delete personal information
• Right to opt-out of sale (we do not sell personal information)
• Right to non-discrimination for exercising privacy rights

2. Framework Alignment

While working toward formal certifications, we align our practices with industry-recognized frameworks:

2.1 ISO/IEC 27001 – Information Security Management

Status: Aligned / Working Toward Certification

We design our Information Security Management System (ISMS) according to ISO 27001 principles:

• Risk assessment and treatment methodology
• Security policies and procedures
• Access controls and authentication
• Encryption and data protection
• Incident response procedures
• Business continuity planning
• Continuous improvement processes

Certification Target: 2025-2026

2.2 SOC 2 (Service Organization Controls)

Status: Aligned / Planning for Certification

We align our practices with SOC 2 Trust Services Criteria:

• Security: Protection against unauthorized access
• Availability: System uptime and reliability
• Processing Integrity: Accurate and authorized processing
• Confidentiality: Protection of confidential information
• Privacy: Collection, use, and disposal of personal information

Certification Target: 2026

2.3 NIST Cybersecurity Framework

Status: Implemented

We follow the NIST Cybersecurity Framework's five core functions:

• Identify: Asset management and risk assessment
• Protect: Access controls, data security, protective technology
• Detect: Security monitoring and anomaly detection
• Respond: Incident response planning and procedures
• Recover: Recovery planning and improvements

2.4 OWASP (Open Web Application Security Project)

Status: Implemented

For our AI product development, we follow OWASP secure coding practices:

• Protection against OWASP Top 10 vulnerabilities
• Secure development lifecycle
• Input validation and output encoding
• API security best practices
• Regular dependency updates and vulnerability scanning

3. Cloud Provider Compliance

Our infrastructure leverages enterprise cloud providers (AWS, Microsoft Azure, or Google Cloud), benefiting from their extensive compliance certifications:

3.1 Cloud Provider Certifications

Our chosen cloud providers maintain certifications including:

• ISO 27001, ISO 27017, ISO 27018 (Cloud security and privacy)
• SOC 2 Type II
• GDPR and EU data protection compliance
• PCI DSS (for payment processing, when applicable)
• HIPAA (for healthcare data, when applicable)

3.2 Shared Responsibility Model

We follow the cloud shared responsibility model:

• Cloud Provider Responsibility: Physical infrastructure, network, and hypervisor security
• Our Responsibility: Data encryption, access controls, application security, and compliance configuration

4. Industry-Specific Compliance Readiness

While we don't currently hold industry-specific certifications, we can adapt our practices to meet client requirements in regulated industries:

4.1 Healthcare (HIPAA)

For healthcare clients requiring HIPAA compliance:

• We can execute Business Associate Agreements (BAAs)
• Implement additional administrative, physical, and technical safeguards
• Follow HIPAA Security Rule requirements
• Maintain audit trails and access logs

4.2 Finance (PCI DSS)

For clients requiring payment card data protection:

• We avoid storing payment card data directly when possible
• Use PCI DSS-compliant payment processors
• Implement network segmentation and encryption
• Follow PCI DSS security requirements

4.3 Government and Public Sector

For government clients:

• Compliance with EU public sector data protection requirements
• Alignment with NIST standards
• Ability to meet jurisdiction-specific data residency requirements

5. Data Protection and Privacy Practices

5.1 Privacy by Design and Default

• Privacy considerations integrated from the start of product development
• Data minimization - collecting only necessary information
• Purpose limitation - using data only for stated purposes
• Default privacy settings
• Transparent privacy practices

5.2 Data Processing Agreements

All vendors and subprocessors who handle personal data on our behalf sign Data Processing Agreements (DPAs) that include:

• GDPR-compliant processing terms
• Security and confidentiality obligations
• Sub-processor notification and approval
• Data subject rights fulfillment procedures
• Breach notification requirements
• Data return and deletion procedures

6. Security Practices and Controls

Our security practices support our compliance requirements:

• Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256)
• Access controls: Multi-factor authentication and least privilege access
• Monitoring: Security logging and regular access reviews
• Incident response: Documented procedures for security incidents
• Backups: Encrypted backups with tested recovery procedures
• Vulnerability management: Regular updates and security testing

7. Audit and Assessment

7.1 Internal Assessments

• Regular review of security controls and practices
• Gap analysis against compliance frameworks
• Documentation of compliance measures
• Continuous improvement based on findings

7.2 Client Assessments

We welcome client security and compliance assessments:

• Security questionnaire completion
• Documentation sharing (under NDA)
• Discussions about our practices and roadmap
• Participation in client audit processes

8. Certification Roadmap

As we grow our client base and scale our operations, we are working toward formal certifications:

8.1 Near-Term (2025-2026)

• ISO 27001: Information Security Management System certification
• SOC 2 Type II: Service Organization Controls audit
• ISO 27701: Privacy Information Management (extension of ISO 27001)

8.2 Medium-Term (2026-2027)

• ISO 27017/27018: Cloud security and privacy controls
• Industry-specific certifications: Based on client needs (HIPAA, PCI DSS, etc.)

8.3 Long-Term Goals

• FedRAMP: For US government clients (if applicable)
• Additional regional certifications: As we expand geographically

9. Transparency and Documentation

We maintain comprehensive documentation of our compliance practices:

• Security policies and procedures
• Risk assessments and treatment plans
• Data processing records
• Vendor agreements and DPAs
• Incident response procedures
• Training materials and records

This documentation is available to clients under Non-Disclosure Agreement (NDA) for due diligence purposes.

10. Requesting Compliance Information

We're happy to discuss our compliance practices and provide documentation to prospective and current clients.

To Request Compliance Materials:

Email: contact@trislaa.com

Please Include:

• Your company name and contact information
• Specific certifications or documentation needed
• Purpose of request (vendor assessment, RFP, due diligence)
• Timeline requirements

We typically respond within 2-3 business days.

11. Contact Information

For compliance questions, certification inquiries, or regulatory discussions:

Trislaa Compliance Team
Email: contact@trislaa.com
Location: Finland (European Union)