Compliance

Program Status Matrix

| Program | Status | Notes |
|---|---|---|
| SOC 2 Type II | In Scope | Covers Hosted SCM, Commerce Gateway, Admin Control Plane; audit in preparation |
| HIPAA BAA | Available | Available for Healthcare and Pharma customers on Enterprise plans |
| GDPR / EU SCCs | Compliant | DPA with Module 2 SCCs available; data processed under US-EEA SCCs |
| CCPA / CPRA | Compliant | Better Data acts as CCPA Service Provider; does not sell Personal Data |
| ISO 27001 | Planned | Gap assessment complete; certification roadmap in progress |
| Penetration Testing | Annual | Third-party; executive summary available under NDA |
| SBOM (CycloneDX) | Available | On demand for Enterprise customers - aligns with NIST/CISA/HHS 405(d) |

Compliance by Vertical

| Vertical | Applicable Frameworks | Platform Capabilities |
|---|---|---|
| Healthcare / Pharma | HIPAA, HITECH, DSCSA, FDA 21 CFR Part 11, HHS 405(d) | BAA available; Loop Audit Trail (7yr retention); Signal Tags for drug traceability; CycloneDX SBOM |
| Retail / Manufacturing | SOC 2, ISO 27001, GS1/EPCIS | Signal Tags EPCIS adapter; Loop Audit Trail; SBOM; multi-tenant RBAC |
| Food & Beverage | FSMA, GFSI, GS1 Traceability | Signal Tags chain-of-custody; lot tracking; Loop Audit Trail; EPCIS 2.0 schemas |
| Construction | Supply chain compliance, procurement audit | Signal Tag product authentication; procurement Loop audit; material SBOM |
| General Enterprise | GDPR, CCPA/CPRA, SOC 2 | DPA with EU SCCs; Privacy Policy; Loop Audit Trail; RBAC; encryption |

Loop Audit Trail as Compliance Artifact

The loop-native architecture generates a tamper-evident audit trail as a first-class output of platform operation. This supports HIPAA (45 CFR sec. 164.312(b)), FDA 21 CFR Part 11, DSCSA, SOC 2, and ISO 27001 requirements without additional instrumentation.
