Your data is protected at enterprise grade
Built for teams that can't compromise on security. Everything a SOC 2 auditor asks for — ready in one click.
- AES-256 at rest · TLS 1.3 in transit
- 99.95% uptime
- Audit logs 6+ years
General Data Protection Regulation
If your business touches EU residents, GDPR isn't optional. Easylim ships an EU-only data plane, a countersigned DPA with SCCs, and self-service tooling for every right under Articles 15-22. The 'right to be forgotten' takes a click, not a Jira ticket.
What we do
EU Data Residency
EU-only data plane: tasks, documents, attachments and metadata stay in the Frankfurt region. No transit through US infrastructure. Available on every plan.
Countersigned DPA
Standard DPA with Standard Contractual Clauses (SCCs) for cross-border transfers. Countersigned within 2 business days. Customer redlines accepted.
Subject-Rights Tooling
Self-service export of all personal data — Article 15 access, 16 rectification, 17 erasure, 20 portability — all in the admin UI.
Lawful Basis Documentation
Per-tenant configuration of cookie consent and retention windows. Lawful basis documented in Records of Processing.
Sub-Processor Transparency
Published sub-processor list with processing scope and country. 30-day notice before adding any new one.
Breach Notification — 72 hours
Internal incident response targets 72-hour notification — well inside the GDPR Article 33 window. Notification includes scope, mitigation, timeline.
What we hand to auditors
Data Processing Agreement
Countersigned in ≤2 business days, with SCCs for cross-border transfers.
Records of Processing
Article 30 RoPA extract for Easylim as processor, mapped to your tenant.
Sub-processor list
Current sub-processors with country of operation — public on /compliance.
Transfer Impact Assessment
TIA for US sub-processors per Schrems II — on request.
Service Organization Control 2 — Type II
SOC 2 isn't a regulation; it's a question every B2B buyer's security team asks before signing: 'Can you send us your report?' Easylim is audit-ready against the AICPA Trust Services Criteria — Security, Availability, and Confidentiality — with our readiness status and artifacts available under NDA.
What we do
Type II Audit — Annual
Independent third-party audit covering a minimum 6-month observation window. Renewed every year without lapse.
Security — TSC CC6 Controls
Logical and physical access controls, encryption at rest and in transit, change management with peer review, vulnerability scanning quarterly, pen-testing annually.
Availability — 99.95% Uptime SLA
Multi-region active-active infrastructure with documented failover playbooks. 99.95% uptime commitment with service credits. Live status page.
Confidentiality — Data Handling
Customer data isolated per tenant with encryption keys scoped per org. No customer data used for model training or marketing without explicit opt-in.
Vendor & Sub-Processor Management
Published sub-processor list. Customers get 30 days' notice before any new sub-processor processes their data. DPA available on request.
Incident Response
24/7 on-call rotation, documented runbooks for the top-20 incident classes, post-mortems within 5 business days.
What we hand to auditors
SOC 2 Type II Report
Full audit report under NDA — request via [email protected].
Sub-Processor List
Current sub-processors with data-handling scope — published.
Penetration Test Report
Annual third-party pen-test summary, sanitized version under NDA.
Customer DPA
Standard Data Processing Agreement (countersign-ready) on request.
ISO/IEC 27001:2022 — Information Security Management
ISO 27001 is the most widely recognized international standard for managing information security. Easylim builds its ISMS against the 2022 revision — meaning our processes (not just our technology) are ready for external audit. Readiness package and Statement of Applicability available on request under NDA.
What we do
ISMS — Full Management System
Documented security policy, risk management, data classification, asset register. Reviewed quarterly by top management.
Access Control — A.9
RBAC, MFA for admin roles, SSO/SAML on every plan. Termination workflow — under 5 minutes from offboarding to revocation.
Cryptography — A.10
AES-256 at rest, TLS 1.3 in transit. Key management via AWS KMS / Cloud HSM. Quarterly key rotation.
Operations Security — A.12
Change management with mandatory peer review. Patch management — critical CVEs closed within 48 hours. Quarterly backup-recovery drills.
Supplier Security — A.15
All sub-processors go through security review. Contractual obligations for confidentiality, audit rights, breach notification.
Incident Management — A.16
Documented runbooks, 24/7 on-call. Incident classification by severity. Customer-facing post-mortem for SEV-1.
What we hand to auditors
ISO 27001:2022 readiness status
Readiness report and Statement of Applicability — under NDA.
Statement of Applicability
SoA covering 93 Annex A controls — under NDA.
Surveillance Audit Report
Annual surveillance audit report.
Risk Assessment Summary
Sanitized risk register — under NDA.
California Consumer Privacy Act + CPRA
CCPA (amended by CPRA in 2023) gives California residents a set of rights over their personal information. Easylim covers every right with built-in tooling — no paid add-ons.
What we do
DSAR — Subject Access Request
Self-service export of all personal data tied to an email or user_id. Fulfilled inside the 45-day CCPA window (typically within minutes).
Right to Delete
Delete an account and all linked personal data in one click. Request executed within 30 days.
Opt-Out of Sale
We don't sell personal data. "Do Not Sell My Personal Information" banner shown to California visitors.
Right to Correct
Customers can update any personal information in the admin UI themselves. Audit log records every edit.
Notice at Collection
Privacy Policy clearly lists categories of data collected and purposes of processing. Updated with every release.
Minor Protection
Easylim isn't intended for children under 16. Verification flow for new accounts. Parental opt-in for ages 13-16.
What we hand to auditors
Privacy Policy (CCPA Section)
Dedicated CCPA section with full list of data categories and rights.
DSAR Portal Demo
Demo of the self-service data request portal.
DSAR Response Metrics
Annual statistics on request fulfilment — public.
Customer DPA
DPA with CCPA addendum for business customers.
Can't find a document?
Talk to our security team
DPA, SOC 2 Type II report, ISO 27001 cert, sub-processor list — all available on request. We reply within one business day.
- GDPR: 3 days
- SOC 2: 2 days
- ISO 27001: 4 days
- CCPA: 3 days