Compliance & Certifications

GatesFlow is committed to maintaining the highest standards of data security, privacy, and regulatory compliance to protect your business.

Privacy & Data Protection

GDPR Compliant

EU General Data Protection Regulation

Full compliance with GDPR requirements for organizations processing EU residents' personal data.

  • ✓ Data Processing Agreements (DPAs) available
  • ✓ Right to access, rectification, and erasure
  • ✓ Data portability support
  • ✓ Breach notification procedures
  • ✓ Privacy by design and default

CCPA Compliant

California Consumer Privacy Act

Compliance with CCPA and CPRA requirements for California residents.

  • ✓ Transparency in data collection
  • ✓ Right to know and delete
  • ✓ Opt-out of data sales (we don't sell data)
  • ✓ Non-discrimination for exercising rights
  • ✓ Consumer request portal

Security Certifications

SOC 2 Type II

In Progress

Service Organization Control 2 - Type II Audit

Currently undergoing SOC 2 Type II audit, demonstrating our commitment to security, availability, processing integrity, confidentiality, and privacy.

Expected Completion: Q2 2025

SOC 2 Trust Service Criteria:

  • Security - Protection against unauthorized access
  • Availability - System availability for operation and use
  • Processing Integrity - Complete, valid, accurate, and authorized processing
  • Confidentiality - Protection of confidential information
  • Privacy - Personal information handling per commitments

ISO 27001

Planned

Information Security Management System

Planning ISO 27001 certification to demonstrate our systematic approach to managing sensitive information and ensuring data security.

Target Date: Q4 2025

Industry Standards Support

GatesFlow is designed to support manufacturers operating under stringent quality management standards:

IATF 16949

Automotive Quality Management System standard for automotive production and service parts organizations.

ISO 9001

Quality Management System standard applicable to any organization regardless of size or industry.

AS9100

Quality Management System standard for the aerospace industry, including aviation, space, and defense.

Note: While GatesFlow supports workflows aligned with these standards, your organization is responsible for obtaining and maintaining its own certifications. Our platform provides tools to help you meet documentation and process requirements.

Payment Security

PCI DSS Compliant Payment Processing

All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor. We never store or process credit card information directly on our servers.

  • ✓ Tokenized payment processing
  • ✓ Encrypted payment data transmission
  • ✓ SCA (Strong Customer Authentication) for EU payments
  • ✓ 3D Secure support for added security

Data Residency & Transfer

Primary Data Center Locations: United States (US-East, US-West)

Backup Locations: Geographically distributed across multiple regions for redundancy

International Data Transfers

For customers in the European Economic Area (EEA), UK, and Switzerland, we ensure appropriate safeguards for international data transfers:

  • ✓ Standard Contractual Clauses (SCCs) approved by the European Commission
  • ✓ Data Processing Agreements (DPAs) available upon request
  • ✓ Adherence to adequacy decisions where applicable
  • ✓ Supplementary measures to ensure data protection

Enterprise customers can request specific data residency requirements. Contact sales@gatesflow.com for details.

Subprocessors

We engage carefully vetted subprocessors to provide our Services. All subprocessors are bound by data protection agreements and security requirements.

Subprocessor                   | Service                  | Location
Stripe, Inc.                   | Payment Processing       | United States
Cloud Infrastructure Provider  | Hosting & Infrastructure | United States
Email Service Provider         | Transactional Emails     | United States

We will notify customers of any changes to our subprocessors at least 30 days in advance.

Audit Rights & Documentation

Enterprise customers may request:

  • ✓ Security and compliance documentation
  • ✓ SOC 2 reports (when available)
  • ✓ Penetration testing summaries
  • ✓ Data Processing Agreements (DPAs)
  • ✓ Standard Contractual Clauses (SCCs)
  • ✓ Security questionnaire responses

For audit-related requests, contact: legal@gatesflow.com

Compliance Questions

For questions about our compliance posture, certifications, or to request compliance documentation:

General Compliance: compliance@gatesflow.com

Data Protection Officer: dpo@gatesflow.com

Legal / DPA Requests: legal@gatesflow.com

Security: security@gatesflow.com

This compliance page was last updated on October 28, 2025. We continuously work to enhance our security and compliance posture. Check back regularly for updates on our certification progress.