Enterprise-grade compliance,
without compromise.

SOC 2 Type II (audited annually by an independent CPA firm), ISO 27001 (information security management), HIPAA-aligned controls for healthcare workloads, GDPR-compliant for EU customer data, CCPA-compliant for California residents, and EU-US Data Privacy Framework (DPF) certified. The current audit reports are available on request under NDA. Trust-center documents are published at stacksync.com/security.

Stacksync supports HIPAA-aligned deployments under a Business Associate Agreement (BAA). HIPAA-eligible plans run on isolated infrastructure with audit logging, encryption, customer-managed keys, and minimum-necessary access controls. The BAA is signed at the start of any healthcare engagement. Common HIPAA use cases include EHR-to-CRM sync, claims sync between billing platforms, and lab-result routing.

Data is processed in your chosen region: US (Virginia / Oregon), EU (Frankfurt / Ireland), or APAC (Singapore / Tokyo). Region pinning is enforced at the infrastructure layer — no customer data leaves the chosen region for any reason. Multi-region deployments are supported for enterprises with cross-regional sync needs. Backup data is replicated within the same region only.

Yes — the full SOC 2 Type II report is available under NDA. Request it through your account team or the contact form. The report covers a 12-month audit period and is renewed annually. For initial security reviews, the executive summary is available without NDA. Many enterprise customers also request our ISO 27001 certificate and most recent penetration test summary at the same time.

Yes. Stacksync acts as a data processor under GDPR with a standard Data Processing Addendum (DPA) signed at contract. EU customer data is processed in EU regions only (Frankfurt or Ireland) when EU region pinning is enabled. Data subject access requests (DSAR) are supported via the dashboard: search for a customer, export their data, or delete on request. Audit trails of access and modifications are retained per GDPR Article 30.

Yes — CMEK is available on enterprise plans. Stacksync can encrypt customer data and credentials with keys managed in your AWS KMS or GCP KMS account. The Stacksync platform never holds the master key; if you revoke access, all encrypted data becomes unreadable until access is restored. CMEK supports key rotation, BYOK lifecycle, and external HSM integration.

The dashboard includes a DSAR tool: search by email, name, or external ID; export the data subjects records as JSON or CSV; or delete on request. All DSAR actions are audit-logged. For complex deletion (where data has propagated through many sync paths), the platform shows the downstream systems affected before executing. Custom DSAR workflows can be built using the workflow engine.