Security & Privacy

Compliance & Certifications

Multilogin meets SOC 2, GDPR, CCPA compliance standards. Understand our certifications, data residency options, audit capabilities, and enterprise security requirements.

Lisa Kensington
7 min read

Enterprise customers need compliance. Auditors ask for certifications. Legal demands data residency. We have answers. SOC 2, GDPR, CCPA covered.

Why Compliance Matters

Compliance isn't paperwork. It's proof you protect customer data.

What compliance gets you:

  • Enterprise deals: 78% of Fortune 500 require SOC 2
  • Legal protection: GDPR violations cost up to €20M or 4% revenue
  • Customer trust: 86% won't use services without privacy compliance
  • Reduced insurance: Cyber insurance premiums drop 15-30% with certifications

No compliance? You lose deals. Face fines. Risk lawsuits.

SOC 2 Type II Certification

SOC 2 (Service Organization Control 2) proves we protect customer data.

What SOC 2 covers:

  • Security: Unauthorized access prevention, firewalls, encryption
  • Availability: 99.9% uptime SLA, redundancy, disaster recovery
  • Confidentiality: Data encryption, access controls, secure deletion
  • Privacy: GDPR/CCPA alignment, data minimization, user rights
  • Processing Integrity: Accurate data processing, error handling, quality assurance

Type II vs Type I:

Type I is a snapshot (controls exist on one day). Type II is continuous (controls worked for 6-12 months). We have Type II.

Annual audits: An independent auditor (Big 4 accounting firm) tests our controls. The report is available to enterprise customers under NDA.

📄 SOC 2 Report Request

Enterprise customers can request our SOC 2 Type II report. Contact sales@multilogin.io with your company name and use case. Requires NDA signature.

GDPR Compliance (EU)

General Data Protection Regulation. Applies to any company processing EU resident data.

Key requirements we meet:

Article 32 - Security:

  • AES-256 encryption for data at rest
  • TLS 1.3 for data in transit
  • Regular security testing and audits
  • Pseudonymization and encryption of personal data

Article 17 - Right to Erasure (Right to be Forgotten):

Settings → Privacy → "Delete My Account" → Permanent deletion within 30 days. We erase:

  • Profile data and browser sessions
  • Account credentials
  • Billing history (except what law requires we keep)
  • Audit logs with personal identifiers

Article 15 - Right to Access:

Request a full copy of your data: Settings → Privacy → "Export My Data" → JSON file with everything we store.

Article 20 - Data Portability:

Export profiles in standard format. Move to another provider if you want.

Article 33 - Breach Notification:

If a breach occurs, we notify affected users within 72 hours. The notice includes what happened, what data was affected, and what we're doing about it.

CCPA Compliance (California)

California Consumer Privacy Act. Applies to California residents.

CCPA rights we support:

  • Right to Know: What personal data we collect, why, who we share with
  • Right to Delete: Request deletion of personal data (same as GDPR)
  • Right to Opt-Out: Stop sale of personal data (we don't sell data)
  • Right to Non-Discrimination: Same service quality regardless of privacy choices

What data we collect:

Category      Examples                             Purpose
Identifiers   Email, name, IP address              Account management
Commercial    Subscription plan (currently free)   Account context
Usage Data    Profiles launched, API calls         Service delivery
Technical     Device type, browser version         Security, support

We don't sell your data. Period. No third-party advertising. No data brokers.

ISO 27001 (In Progress)

Information Security Management System (ISMS) certification.

Status: Gap analysis complete. Implementation underway. Audit scheduled Q3 2024.

What ISO 27001 adds:

  • Formal risk management framework
  • Documented security policies and procedures
  • Regular internal audits
  • Continuous improvement process

Industry-Specific Requirements

Healthcare (HIPAA):

Multilogin doesn't process Protected Health Information (PHI) directly. If you're a covered entity, you must:

  • Sign Business Associate Agreement (BAA) with us
  • Use Enterprise plan with enhanced encryption
  • Enable audit logging for all team members
  • Implement access controls (roles and permissions)

Contact enterprise@multilogin.io for BAA.

Finance (PCI DSS):

We don't store credit card data. Stripe (PCI Level 1 certified) handles all payments.

If you use Multilogin to access systems with cardholder data:

  • Don't store card numbers in profiles
  • Use dedicated profiles for payment systems
  • Enable 2FA for all team members
  • Review audit logs monthly

Data Residency

Where we store your data:

Region           Data Center                       Available On
United States    AWS us-east-1 (Virginia)          All plans
European Union   AWS eu-central-1 (Frankfurt)      Team, Enterprise
United Kingdom   AWS eu-west-2 (London)            Enterprise
Asia Pacific     AWS ap-southeast-1 (Singapore)    Enterprise

Cross-border transfers: EU data stays in EU. No transfer to US unless customer explicitly enables it.

Changing regions: Settings → Data Residency → Select region → Migrate (takes 24-48 hours).

Audit and Reporting

What you can audit:

  • User actions (profile launches, edits, deletions)
  • Permission changes (role updates, access grants)
  • Security events (logins, 2FA changes, API key usage)
  • Data exports (who downloaded what, when)

Export formats: CSV, JSON, PDF

Retention:

  • Solo plan: 30 days
  • Team plan: 90 days
  • Enterprise plan: 1 year

Need longer retention? Enterprise customers can stream logs to a SIEM (Splunk, Datadog) via API.

Subprocessors

Third parties we use to deliver service:

Vendor       Purpose                   Location
AWS          Cloud hosting, storage    US, EU, UK, APAC
Stripe       Payment processing        US (PCI compliant)
SendGrid     Transactional emails      US
Cloudflare   CDN, DDoS protection      Global

All subprocessors sign Data Processing Agreements (DPAs) with GDPR-compliant terms.

Full subprocessor list: multilogin.io/legal/subprocessors

Security Questionnaires

Enterprise procurement sends security questionnaires. We've pre-answered common ones:

  • CAIQ (Consensus Assessments Initiative Questionnaire): Cloud security controls
  • SIG (Standard Information Gathering): Shared Assessments questionnaire
  • VSAQ (Vendor Security Assessment): Google's vendor security assessment

Request completed questionnaires: enterprise@multilogin.io

Compliance Best Practices for Customers

  • Enable 2FA: For all team members (Owner can enforce)
  • Review audit logs: Weekly for suspicious activity
  • Rotate API keys: Every 90 days minimum
  • Use scoped permissions: Least privilege principle
  • Document procedures: Who can access what, when, why
  • Export logs regularly: For long-term retention and audits
  • Sign DPA: Enterprise customers should sign Data Processing Agreement
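The weekly audit-log review and the 90-day API key rotation above are easier to keep up when they are scripted against the JSON export. The script below is an added example, not Multilogin's own tooling: it assumes a JSON Lines audit export with the event names and fields shown in the constructed SAMPLE_EXPORT (the real export schema is not documented on this page), and it flags API keys older than 90 days that are still in use, high-risk events (permission grants, 2FA disablement, data exports) in the last seven days, and any actor who both disabled 2FA and exported data in that window.

```python
"""Weekly audit-log review helper.

Added example, not Multilogin's own code. The JSON Lines layout, event
names (api_key.created, permission.granted, ...) and field names are
assumptions made for illustration; adapt them to the real export.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample export (not real data): one JSON object per line.
SAMPLE_EXPORT = """\
{"ts": "2024-03-01T09:12:00Z", "actor": "alice@example.com", "event": "api_key.created", "target": "key_1"}
{"ts": "2024-05-20T14:03:00Z", "actor": "bob@example.com", "event": "api_key.created", "target": "key_2"}
{"ts": "2024-06-28T08:00:00Z", "actor": "alice@example.com", "event": "api_key.used", "target": "key_1"}
{"ts": "2024-06-29T10:30:00Z", "actor": "bob@example.com", "event": "api_key.used", "target": "key_2"}
{"ts": "2024-06-29T11:00:00Z", "actor": "carol@example.com", "event": "permission.granted", "target": "dave@example.com", "role": "admin"}
{"ts": "2024-06-30T02:15:00Z", "actor": "dave@example.com", "event": "2fa.disabled", "target": "dave@example.com"}
{"ts": "2024-06-30T02:20:00Z", "actor": "dave@example.com", "event": "data.exported", "target": "profiles.json"}
{"ts": "2024-06-30T12:00:00Z", "actor": "alice@example.com", "event": "profile.launched", "target": "profile_42"}
"""

# Fixed "now" so the example is reproducible; use datetime.now(timezone.utc) in practice.
EXAMPLE_NOW = datetime(2024, 7, 1, tzinfo=timezone.utc)
REVIEW_WINDOW = timedelta(days=7)   # "review audit logs weekly"
MAX_KEY_AGE = timedelta(days=90)    # "rotate API keys every 90 days minimum"
HIGH_RISK_EVENTS = {"permission.granted", "2fa.disabled", "data.exported"}


def parse_export(text):
    """Parse a JSON Lines export into event dicts with timezone-aware timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        # fromisoformat() accepts "+00:00" but not a trailing "Z" on older Pythons.
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def stale_api_keys(events, now, max_age=MAX_KEY_AGE, window=REVIEW_WINDOW):
    """Ids of keys created more than max_age ago and still used inside the review window."""
    created = {ev["target"]: ev["ts"] for ev in events if ev["event"] == "api_key.created"}
    used_recently = {ev["target"] for ev in events
                     if ev["event"] == "api_key.used" and ev["ts"] >= now - window}
    return sorted(k for k, t in created.items() if now - t > max_age and k in used_recently)


def high_risk_events(events, now, window=REVIEW_WINDOW):
    """High-risk events inside the review window, in export order."""
    start = now - window
    return [ev for ev in events if ev["event"] in HIGH_RISK_EVENTS and ev["ts"] >= start]


def actors_with_chained_risk(risk_events):
    """Actors who both disabled 2FA and exported data in the same window."""
    by_actor = {}
    for ev in risk_events:
        by_actor.setdefault(ev["actor"], set()).add(ev["event"])
    return sorted(a for a, kinds in by_actor.items()
                  if {"2fa.disabled", "data.exported"} <= kinds)


def weekly_review(text, now):
    """Run every check over one export and return a report dict."""
    events = parse_export(text)
    risky = high_risk_events(events, now)
    return {
        "stale_api_keys": stale_api_keys(events, now),
        "high_risk_events": risky,
        "actors_to_review": actors_with_chained_risk(risky),
    }


if __name__ == "__main__":
    report = weekly_review(SAMPLE_EXPORT, EXAMPLE_NOW)
    print("Keys overdue for rotation:", report["stale_api_keys"])
    for ev in report["high_risk_events"]:
        print(f"{ev['ts'].isoformat()} {ev['actor']} {ev['event']} -> {ev['target']}")
    print("Actors needing follow-up:", report["actors_to_review"])
```

Point the script at the CSV or JSON export from the audit page (or at the SIEM stream on Enterprise plans) and adjust the event names to match what the export actually emits. Because retention on Solo and Team plans is 30 and 90 days, the key-age check only works if you keep older exports around, which is one more reason to export logs regularly.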

Enterprise Security Package

Need custom compliance? Enterprise plan includes: dedicated security review, custom DPA terms, extended audit logs, priority security support, and BAA for healthcare.

Lisa Kensington

Chief Compliance Officer

Lisa Kensington leads compliance at Multilogin.io. She holds CIPP/E and CIPM certifications and previously managed compliance programs at Stripe and Salesforce.