    Compliance

    Last updated: 17 September 2025

    Security & Privacy Program

    Ethrocore delivers security and privacy by design with deployment options across Google Cloud Platform (GCP), Amazon Web Services (AWS), Microsoft Azure, and supported on-prem/hybrid models. We tailor controls to industry obligations and regional laws.

    Frameworks: SOC 2 criteria-aligned controls with ISO 27001-informed practices.
    Encryption: TLS in transit; AES-256 at rest (or provider-equivalent). Customer-managed keys (CMK/KMS) available in supported tiers.
    Identity & Access: SSO/SAML/OIDC, MFA, RBAC/least privilege, just-in-time elevation where applicable.
    Network: VPC/VNet isolation, private endpoints/peering, security groups/NSGs, WAF options, egress controls.
    Monitoring & Logging: Centralized logging, SIEM integration, audit trails, anomaly detection.
    Vulnerability & Patch: Regular scanning, dependency management, patch SLAs, change control.
    Backups & DR: Encrypted backups, tested restore, RPO/RTO targets per plan, multi-AZ/region options.
    Secure SDLC: Code reviews, dependency checks, secrets management, pre-prod testing.
    Penetration Testing: Periodic third-party tests; executive summaries available under NDA.
    Incident Response: 24/7 on-call, triage/containment, customer notification obligations per law/contract.

    Framework-Specific Support

    SOC 2 (Type II-ready): control mapping, audit-friendly logging, change management, vendor risk processes.
    HIPAA: available under a BAA; safeguards include access control, PHI segregation, audit logging, breach notification pathways.
    GDPR/UK GDPR: DPA with SCCs where needed; data minimization, role-based access, portability tooling, regional hosting options.
    Saudi PDPL: data classification, retention/destruction controls, cross-border transfer assessments, and breach notification timelines in line with PDPL.
    Additional mappings (e.g., ISO 27001, NIST 800-53) available by scope and Order.

    Data Residency & Multi-Cloud

    Select hosting regions (subject to availability) across GCP/AWS/Azure. We can implement single-cloud, multi-cloud, or hybrid architectures to meet resilience and regulatory needs.

    Sub-Processors

    We use vetted sub-processors under DPAs/BAAs as applicable. A current list is available on request; customers will be notified prior to material changes where required.

    Shared Responsibility

    Customers control user provisioning, access reviews, data classification, retention settings, tenant configurations, and third-party integrations. Customers remain responsible for lawful data collection and providing required end-user notices and consents.

    Compliance Documentation

    DPA (GDPR/UK GDPR/PDPL) and BAA (HIPAA) available upon request. Audit artifacts (e.g., penetration test summaries, policy excerpts) provided under NDA for due diligence.

    Contact

    Security: security@ethrocore.com
    Privacy: privacy@ethrocore.com