Security certifications backing the platform
ISO 27001, SOC 2 Type II, PCI-DSS — current attestations available under NDA for customers in Italy.
ISO 27001 — information security management
ISO 27001:2022 certification covers the platform, customer data systems and hub operations. Scope statement available on request. Surveillance audits annually, recertification every three years.
SOC 2 Type II — operational controls
SOC 2 Type II report covering Security, Availability and Confidentiality. Period covered: rolling 12 months. Bridge letter available between report dates.
PCI-DSS — card data handling
PCI-DSS SAQ-A scope: we never touch cardholder data ourselves — all payment processing goes via a certified processor. Quarterly external scans. AoC available on request.
Italy — local data and SdI (Sistema di Interscambio)
Customer master data and order data stored in EU data centres. SdI (Sistema di Interscambio) flows for IVA 22% use a certified channel — keys rotated, logs retained per local fiscal law.
FAQ
Can we see your ISO 27001 certificate?
Yes — current certificate PDF shared under NDA, with scope statement.
SOC 2 report — how do we access it?
Full SOC 2 Type II report under NDA. Bridge letter between report dates.
Do you store card data?
No — SAQ-A scope. Payments via certified processor. Tokens only on our side.
Penetration tests?
External pentest annually by an accredited firm — executive summary shared under NDA, full report for framework customers.
Sub-processors?
Full list of sub-processors with locations published — updated within 30 days of any change.