Trust | Compliance
Certifications and authorisations.
The list InfoSec teams ask about. Reports and certificates available under NDA via the Trust portal or by email to security@onefinops.com.
| Certification | Issuer / framework | Scope | Last certified | Cadence |
|---|---|---|---|---|
| SOC 2 Type II | Audited annually by a Big Four firm | Security, Availability, Confidentiality. Type II report covers a 12-month observation period. | 2026 | Annual |
| ISO 27001:2022 | Bureau Veritas | Information Security Management System covering OneFinOps platform, infrastructure and operations. | 2025 | Annual surveillance, 3-year recertification |
| DPDP (India) | Aligned with Digital Personal Data Protection Act 2023 | Lawful processing, consent management, data principal rights, breach notification, India-resident data hosting. | 2025 | Continuous |
| GDPR (EU) | Aligned with EU General Data Protection Regulation | Lawful basis for processing, data subject rights (access, deletion, portability), DPA, EU-resident hosting. | 2025 | Continuous |
On the roadmap
Certifications we are pursuing or have under continuous alignment.
- PCI DSS (Q3 2026): Payment-card data tokenisation; not currently in scope as we do not store full PAN data.
- HIPAA BAA support (Q4 2026): For healthcare customers handling PHI in OneFinOps documents.
- CCPA / CPRA (Continuous): California consumer privacy rights honoured under our existing GDPR-aligned controls.
security@onefinops.com
SOC 2 Type II report, ISO 27001 certificate and pen-test summaries available under NDA. Customer-specific questionnaires (CAIQ, SIG) supported.