Compliance

Our commitment to meeting the highest standards of regulatory compliance and industry certifications.

Comprehensive Compliance Framework

EvidaraIQ is designed from the ground up to meet the rigorous compliance requirements of law enforcement, prosecutors, and regulated investigative teams. We maintain certifications and compliance with multiple regulatory frameworks to ensure your data and operations meet legal and industry standards.

Targeting SOC 2 Type II Certification

EvidaraIQ is targeting SOC 2 Type II certification, demonstrating our commitment to security, availability, processing integrity, confidentiality, and privacy. Our controls are being designed to meet these rigorous standards and will be independently audited annually.

Trust Service Criteria

  • Security: Protection against unauthorized access
  • Availability: System accessibility and operational performance
  • Processing Integrity: Complete, valid, accurate, timely, and authorized processing
  • Confidentiality: Protection of confidential information
  • Privacy: Collection, use, retention, disclosure, and disposal of personal information

  • Audit Period: Annual
  • Auditor: Independent CPA Firm
  • Report Availability: Available under NDA for qualified prospects and customers

CJIS Security Policy Compliance

ClearPath.AI is designed to meet the security requirements of the Criminal Justice Information Services (CJIS) Security Policy, which governs access to criminal justice information systems.

Key CJIS Compliance Features

  • Access Controls: Role-based access control with least privilege principles
  • Authentication: Multi-factor authentication required for all user accounts
  • Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Audit Logging: Comprehensive, immutable audit logs of all system access and data processing
  • Personnel Security: Background checks and security clearances for personnel with system access
  • Incident Response: Documented procedures for security incident detection, response, and reporting
  • Data Retention: Policies and procedures for secure data retention and disposal

We work closely with law enforcement agencies to ensure our platform meets their specific CJIS compliance requirements and can provide additional documentation upon request.

FedRAMP Authorization

EvidaraIQ is working toward FedRAMP (Federal Risk and Authorization Management Program) authorization to serve federal government customers. FedRAMP provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud services.

Status: In Process

We are actively pursuing FedRAMP Moderate authorization. For federal agency inquiries, please contact our compliance team.

Data Protection Regulations

GDPR (General Data Protection Regulation)

For customers in the European Union and United Kingdom, we comply with GDPR requirements:

  • Lawful basis for processing personal data
  • Data subject rights (access, rectification, erasure, portability, etc.)
  • Data protection impact assessments (DPIAs) where required
  • Data processing agreements (DPAs) with customers
  • Standard contractual clauses for international data transfers
  • Breach notification procedures

CCPA (California Consumer Privacy Act)

For California residents, we comply with CCPA requirements:

  • Right to know what personal information is collected
  • Right to delete personal information
  • Right to opt out of the sale of personal information (we do not sell personal information)
  • Non-discrimination for exercising privacy rights

Other Regional Regulations

We monitor and adapt to evolving data protection regulations globally, including PIPEDA (Canada), LGPD (Brazil), and other applicable frameworks.

Industry Standards and Frameworks

ISO 27001 Alignment

Our information security management system is aligned with ISO 27001 standards, including:

  • Information security risk management
  • Security controls implementation and monitoring
  • Continuous improvement processes
  • Regular internal and external audits

NIST Cybersecurity Framework

Our security practices align with the NIST Cybersecurity Framework:

  • Identify: Asset management, risk assessment, governance
  • Protect: Access control, data security, protective technology
  • Detect: Anomaly detection, security monitoring
  • Respond: Response planning, communications
  • Recover: Recovery planning, improvements

Third-Party Audits and Assessments

We undergo regular independent audits and assessments:

  • Annual SOC 2 Type II Audits: Comprehensive examination of our security controls
  • Penetration Testing: Regular third-party security assessments
  • Vulnerability Assessments: Quarterly scans and assessments
  • Code Security Reviews: Regular application security testing
  • Customer Security Reviews: Support for customer security assessments and questionnaires

Data Processing Agreements (DPAs)

We offer comprehensive Data Processing Agreements that outline:

  • Scope and purpose of data processing
  • Technical and organizational security measures
  • Data subject rights and our obligations
  • Sub-processor management and notification procedures
  • Data breach notification requirements
  • Data retention and deletion procedures

DPAs are available for review and execution as part of our standard service agreements.

Chain of Custody and Evidence Integrity

ClearPath.AI maintains comprehensive chain of custody documentation that meets legal and regulatory standards:

  • Immutable audit logs of all evidence access and processing
  • Cryptographic hashing for evidence integrity verification
  • Timestamped records of all system activities
  • User attribution for all actions
  • Exportable chain of custody reports for legal proceedings

Our platform is designed to produce evidence documentation that meets the standards required for admissibility in legal proceedings.

Compliance Documentation

We maintain comprehensive compliance documentation, including:

  • Security policies and procedures
  • Incident response plans
  • Business continuity and disaster recovery plans
  • Data retention and disposal policies
  • Vendor management procedures
  • Training and awareness materials

Certain compliance documentation is available to qualified prospects and customers under appropriate confidentiality agreements.

Continuous Compliance Monitoring

Compliance is not a one-time achievement but an ongoing process. We maintain continuous compliance through:

  • Regular compliance assessments and gap analyses
  • Monitoring of regulatory changes and updates
  • Continuous improvement of security controls
  • Regular training for personnel on compliance requirements
  • Proactive engagement with regulatory bodies

Compliance Contact

For compliance-related inquiries, documentation requests, or compliance questionnaires, please contact:

EvidaraIQ Compliance Team

Email: contact@evidaraiq.com

We aim to respond to compliance inquiries as soon as possible. Please note that, as we are in active development, response times may vary. For urgent matters, please indicate "URGENT" in the subject line.