| Framework | Status | Summary |
|---|---|---|
| UK GDPR | Aligned | Processor model, DPA, UK IDTA. |
| EU GDPR | Aligned | Processor model, DPA, SCCs 2021/914. |
| CCPA / CPRA | Aligned | Rights workflows, no sale of personal information. |
| ISO/IEC 27001:2022 | Controls mapped | ISMS in operation. Certification roadmap. |
| ISO/IEC 42001 (AI) | Controls mapped | AI management system aligned with ISO 42001. |
| SOC 2 | Controls mapped | Security, Availability, Confidentiality. |
| Cyber Essentials | Aligned | Five core technical controls. |
| NIS2 | Aligned | Incident response & supply-chain controls. |
| EU AI Act | Aligned | Limited-risk AI features with transparency. |
| DORA | On roadmap | ICT third-party controls for financial entities. |
| HIPAA | On roadmap | BAA scope under evaluation. |
| FedRAMP | On roadmap | US-region deployment under evaluation. |
Our approach
TrackProject is architected so that each compliance framework is a configuration of the same underlying controls: encryption, row-level security (RLS), audit logging, role-based access control (RBAC), lifecycle management and incident response. New frameworks plug into the same control set without re-architecting the platform. Evidence is maintained continuously rather than collected at audit time.
UK GDPR
Aligned. UK-based controller/processor model, DPA, UK International Data Transfer Addendum, data-subject-rights workflows, 72-hour breach notification, Record of Processing Activities maintained centrally.
EU GDPR
Aligned. Processor model, DPA, SCCs (2021/914), Article 28 contractual chain with subprocessors, transfer impact assessments where required.
CCPA / CPRA
Aligned. We do not sell personal information and we honour Do Not Sell or Share, Limit Use of Sensitive Personal Information, Access, Deletion and Correction requests. Workspace administrators handle requests from their End Users; account-level requests are handled directly.
ISO/IEC 27001:2022
Controls mapped. An Information Security Management System is in operation with policies, risk register, supplier management, internal audit and continuous improvement. Certification roadmap available on request.
ISO/IEC 42001:2023 (AI Management System)
Controls mapped. AI Management System aligned with ISO 42001 covering AI risk, lifecycle, transparency, oversight and continuous monitoring. Certification on roadmap.
SOC 2
Controls mapped. Security, Availability and Confidentiality Trust Service Criteria implemented; Type I and Type II reports on the roadmap. Bridge letter available to enterprise customers on request.
Cyber Essentials
Aligned. The five Cyber Essentials technical controls are in place: firewalls, secure configuration, user access control, malware protection and patch management. Cyber Essentials Plus on the roadmap.
NIS2
Aligned. TrackProject's incident-response, supply-chain, governance and business-continuity controls map to the NIS2 directive obligations applicable to digital service providers operating in the EU.
EU AI Act
Aligned. TrackProject AI features are classified against EU AI Act risk categories. All current features fall within the limited-risk category and ship with transparency notices, citation requirements and human-in-the-loop controls. We monitor secondary legislation and harmonised standards as they emerge.
DORA (Digital Operational Resilience Act)
On roadmap. Where TrackProject acts as an ICT third-party service provider to in-scope financial entities, contractual and operational controls aligned with DORA Articles 28–30 are available under enterprise contracts.
HIPAA
On roadmap. TrackProject is not currently positioned as a HIPAA Business Associate. Customers must not upload Protected Health Information without a written addendum.
FedRAMP
On roadmap. A US-region deployment with FedRAMP-aligned controls is under evaluation for US federal and regulated enterprise customers.
Future frameworks
The compliance architecture is extensible: new frameworks (PCI DSS service-provider scope, TX-RAMP, IRAP, C5) can be added without re-platforming.
Evidence access
Enterprise customers and prospects can request the latest SOC 2 bridge letter, ISO 27001 Statement of Applicability extract, penetration-test summary and DPIA template under NDA from security@track-project.com.