Compliance by Design

Global Regulatory Compliance

AffixIO is architected from first principles to meet the world's most demanding data protection frameworks. Stateless processing means personal data is handled only transiently, in memory, so there is none to protect at rest.

Trust & authorship: Kris & Becca Richens (AffixIO creators)

Expertise: Privacy-first, stateless verification patterns for identity, consent, authorization, policy, and verifiable proof/audit evidence.

Privacy: No PII stored; stateless processing. See Privacy Policy.

Last updated: March 23, 2026

  • No data stored
  • Pseudonymised audit logs
  • DPA available
  • End-to-end encryption
  • Zero retention architecture

Supported compliance frameworks

Detailed documentation, implementation guides, and compliance artefacts for every major regulatory framework.

GDPR
General Data Protection Regulation

EU and UK data protection law. AffixIO's stateless architecture narrows the scope of GDPR obligations by design: personal data is processed transiently in memory and never held at rest, so there is no stored personal data to secure, breach-report, or erase. Transient processing is still processing under Article 4(2), so lawful basis, transparency and processor terms continue to apply.

  • Article 25 privacy by design and by default
  • Data minimisation and purpose limitation
  • Pseudonymised audit trails with retention controls
  • Data Processing Agreements for processors
Read GDPR documentation
HIPAA
Health Insurance Portability and Accountability Act

US healthcare data protection. AffixIO processes eligibility signals without storing PHI, enabling compliant healthcare verification workflows.

  • No PHI stored or transmitted unnecessarily
  • Minimum necessary standard applied by default
  • Business Associate Agreements available
  • Administrative, physical and technical safeguards
Read HIPAA documentation
CCPA
California Consumer Privacy Act

California's privacy law granting consumers rights over personal data. AffixIO's zero-retention model means minimal CCPA exposure for integrating businesses.

  • Right to deletion supported natively
  • No sale of personal information
  • Consumer opt-out signal support
  • Transparent data practice disclosures
Read CCPA documentation
LGPD
Lei Geral de Proteção de Dados

Brazil's comprehensive data protection law. AffixIO supports LGPD-compliant deployments for Brazilian markets with full legal basis documentation.

  • Purpose limitation and data minimisation
  • Transparent processing with legal basis
  • LGPD audit trail compliance
  • Consent management platform integration
Read LGPD documentation

Compliance by architecture, not policy

Zero data retention

Personal data is never stored. Verification inputs are processed in memory and discarded as soon as the decision is returned. There is nothing at rest to breach, leak, or delete; the remaining exposure is limited to the in-memory processing window.

Stateless processing

Each verification request is fully independent. No session state, no cross-request data correlation, no persistent identifiers created by AffixIO.

Pseudonymised audit trails

Verification decisions are logged with pseudonymised tokens only: the log records which check ran and its yes/no outcome, not the underlying identity data. Logs meet regulatory audit requirements without containing directly identifiable personal data. Note that under GDPR Article 4(5) pseudonymised data remains personal data while the additional information needed to re-identify it (the pseudonymisation key) exists, so the key is kept separate from the logs and the logs are subject to retention controls.
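The following is an added illustration of a pseudonymised audit log of the kind described above; it is not AffixIO's code and the page does not document its actual scheme. It assumes a keyed hash (HMAC-SHA256) under a key held apart from the log, records that carry only the check name, the yes/no decision, a timestamp and the token, and an assumed 30-day retention window. It also shows the caveat that matters in review: with the same key the tokens are linkable (the auditor can see repeat decisions for one subject), and rotating or destroying the key severs that link.

```python
"""Illustrative pseudonymised audit log (added example, not AffixIO code).

Assumptions (not from the page): pseudonyms are HMAC-SHA256 of the subject
identifier under a key kept separate from the log; records carry only the
verification type, the yes/no decision and a timestamp; entries older than
an assumed 30-day retention window are purged.
"""
import hashlib
import hmac
import json

RETENTION_SECONDS = 30 * 24 * 3600  # assumed 30-day retention window


def pseudonymise(subject_id: str, key: bytes) -> str:
    """Keyed hash: the token cannot be reversed or joined without the key."""
    return hmac.new(key, subject_id.encode("utf-8"), hashlib.sha256).hexdigest()


def audit_record(subject_id: str, key: bytes, check: str, allowed: bool, now: float) -> dict:
    """Build a log line that carries the decision but not the subject data."""
    return {
        "ts": int(now),
        "check": check,                      # which verification ran
        "decision": "yes" if allowed else "no",
        "subject": pseudonymise(subject_id, key),
    }


def purge_expired(log: list, now: float, retention: int = RETENTION_SECONDS) -> list:
    """Retention control: drop records that have aged past the window."""
    return [r for r in log if now - r["ts"] < retention]


def contains_identifier(log: list, *identifiers: str) -> bool:
    """True if any raw identifier appears anywhere in the serialised log."""
    blob = json.dumps(log)
    return any(i in blob for i in identifiers)


def demo() -> dict:
    key_v1 = b"\x01" * 32        # constructed key; in practice from a KMS/HSM
    key_v2 = b"\x02" * 32        # constructed rotated key
    now = 1_700_000_000.0        # fixed clock for a reproducible run
    alice = "alice@example.com"  # constructed sample identifiers
    bob = "bob@example.com"
    log = [
        audit_record(alice, key_v1, "age_over_18", True, now - 40 * 86400),   # past retention
        audit_record(alice, key_v1, "age_over_18", True, now - 5 * 86400),
        audit_record(bob, key_v1, "licence_valid", False, now - 86400),
    ]
    kept = purge_expired(log, now)
    # Same key: same token, so repeat decisions for one subject are visible
    # without revealing who the subject is. Rotated key: no longer linkable.
    same_key_linkable = pseudonymise(alice, key_v1) == kept[0]["subject"]
    rotated_unlinkable = pseudonymise(alice, key_v2) != kept[0]["subject"]
    return {
        "kept": len(kept),
        "leaks_identifier": contains_identifier(kept, alice, bob),
        "same_key_linkable": same_key_linkable,
        "rotated_unlinkable": rotated_unlinkable,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running `demo()` keeps the two in-window records, finds neither e-mail address in the serialised log, and shows that linkability exists only while the original key does; that key is the "additional information" that keeps the log within the GDPR definition of personal data, which is why it must be stored and access-controlled separately from the log itself.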

End-to-end encryption

All data in transit is protected with industry-standard TLS, which secures each network hop. Verification payloads are additionally encrypted at the application layer before transmission, so that intermediaries terminating TLS (load balancers, proxies, CDNs) see only ciphertext and the payload is readable only at the verification endpoint.

Transparent legal basis

Every verification type includes a documented legal basis for processing. DPAs are available for enterprise deployments in all supported jurisdictions, and BAAs for HIPAA-covered deployments.

Data minimisation by design

AffixIO only processes the minimum data required for a binary yes/no verification result. No raw data leaves the verification context.

Ready to deploy compliance-first verification?

Talk to the team about your regulatory requirements and how AffixIO fits your architecture.

Contact us View GDPR docs