$3.05 billion in reported losses to business email compromise in 2025 (FBI IC3).See the numbers by country →

Framework by framework

FrameworkPositionStateNote
UK GDPR & DPA 2018Working towardPartialRegistered with the ICO (ZC064795). Processor by default on the main data path; DPA, Privacy Notice, and records of processing are being formalised.
EU GDPRIn scope for EU customersPartialApplies extraterritorially (Art. 3(2)) for EU customers such as the Swedish pilot; intended to be addressed via EU SCCs and the UK IDTA/Addendum. The EU controller → UK processor → US sub-processor transfer chain is still being confirmed with counsel before signing (see the DPA).
ISO/IEC 27001:2022Readiness, not certifiedPlannedReadiness work underway (gap assessment against the standard); not a completed or audited programme. Physical controls inherited from Hetzner. Not currently certified.
CSA CAIQ v4Self-assessmentPartialPublished per-domain self-assessment with a downloadable copy — not an audit.
SOC 2Not auditedPlannedGated on first US enterprise demand.
NIS2Not directly in scopeNot applicableWe are a UK entity and not an in-scope operator. These artefacts help EU customers discharge their own Art. 21(2)(d) supply-chain diligence about us.
PCI DSSNot applicableNot applicableWe process bank-account identifiers, never cardholder data.
PSD2 / FCA authorisationOut of scopeNot applicableNot a payment service provider; we never initiate, hold, or move funds.

Data protection

Our primary regime is UK GDPR and the Data Protection Act 2018, supervised by the ICO. For EU customers such as our Swedish pilot, EU GDPR also applies extraterritorially. The UK GDPR & DPA 2018 page sets out our controller/processor roles, breach clocks, and data-subject handling.

Payments and fraud regulation

Because PayHQ sits next to money, reviewers ask where payments regulation lands. It mostly does not, and we say why plainly:

  • PSD2 / e-money. Out of scope — we are not a payment service provider and never initiate, hold, or move funds.
  • FCA authorisation. Not required for the current product. A payment-initiation or payment-institution licence is trigger-gated to features we have not built.
  • PCI DSS. Not applicable — we process bank-account identifiers, never cardholder data.
  • NIS2. We are a UK entity and not an in-scope operator. These artefacts help EU customers discharge their own Art. 21(2)(d) supply-chain due diligence about us.

Ask us

Need something not listed — a completed questionnaire, our ISO readiness detail, or artefacts under NDA? Email [email protected].

Operated by FIT PUP LTD · Company no. 15766852 · ICO ZC064795

Last reviewed 2026-07-13 · Next review by 2026-10-13 · [email protected]