What we can evidence today, and what we're still building.
We label each artefact by what it actually is — a self-assessment, a readiness extract, or a scoping statement — never as an audit or a certificate we do not hold. A confident 'not applicable, and here's why' is part of the picture.
Framework by framework
| Framework | Position | State | Note |
|---|---|---|---|
| UK GDPR & DPA 2018 | Working toward | Partial | Registered with the ICO (ZC064795). Processor by default on the main data path; DPA, Privacy Notice, and records of processing are being formalised. |
| EU GDPR | In scope for EU customers | Partial | Applies extraterritorially (Art. 3(2)) for EU customers such as the Swedish pilot; intended to be addressed via EU SCCs and the UK IDTA/Addendum. The EU controller → UK processor → US sub-processor transfer chain is still being confirmed with counsel before signing (see the DPA). |
| ISO/IEC 27001:2022 | Readiness, not certified | Planned | Readiness work underway (gap assessment against the standard); not a completed or audited programme. Physical controls inherited from Hetzner. Not currently certified. |
| CSA CAIQ v4 | Self-assessment | Partial | Published per-domain self-assessment with a downloadable copy — not an audit. |
| SOC 2 | Not audited | Planned | Gated on first US enterprise demand. |
| NIS2 | Not directly in scope | Not applicable | We are a UK entity and not an in-scope operator. These artefacts help EU customers discharge their own Art. 21(2)(d) supply-chain diligence about us. |
| PCI DSS | Not applicable | Not applicable | We process bank-account identifiers, never cardholder data. |
| PSD2 / FCA authorisation | Out of scope | Not applicable | Not a payment service provider; we never initiate, hold, or move funds. |
Data protection
Our primary regime is UK GDPR and the Data Protection Act 2018, supervised by the ICO. For EU customers such as our Swedish pilot, EU GDPR also applies extraterritorially. The UK GDPR & DPA 2018 page sets out our controller/processor roles, breach clocks, and data-subject handling.
Payments and fraud regulation
Because PayHQ sits next to money, reviewers ask where payments regulation lands. It mostly does not, and we say why plainly:
- PSD2 / e-money. Out of scope — we are not a payment service provider and never initiate, hold, or move funds.
- FCA authorisation. Not required for the current product. A payment-initiation or payment-institution licence is trigger-gated to features we have not built.
- PCI DSS. Not applicable — we process bank-account identifiers, never cardholder data.
- NIS2. We are a UK entity and not an in-scope operator. These artefacts help EU customers discharge their own Art. 21(2)(d) supply-chain due diligence about us.
Ask us
Need something not listed — a completed questionnaire, our ISO readiness detail, or artefacts under NDA? Email [email protected].