FAQs: Privacy regulations: GDPR, CCPA, cookies, and data subject requests

This article brings together common customer questions and practical answers based on typical Secureframe workflows, compliance situations and unique tech stacks.

It is meant as quick reference material for day-to-day use of the product.

CCPA and US state privacy

Are you GDPR and CCPA compliant?

  • Yes, we are compliant with both GDPR and CCPA. However, the readiness assessment doesn't count as an official audit. If customers require an audit, an external auditor should be consulted.

Do I need an audit to prove CCPA compliance?

  • No, you do not need an audit to prove CCPA compliance. However, some customers may request an audit as an extra step to confirm compliance.

Do I need to be concerned about CCPA today if the regulatory agency won't go live until a future date?

  • Yes, the CPRA officially activates in January 2023 but has a one-year look-back period starting in January 2022. Businesses that are subject to CCPA should ensure compliance to avoid potential fines.

Does CCPA apply to non-profit organizations or government agencies?

  • CCPA applies only to for-profit legal entities. Non-profit organizations and government agencies are exempt from CCPA.

If my business isn't located in California, do I still need to be CCPA compliant?

  • Yes, if your business collects personal data from California residents and meets other thresholds (revenue, data volume, or data sales), you must comply with CCPA.

What are the CCPA requirements?

  • CCPA compliance requires companies to: provide California residents with information about the collection of their personal data; allow them to opt-out of personal information sales; request disclosure of their personal data in a portable format; request deletion of their data; document personal information collection, processing, and sharing activities; implement security controls to protect personal information; assess CCPA compliance for vendors; and train personnel on CCPA requirements.

What is the time estimate for an employee to complete GDPR and CCPA training we've created?

  • About 30 minutes each, including a quiz.

Which businesses need to be CCPA compliant?

  • CCPA applies to businesses that collect data on California residents and meet one of these criteria: annual revenue of $25 million or more, possess data on more than 50,000 consumers, or earn more than half their revenue selling personal data.

Who needs to do CCPA training?

  • Anyone touching, processing, or having access to CA personal data, but it can also be done for all employees for simplicity.

Cookies and consent

Do the cookies used in the Trust Centre require an EU-compliant cookie consent banner?

  • No. The Trust Centre only uses essential cookies — specifically 3 first-party cookies that manage user states and track errors/performance. No personal data is shared with third parties for marketing or profiling, so no cookie consent banner or additional JavaScript is required to comply with EU regulations.

GDPR and regional privacy

Are there particular GDPR tests or tasks that would need to be completed by a legal counsel or reviewed by legal?

  • Yes, tests involving legal documentation like the Data Processing Agreement test and privacy policy test.

Can a customer state to their customers they are GDPR compliant by going through readiness with us?

  • Yes, if customers implement all required controls and processes during readiness, they should comply with GDPR laws. However, if their customers request a formal audit, they should undergo one with an external auditor.

Can we disable control GDPR-43 if we don't capture any biometric data?

  • Yes. If your organization does not collect or process biometric data or any other special categories of personal data (as specified in the control requirements within the platform), you can disable control GDPR-43. The control is only applicable when special category data processing is in scope.

Do customers need an audit to prove GDPR compliance?

  • No, customers do not need an audit to prove GDPR compliance. However, they must abide by GDPR if processing EU personal data. If their customers require a formal audit, they should seek an external auditor.

Do I need a GDPR Representative?

  • GDPR representatives are required for companies processing EU/UK/EEA personal data as a controller or processor, without offices in the EU/UK/EEA, but offering goods/services or monitoring behavior in these regions. However, if processing is occasional and of low risk, a representative may not be needed.

Do we support the UK GDPR with GDPR or is that something they would have to do separately?

  • UK GDPR, also known as the Data Protection Act of 2018, is very similar to the EU GDPR. If you are compliant with EU GDPR, you're likely compliant with UK GDPR. If there are minor differences, we can add a custom test and show evidence.

Do you adhere to an approved code of conduct or certification mechanism? (This may be used to demonstrate compliance with GDPR requirements)

  • Yes, we maintain an internal code of conduct and provide compliant data protection agreements, following SCCs.

Do you offer outsourced Data Protection Officer (DPO) services for GDPR compliance?

  • At this time, we do not offer outsourced Data Protection Officer (DPO) services as part of our platform, as this is a formal role that falls outside the scope of what we provide. However, we’re happy to recommend third-party providers such as [Prighter](https://prighter.com/) or [Verasafe](https://verasafe.com/managed-services/dpo-services), who specialize in this area.

    For more information regarding DPO services or our recommendations, please reach out to your Customer Success Manager, or our Success team at success@secureframe.com

How do I scope GDPR correctly?

  • Specify if you're a data processor, data controller, or both. Enable or disable applicable requirements accordingly in Secureframe.

How do I scope GDPR or ISO 27701 frameworks based on data roles?

  • Identify whether your organization is a Data Processor, Data Controller, or both. This affects requirement applicability in GDPR and ISO 27701. Mark requirements tagged as 'Processor' or 'Controller' as not applicable if they don’t align with your role. If both, keep all relevant requirements enabled in Secureframe.

Is an audit required to prove GDPR compliance?

  • An audit is not required to prove GDPR compliance, but companies processing EU personal data must comply with GDPR. Some customers may request an audit as an additional step to verify compliance.

So does GDPR require customers to move to a UK-hosted environment to be compliant?

  • No. As long as appropriate data protection measures are in place, UK GDPR does not require data residency within the UK.

What are the GDPR requirements?

  • The GDPR requires companies to provide transparent information about personal data processing, allow data subjects to exercise their rights, and ensure data security through encryption, anonymization, and other measures. A Data Protection Officer (DPO) may need to be appointed in certain cases.

What if Secureframe’s data is still hosted in U.S. data centers—does that impact the customer’s GDPR compliance?

  • No. Secureframe is treated as a vendor in this case. Customers would perform standard vendor risk and GDPR due diligence on Secureframe as part of their compliance obligations. Secureframe’s U.S. hosting does not compromise the customer’s ability to host their own data in Canada.

What is GDPR personal data?

  • Under GDPR, personal data refers to information related to an identifiable EU person, such as names, email addresses, IP addresses, location data, medical data, and more.

Privacy policies and notices

What policies and procedures do you have in place when there is a request for personal data from public authorities?

  • We do not disclose data in response to requests from public authorities unless required by law. We maintain a Data Transfer Impact Assessment and refer any requests for personal data back to the customer, who is the source of truth for their data.

Additional customer questions

What is the purpose of the Data Processing Agreement (DPA)?

  • The DPA ensures that processors and subprocessors comply with GDPR/privacy processes.

Are you a data processor or controller in terms of data privacy?

  • Secureframe is a data processor with respect to customer data.

Does Secureframe provide a "Personal Data Transfer Impact Assessment Form" and is there an additional cost associated with it?

  • Yes, we have a template for a data protection impact assessment, and it is included as part of the relevant privacy frameworks (GDPR, ISO 27701, CPRA).

    There is no cost, assuming the customer has access to the above frameworks in which the template is included.

Personal data is only processed based on the instruction of the controller. Can you give me an example of a processor for us?

  • A processor could be any vendor that processes, stores, or handles personal data on behalf of the controller, such as AWS, GCP, Salesforce, Mailchimp, or Google Analytics. These vendors often have data processing clauses in their agreements.

What if the client asks us if they are a data processor or data controller?

  • To determine whether your company is a data processor, data controller, or both, consult your legal team. Generally, if you decide the purpose and means of processing personal data, you are a data controller. If you process personal data based on another party's instructions, you are a data processor.
