Compliance overview

Last updated: May 5, 2026

Purpose

This overview summarizes topics customers typically ask SaaS vendors about; it is not an exhaustive questionnaire. It aligns with mainstream cloud software practice and complements our Privacy Policy and Terms of Service. Operational controls evolve, so specifics may briefly lag product changes, although we endeavour to refresh this summary when they differ materially.

Organizational and technical security

  • Principle of least privilege for production access, paired with SSO or individual accounts where collaborators support the Services.
  • Transport encryption (HTTPS and TLS-aligned patterns) deployed widely across the browser and API pathways we expose.
  • Secrets such as OAuth client credentials, payment keys, and database connection strings confined to hardened configuration, not checked into code.
  • Periodic dependency maintenance, plus anomaly monitoring where practical at our scale.

We do not presently publish a SOC 2 Type II attestation, but we organize our work so that we can deepen audit evidence if enterprise customers formally require it.

Subprocessors and onward transfers

Like most hosted products, Cartrize engages specialized vendors—for example infrastructure and hosting regions, transactional email if used, payment processing, authenticated sign-in federation, database hosting or managed Postgres equivalents, telemetry or diagnostics, automated content analysis when those features activate, observability dashboards, backups, and domain-level anti-abuse services. Agreements include written data protection expectations.

Copies of personal data may traverse United States locales and other regions where subprocessors physically operate—we implement transfer safeguards where regulation demands them (EU Standard Contractual Clauses or equivalents when applicable alongside supplemental measures reasonable for the risk).

The Privacy Policy’s subprocessor wording remains authoritative for lawful-basis cross-references.

Privacy laws we design for

  • EEA, UK, and Switzerland: GDPR-style lawful bases, accountability records, data-subject workflows, consent refresh where needed, data-protection impact considerations for higher-risk processing, and international-transfer mechanisms with subprocessors handling personal data.
  • California and similar US privacy laws: Access, deletion, correction, and appeal workflows where statutes require them, plus transparency about disclosures.
  • Children: Services are not directed at children—see our Privacy Policy for corrective steps when we become aware of inadvertent processing.

Regulated sectors

Cartrize is a general-purpose capture and comparison tool. Unless a separate written agreement clearly states otherwise—for example a Business Associate Agreement for HIPAA or another industry-specific addendum—the Services are not offered as specialized regulated-industry software; buyers use them for everyday research-style workflows only. Buyers in regulated domains (financial services, insurance, housing fairness, automobiles, biometric data regimes, sanctioned jurisdictions, broker-dealer rules, and similar) should satisfy themselves—with their advisers—that capturing or comparing certain fields stays within applicable laws.

As AI-assisted features evolve, we monitor emerging obligations (such as evolving EU AI governance) proportionate to deployment risk.

Incident response

If we substantiate unauthorized access that puts personal information at risk, we triage, escalate, and notify where the law requires it, including regulator or data-subject communications within statutory windows, and we summarize lessons learned internally.

Data processing agreements

Where GDPR-style controller-processor wording is legally required, typically for organizational customers, we can provide or countersign an appropriate data-processing agreement referencing Standard Contractual Clauses or templates accepted by supervisory authorities, alongside a short security summary. Mention “Enterprise DPA” when you reach out through Contact sales.

Questions

Use Contact sales tagging “Compliance” for procurement security reviews or DPIA questionnaires beyond this summary.