Compliance Overview
Last Updated: 2026-02-12
Our Commitment#
cloak.business is built on the principle that privacy protection must be grounded in regulatory compliance. We maintain certifications, policies, and processes that ensure our platform meets the highest standards for information security and data protection.
Certifications and Standards#
ISO 27001:2022 -- Information Security Management System#
cloak.business operates under an ISO 27001:2022 certified information security management system (ISMS). This internationally recognized standard ensures that we systematically manage sensitive information through a comprehensive set of security controls, risk assessments, and continuous improvement processes.
Our ISMS covers:
- Information security policies and organizational structure
- Human resource security and awareness training
- Asset management and classification
- Access control and authentication
- Cryptographic controls
- Physical and environmental security
- Operations and communications security
- System acquisition, development, and maintenance
- Supplier relationship management
- Incident management and response
- Business continuity management
- Regulatory compliance
GDPR -- EU General Data Protection Regulation#
cloak.business is fully compliant with the General Data Protection Regulation (EU) 2016/679. We act as a data processor under Article 28 and implement all required technical and organizational measures to protect personal data.
Key GDPR commitments:
- Lawful processing with clear legal basis for all data handling
- Data subject rights fully supported (access, rectification, erasure, portability, objection, restriction)
- Data Processing Agreements (DPAs) available for enterprise customers
- Breach notification procedures in place per Articles 33 and 34
- Data Protection Impact Assessment (DPIA) maintained and reviewed regularly
EU Data Residency#
All data processed by cloak.business is handled exclusively within Germany, European Union. Our infrastructure is hosted in an ISO 27001:2022 certified data center in Germany, ensuring:
- Full compliance with EU data residency requirements
- No data transfers outside the European Economic Area (EEA)
- Applicable protections under German federal data protection law (BDSG) in addition to GDPR
Privacy by Design (GDPR Article 25)#
cloak.business implements Privacy by Design and by Default as required by GDPR Article 25:
- No original text stored -- submitted text and images are processed entirely in memory and discarded after the response is returned
- No training on user data -- submitted content is never used to train or improve AI/ML models
- Minimal data collection -- only the information strictly necessary for account management is collected
- Purpose limitation -- data is processed solely for the purpose of PII detection and anonymization
- Client-side encryption -- AES-256-GCM encryption available for any optionally stored data
Regular Audits and Continuous Improvement#
We maintain a cycle of continuous security and compliance improvement:
- Annual ISMS reviews aligned with ISO 27001:2022 requirements
- Risk assessments conducted annually and after significant changes
- Security assessments performed regularly to identify and address vulnerabilities
- Policy reviews to ensure alignment with evolving regulations and best practices
- Incident response drills to validate our preparedness
Available Documentation#
The following compliance documentation is available upon request for enterprise and business customers:
| Document | Description |
|---|---|
| Data Processing Agreement (DPA) | Standard contractual terms for data processing under GDPR Article 28 |
| Information Security Policy | High-level ISMS policy aligned with ISO 27001:2022 |
| Access Control Policy | Controls governing access to systems and data |
| Incident Response Plan | Procedures for identifying, containing, and resolving security incidents |
| Risk Assessment Framework | Methodology for identifying and mitigating information security risks |
| Statement of Applicability (SoA) | ISO 27001 Annex A control implementation status |
| Data Protection Impact Assessment | GDPR Article 35 assessment of processing activities |
| Data Retention Policy | Retention periods and disposal procedures for all data categories |
Learn More#
- GDPR Compliance -- Detailed GDPR compliance information
- Security & Compliance -- Security posture and certifications
- Information Security Policy -- ISMS policy overview
- Access Control Policy -- Access management principles
- Incident Response Plan -- Incident handling procedures
- Risk Assessment Framework -- Risk management methodology
- Statement of Applicability -- ISO 27001 Annex A controls
Document maintained by cloak.business Contact: For compliance inquiries, use the contact form at cloak.business and select "Privacy Inquiries."