Compliance
Last updated: May 2026
1. Our Compliance Approach
Sunnection is committed to maintaining the highest standards of compliance and regulatory adherence. We continuously work to ensure our platform meets or exceeds industry standards and legal requirements.
2. Certifications
SOC 2 Type II
Our platform has undergone independent audit and maintains SOC 2 Type II certification, demonstrating our commitment to security, availability, processing integrity, confidentiality, and privacy.
- Security: Controls protecting against unauthorized access
- Availability: Systems operational and meeting commitments
- Processing Integrity: Data processed accurately and completely
- Confidentiality: Confidential information protected
- Privacy: Personal information handled appropriately
ISO 27001
We are pursuing ISO 27001 certification for our Information Security Management System (ISMS). Expected completion: Q4 2026.
3. Data Protection Compliance
GDPR
We are fully compliant with the General Data Protection Regulation (GDPR). Our compliance includes:
- Lawful basis for all data processing
- Data subject rights implementation
- Data Protection Impact Assessments (DPIA)
- Records of processing activities
- Data Protection Officer appointed
- Cross-border transfer safeguards
CCPA/CPRA
For California residents, we comply with the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including the right to know, delete, and opt-out of sale.
4. Industry Standards
- OWASP: Follows OWASP guidelines for application security
- NIST: Aligns with NIST cybersecurity framework
- Cloud Security: Follows cloud security best practices
- Energy Sector: Adheres to relevant energy industry standards
5. Audit and Assessment
- Annual third-party penetration testing
- Quarterly vulnerability scanning
- Continuous security monitoring
- Regular internal audits
- External audit for SOC 2 annually
6. Third-Party Vendors
We carefully manage our vendor relationships to ensure compliance:
- Vendor security assessments before engagement
- Data Processing Agreements (DPAs) required
- Regular vendor compliance reviews
- Vendor SOC 2 reports required where applicable
7. Incident Notification
In the event of a data breach or security incident affecting personal data:
- Notification to supervisory authority within 72 hours
- Affected individuals notified without undue delay
- Incident documentation and remediation
- Cooperation with regulatory authorities
8. Documentation
Available upon request for customers under NDA:
- SOC 2 Type II Report
- Penetration Test Summary
- Security Whitepaper
- Technical Architecture Documentation
- Data Processing Agreement (DPA)
- Subprocessor List
9. Contact
For compliance-related inquiries or to request documentation:
Email: [email protected]
Data Protection Officer: [email protected]