Compliance

Last updated: May 2026

1. Our Compliance Approach

Sunnection is committed to maintaining the highest standards of compliance and regulatory adherence. We continuously work to ensure our platform meets or exceeds industry standards and legal requirements.

2. Certifications

SOC 2 Type II

Our platform has undergone independent audit and maintains SOC 2 Type II certification, demonstrating our commitment to security, availability, processing integrity, confidentiality, and privacy.

  • Security: Controls protecting against unauthorized access
  • Availability: Systems operational and meeting commitments
  • Processing Integrity: Data processed accurately and completely
  • Confidentiality: Confidential information protected
  • Privacy: Personal information handled appropriately

ISO 27001

We are pursuing ISO 27001 certification for our Information Security Management System (ISMS). Expected completion: Q4 2026.

3. Data Protection Compliance

GDPR

We are fully compliant with the General Data Protection Regulation (GDPR). Our compliance includes:

  • Lawful basis for all data processing
  • Data subject rights implementation
  • Data Protection Impact Assessments (DPIA)
  • Records of processing activities
  • Data Protection Officer appointed
  • Cross-border transfer safeguards

CCPA/CPRA

For California residents, we comply with the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including the right to know, delete, and opt-out of sale.

4. Industry Standards

  • OWASP: Follows OWASP guidelines for application security
  • NIST: Aligns with NIST cybersecurity framework
  • Cloud Security: Follows cloud security best practices
  • Energy Sector: Adheres to relevant energy industry standards

5. Audit and Assessment

  • Annual third-party penetration testing
  • Quarterly vulnerability scanning
  • Continuous security monitoring
  • Regular internal audits
  • External audit for SOC 2 annually

6. Third-Party Vendors

We carefully manage our vendor relationships to ensure compliance:

  • Vendor security assessments before engagement
  • Data Processing Agreements (DPAs) required
  • Regular vendor compliance reviews
  • Vendor SOC 2 reports required where applicable

7. Incident Notification

In the event of a data breach or security incident affecting personal data:

  • Notification to supervisory authority within 72 hours
  • Affected individuals notified without undue delay
  • Incident documentation and remediation
  • Cooperation with regulatory authorities

8. Documentation

Available upon request for customers under NDA:

  • SOC 2 Type II Report
  • Penetration Test Summary
  • Security Whitepaper
  • Technical Architecture Documentation
  • Data Processing Agreement (DPA)
  • Subprocessor List

9. Contact

For compliance-related inquiries or to request documentation:

Email: [email protected]
Data Protection Officer: [email protected]