Regulatory Compliance

SOC-2, ISO27001, and EU transfers

Rian avatar
Written by Rian
Updated over a week ago

Zeplin maintains a comprehensive set of IT controls to ensure it meets various compliance obligations.

Zeplin aligns with the American Institute of CPAs (AICPA) industry-standard cybersecurity program SOC-2. Attestation for compliance with SOC-2's Trust Services Criteria controls for Security, Availability and Confidentiality (SOC-2 Type II) was most recently renewed for the period ending December 2023, and we are currently in a period of continuing compliance in preparation for our next annual SOC-2 Type II audit.

AICPA rules do not permit public dissemination of SOC-2 reports. Please ping us at to request a copy of our attestation under NDA.

Zeplin uses AWS for all compute and data hosting. Zeplin evaluates all our subprocessors, including AWS, to ensure they hold appropriate compliance certifications such as SOC-2 or ISO27001. AWS detail their compliance online.

Where required, the European Commission's Implementing Decision 2021/914 of 4 June 2021 on Standard Contractual Clauses will govern the the collection, use, and retention of Personal Information transferred from the European Union, UK and Switzerland to the United States.

You can read the Security Whitepaper, which describes our overall approach to Security, and the controls we have in place.

Did this answer your question?