Optivra

Back to Home

Compliance Certifications

Last Updated: January 2025

1. Overview

Optivra is committed to maintaining the highest standards of data protection, privacy, and security. This page provides detailed information about our compliance with international regulations and certification programs.

Our compliance framework ensures that we meet or exceed industry standards and regulatory requirements across all jurisdictions where we operate.

2. GDPR Compliance

2.1 General Data Protection Regulation (EU)

Status: Compliant

Optivra is fully compliant with the European Union's General Data Protection Regulation (GDPR), which came into effect on May 25, 2018.

2.2 Key GDPR Principles

Our platform and operations adhere to all GDPR principles:

  • Lawfulness, Fairness, and Transparency: All data processing is conducted lawfully with clear communication
  • Purpose Limitation: Data is collected only for specified, explicit, and legitimate purposes
  • Data Minimization: We collect only what is necessary; our platform does NOT collect personal data
  • Accuracy: Processes ensure data accuracy and enable corrections
  • Storage Limitation: Data retention policies with automatic deletion
  • Integrity and Confidentiality: Robust security measures protect all data
  • Accountability: Comprehensive documentation and compliance monitoring

2.3 Data Subject Rights

We provide mechanisms to exercise all GDPR rights:

  • Right to access
  • Right to rectification
  • Right to erasure ("right to be forgotten")
  • Right to restrict processing
  • Right to data portability
  • Right to object
  • Rights related to automated decision-making

2.4 GDPR Compliance Measures

  • Data Protection Officer (DPO) appointed
  • Data Protection Impact Assessments (DPIA) conducted
  • Privacy by Design and by Default
  • Standard Contractual Clauses (SCCs) for data transfers
  • Records of Processing Activities (ROPA)
  • Breach notification procedures (24-hour commitment)

3. UK Data Protection

3.1 UK GDPR and DPA 2018

Status: Compliant

Following Brexit, we comply with the UK GDPR and Data Protection Act 2018, which largely mirror EU GDPR requirements with UK-specific adaptations.

3.2 ICO Registration

  • Registered with the UK Information Commissioner's Office (ICO)
  • Registration Number: [To be assigned]
  • Annual renewal and compliance reporting

4. Saudi Personal Data Protection Law (PDPL)

4.1 PDPL Compliance

Status: Compliant

The Saudi Personal Data Protection Law (PDPL) came into force in 2022. Optivra complies with all PDPL requirements for organizations processing personal data in Saudi Arabia.

4.2 Key PDPL Requirements

  • Lawful basis for processing personal data
  • Consent mechanisms for data collection
  • Data subject rights (access, correction, deletion)
  • Cross-border data transfer controls
  • Incident notification within 72 hours
  • Data Protection Officer designation
  • Privacy impact assessments

4.3 Saudi Arabia Operations

  • Local data residency options available
  • Arabic language support for privacy notices
  • Compliance with National Cybersecurity Authority (NCA) guidelines
  • Registered with Saudi Data and AI Authority (SDAIA)

5. ISO 27001 Certification

5.1 Information Security Management

Status: In Progress (Certification expected Q2 2025)

ISO/IEC 27001 is the international standard for information security management systems (ISMS). We are in the process of obtaining formal certification.

5.2 ISO 27001 Implementation

  • Information Security Management System (ISMS) established
  • Risk assessment and treatment processes
  • Security policies and procedures documented
  • Regular internal audits and reviews
  • Management commitment and oversight
  • Continuous improvement program

5.3 ISO 27001 Controls

We implement controls across all 14 domains:

  • Information security policies
  • Organization of information security
  • Human resource security
  • Asset management
  • Access control
  • Cryptography
  • Physical and environmental security
  • Operations security
  • Communications security
  • System acquisition, development, and maintenance
  • Supplier relationships
  • Information security incident management
  • Business continuity management
  • Compliance

6. SOC 2 Type II Certification

6.1 Service Organization Control

Status: In Progress (Audit expected Q2 2025)

SOC 2 Type II is a widely recognized auditing standard for service organizations. It evaluates our controls over an extended period (typically 6-12 months).

6.2 Trust Services Criteria

Our SOC 2 Type II audit covers:

  • Security: Protection against unauthorized access
  • Availability: System accessibility as agreed
  • Processing Integrity: Complete, accurate, and authorized processing
  • Confidentiality: Confidential information protection
  • Privacy: Personal information protection and management

6.3 Audit Process

  • Independent third-party auditor engaged
  • Readiness assessment completed
  • Control testing over 6-month observation period
  • Annual re-certification process
  • SOC 2 reports available to customers under NDA

7. Additional Compliance Frameworks

7.1 NIST Cybersecurity Framework

We align our security practices with the NIST Cybersecurity Framework:

  • Identify: Asset and risk management
  • Protect: Access control and data security
  • Detect: Monitoring and anomaly detection
  • Respond: Incident response and recovery
  • Recover: Business continuity and disaster recovery

7.2 PCI DSS Readiness

While we do not process payment card data directly, our infrastructure is aligned with PCI DSS principles for any future payment processing requirements.

7.3 OWASP Compliance

Our application security practices address the OWASP Top 10 security risks:

  • Injection prevention
  • Broken authentication protection
  • Sensitive data exposure mitigation
  • XML external entities (XXE) prevention
  • Access control enforcement
  • Security misconfiguration prevention
  • Cross-site scripting (XSS) protection
  • Insecure deserialization prevention
  • Vulnerable component management
  • Logging and monitoring implementation

8. Industry-Specific Compliance

8.1 Retail Industry Standards

We understand the unique compliance requirements of the retail sector:

  • No PII collection aligns with retail privacy concerns
  • CCTV alternative that maintains customer privacy
  • Compliance with retail-specific data protection guidelines
  • Support for retailer privacy policies and notices

8.2 Wi-Fi Sensing Regulations

Our technology complies with regulations governing wireless sensing:

  • FCC compliance for wireless devices (US)
  • CE marking for European markets
  • CITC compliance for Saudi Arabia
  • Ofcom regulations for UK

9. Third-Party Assessments

9.1 Security Audits

  • Annual independent security audits
  • Quarterly vulnerability assessments
  • Bi-annual penetration testing
  • Code security reviews by external experts

9.2 Audit Firms

We work with reputable audit firms including:

  • Big 4 accounting firms for compliance audits
  • Certified ethical hackers for penetration testing
  • Specialized security consultancies

10. Continuous Compliance Monitoring

10.1 Compliance Management

  • Dedicated compliance team and steering committee
  • Continuous control monitoring and testing
  • Automated compliance tracking systems
  • Regular compliance training for all staff
  • Compliance dashboards and reporting

10.2 Regulatory Monitoring

  • Tracking of regulatory changes and updates
  • Legal counsel for compliance interpretation
  • Participation in industry working groups
  • Regular gap analysis and remediation

11. Certification Timeline

CertificationStatusTimeline
GDPR✅ CompliantActive
UK GDPR / DPA 2018✅ CompliantActive
PDPL (Saudi Arabia)✅ CompliantActive
ISO 27001🔄 In ProgressQ2 2025
SOC 2 Type II🔄 In ProgressQ2 2025

12. Customer Support for Compliance

We support customers with their compliance needs:

  • Compliance documentation and questionnaires
  • Data Processing Agreements (DPAs)
  • Standard Contractual Clauses (SCCs)
  • Security attestations and certificates
  • Audit support and evidence provision
  • Custom compliance reporting

13. Requesting Compliance Documentation

Customers and prospects can request compliance documentation:

  • SOC 2 Reports: Available under NDA to qualified parties
  • ISO 27001 Certificate: Public once obtained
  • Security Questionnaires: Completed upon request
  • DPA Execution: Provided as part of onboarding
  • Privacy Documentation: Publicly available on website

Contact: compliance@optivra.io

14. Commitment to Compliance

Compliance is not a one-time achievement but an ongoing commitment. We:

  • Continuously monitor regulatory changes
  • Invest in compliance infrastructure and training
  • Maintain transparent communication with stakeholders
  • Pursue additional certifications as we grow
  • Collaborate with regulators and industry bodies
  • Hold ourselves to the highest standards

15. Contact Compliance Team

For compliance-related inquiries:

  • Compliance Team: compliance@optivra.io
  • Data Protection Officer: dpo@optivra.io
  • General Inquiries: info@optivra.io

Questions?

If you have any questions about this document, please contact us at info@optivra.io