Frameworks
The platform operates under SOC 2 Type II controls (annually audited). Customer-side compliance with GDPR, CCPA/CPRA, TCPA, and state-level privacy regulations is supported by record-level consent provenance, opt-out propagation, and audit-log export. Healthcare workloads are non-PHI by default; PHI integrations are handled under BAA inside customer infrastructure.
Consent provenance
Every record in the platform carries verifiable consent provenance: source, timestamp, scope, and revocation status. Records without verifiable consent are excluded from outputs. Customer audit access lets you inspect provenance per record at any time.
Hashed-first identity
The identity graph is constructed and operated on hashed identifiers. Raw PII is not stored, not indexed, and not transacted on. This is an architectural property — it cannot be turned off by a customer or accidentally bypassed by a feature flag.
Right to erasure
GDPR Article 17 and CCPA/CPRA equivalents are supported at the entity level. A verified erasure request removes the entity, derived signals, and downstream cached audiences within the contractual SLA window. Erasure events are themselves logged for audit purposes; the log records that the entity existed and was erased, but not what was known about it.
Adversarial signal integrity
Compliance also means defending the data itself. The platform runs continuous adversarial monitoring of incoming signal streams: bot detection, source diversification (no single supplier exceeds a capped share of any signal class), and behavioral panel calibration. A quarterly signal-integrity report is published to enterprise customers.
Signal half-life — production model
Predictive cohort vs. cold list
Citations
- · EU Regulation 2016/679 (GDPR), Articles 17, 22, 25.
- · California Privacy Rights Act (CPRA), Sections 1798.105, 1798.140.
- · Telephone Consumer Protection Act, 47 U.S.C. § 227.
- · AICPA — SOC 2 Trust Services Criteria, 2017.