Compliance
Last updated: April 2026
SOC 2 Type II Compliant
Retriev is built with security and compliance at the core. We process payment data through Stripe and maintain industry-standard security practices.
GDPR Compliance
For customers in the European Economic Area, Retriev complies with the General Data Protection Regulation:
- Legal Basis — We process data under contract performance and legitimate interest
- Data Transfer — Standard Contractual Clauses for EU-US data transfer
- Data Subject Rights — Access, rectification, erasure, and portability available upon request
- Data Minimization — We collect only data necessary for service delivery
- Records of Processing — Maintained for all data processing activities
CCPA Compliance
For California residents, Retriev complies with the California Consumer Privacy Act:
- No Sale of Personal Information — We do not sell or share personal information
- Disclosure — You may request disclosure of collected information
- Deletion — You may request deletion of your information
- Opt-Out — We do not use personal information for cross-context behavioral advertising
SOC 2 Type II
Retriev undergoes annual SOC 2 Type II audits covering:
Security Controls
- Access control and authentication
- Encryption in transit and at rest
- Network security and monitoring
- Vulnerability management
- Incident response procedures
Data Residency
Customer data is processed and stored in:
- Primary — United States (Cloudflare infrastructure)
- Payment Data — Stripe (processed in the US, stored globally per regulatory requirements)
For customers requiring EU data residency, contact us for enterprise options.
Security Practices
Infrastructure Security
- Hosting — Cloudflare with automatic DDoS protection
- Encryption — TLS 1.3 in transit, AES-256 at rest
- Authentication — Multi-factor authentication available
- Monitoring — Real-time security monitoring and alerting
Application Security
- Payment Processing — Stripe handles all payment card data
- No Card Storage — We do not store full card numbers or CVV codes
- Session Security — Secure, encrypted session tokens
- Regular Audits — Third-party security assessments
Subprocessor List
We use the following subprocessors to deliver our service:
- Stripe — Payment processing (US)
- Cloudflare — Application hosting and CDN (US)
Data Retention
- Active Accounts — Data retained for service duration
- Deleted Accounts — Data deleted within 30 days
- Payment Records — Retained 7 years per regulatory requirements
- Analytics — Aggregated data retained for service improvement
Contact
For compliance questions or to request a copy of our SOC 2 report:
Email: [email protected]