Compliance & security

• TLS 1.2+ for all data in transit; HSTS enforced on dashboards.
• Modern encryption at rest (e.g., AES-256), with key rotation and restricted KMS access.

• Sensitive payment data is tokenized; we avoid storing raw card data.
• Data retention follows contractual and legal requirements, with secure deletion workflows.

• SSO/MFA required for staff. Role-based access control and least privilege.
• Access logs are retained and reviewed; changes require peer review.

We follow PCI DSS best practices and work with audited partners for card processing and tokenization. Attestations and scope details are available under NDA.

Data subject rights supported on request. A Data Processing Addendum (DPA) is available for customers processing personal data.

We align to SOC 2 controls for security, availability, and confidentiality. Formal reporting is available from certain partners.

We maintain a list of critical vendors (e.g., cloud hosting, email delivery, analytics). Subprocessor list available on request with notification of changes.

• 24/7 monitoring and alerting; on-call response rotation.
• Severity-based SLAs with triage, containment, and remediation steps.
• Customer notifications according to legal and contractual obligations.

If you believe you’ve found a security vulnerability, please email security@uniquitysolutions.com with details and steps to reproduce.