Compliance
Last Updated: April 27, 2026
Our approach to compliance
We treat compliance as a transparency commitment, not a marketing one. This page tells you exactly where we are with each major framework — including the ones we're still working toward. We never claim certifications we don't hold.
For our security controls, see the Security Policy. For data protection rights and processing detail, see GDPR & Data Protection. For our broader trust posture and subprocessor list, see the Trust Center.
Current status
SOC 2 Type II
Status: In progress · Expected: Q2 2026
We are currently in our SOC 2 Type II observation window with an independent auditor. The Type II report is expected in Q2 2026. Until then, we share our detailed control summary under NDA with qualified Enterprise customers and prospects on request.
GDPR & UK GDPR
Status: Operational
We operate to GDPR and UK GDPR standards globally — we apply the strictest applicable privacy standard to every visitor and end user, regardless of location. A signed Data Processing Agreement is available on request to all customers. See GDPR & Data Protection.
CCPA / CPRA (California)
Status: Operational
California residents have data rights equivalent to those described in our GDPR page (access, deletion, opt-out of sale, non-discrimination). PolarGX does not sell personal information. To exercise rights, email privacy@polargx.com.
ISO/IEC 27001
Status: Planned
We plan to pursue ISO 27001 certification once SOC 2 Type II is complete. We will publish a target date here when we engage an auditor. Many of the underlying controls overlap with SOC 2 and are already in place.
HIPAA
Status: Not currently supported
PolarGX does not currently sign Business Associate Agreements (BAAs) and is not configured for the storage or transmission of Protected Health Information (PHI). Customers in regulated healthcare contexts should not send PHI through PolarGX. If HIPAA support is on your roadmap, contact us — interest informs prioritization.
Anti-spam compliance
Our customers use PolarGX to send messages to their end users. We require all customers to comply with the laws applicable to their sending — CAN-SPAM (US), CASL (Canada), GDPR consent (EU), PECR (UK), Spam Act (Australia), and equivalents. Specifically:
- You must have a lawful basis to contact every recipient.
- Every commercial email must include a working unsubscribe link.
- You must honor unsubscribe requests within the legally required period.
- You may not use PolarGX for purchased-list sending or pretexted recipients.
- SMS sending must comply with TCPA (US) and equivalents — explicit prior consent.
Our Acceptable Use Policy sets these requirements in detail. Material violations are grounds for immediate account suspension.
Subprocessors
A current list of subprocessors used to deliver the Services — including their purpose, data categories, and location — is maintained on our Trust Center. We notify customers in advance of new or replaced subprocessors that handle customer data.
Security questionnaires & documentation
We maintain pre-completed responses to common vendor security questionnaires (CAIQ, SIG Lite, custom enterprise frameworks) and can typically return them within five business days under NDA. To request:
Email: security@polargx.com
Reporting concerns
If you believe a PolarGX customer is using the platform in a way that violates law or our policies — spam, fraud, harassment, or otherwise — please report it to abuse@polargx.com. We investigate every report.