Compliance

Effective Date: March 2026
Last Updated: March 29, 2026
Version: 1.0

Overview

How CAIRL is designed to meet regulatory requirements across jurisdictions

Our Approach

CAIRL is built as identity infrastructure, not a data aggregator. Our architecture is designed around data minimization, strong encryption, and clear separation between identity verification and partner platforms.

We do not expose raw personal data to partners. Instead, we return verified claims (e.g., "age_verified: true"), so the partner receives only the answer it needs and never holds the underlying document, date of birth, or biometric data. This reduces the partner's downstream data handling obligations.
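
The following is an added illustration of the verified-claims model, not CAIRL's own code or API. It assumes a hypothetical issuer that holds raw verification results, derives a minimal claim set for one partner, signs it with HMAC-SHA256 over canonical JSON (a production system would more likely use an asymmetric signature such as JWS so partners can verify without the issuer's secret), and uses a partner-scoped pairwise subject so the same user cannot be correlated across unrelated partners. The field names, the key, and the sample record are constructed for the example.

```python
"""Added example: deriving minimal, signed verified claims from raw verification data.

Not CAIRL's code. Field names, key material and the sample record are assumptions
constructed for illustration.
"""
import hashlib
import hmac
import json
from datetime import date

# Hypothetical issuer secret. In a real deployment this lives in a KMS/HSM and
# the partner would verify an asymmetric signature instead.
ISSUER_KEY = b"example-issuer-key-not-for-production"

# Constructed sample of what the issuer holds internally after a verification.
RAW_VERIFICATION = {
    "full_name": "Jane Q. Example",
    "date_of_birth": "1990-05-14",
    "document_number": "X1234567",
    "document_type": "drivers_license",
    "liveness_passed": True,
}

# Raw identity fields that must never appear in a partner-facing payload.
RAW_FIELDS = ("full_name", "date_of_birth", "document_number", "document_type")


def _canonical(obj: dict) -> bytes:
    """Deterministic JSON so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def age_on(dob: date, today: date) -> int:
    """Whole years between dob and today, correcting for the birthday not yet reached."""
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1
    return years


def pairwise_subject(raw: dict, partner_id: str) -> str:
    """Partner-scoped stable identifier: the same person gets a different 'sub'
    at each partner, so partners cannot join their records on it."""
    material = f"{partner_id}|{raw['document_number']}".encode()
    return hmac.new(ISSUER_KEY, material, hashlib.sha256).hexdigest()[:32]


def issue_claims(raw: dict, partner_id: str, min_age: int, today: date) -> dict:
    """Return a signed claim set containing only the verified answer, not the inputs."""
    dob = date.fromisoformat(raw["date_of_birth"])
    claims = {
        "sub": pairwise_subject(raw, partner_id),
        "aud": partner_id,
        "min_age": min_age,
        "age_verified": bool(raw["liveness_passed"]) and age_on(dob, today) >= min_age,
        "issued_at": today.isoformat(),
    }
    sig = hmac.new(ISSUER_KEY, _canonical(claims), hashlib.sha256).hexdigest()
    return {"claims": claims, "sig": sig}


def verify_claims(token: dict, partner_id: str, key: bytes = ISSUER_KEY) -> bool:
    """Partner-side check: signature intact and the token was issued for this partner."""
    expected = hmac.new(key, _canonical(token["claims"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        return False
    return token["claims"].get("aud") == partner_id


def leaks_raw_data(token: dict, raw: dict) -> bool:
    """True if any raw identity field name or value appears in the partner payload."""
    serialized = _canonical(token).decode()
    names_present = any(k in token["claims"] for k in RAW_FIELDS)
    values_present = any(str(raw[k]) in serialized for k in RAW_FIELDS)
    return names_present or values_present


if __name__ == "__main__":
    today = date(2026, 3, 29)
    tok = issue_claims(RAW_VERIFICATION, "partner-a", 18, today)
    print(json.dumps(tok, indent=2))
    print("valid:", verify_claims(tok, "partner-a"))
    print("leaks raw data:", leaks_raw_data(tok, RAW_VERIFICATION))
```

The partner learns `age_verified`, the threshold it asked for, and an opaque subject; it learns nothing it could use to reconstruct the date of birth or document. Note that "age_verified" carries the liveness result as well, so a failed liveness check yields a false claim rather than a separate field that would reveal more about the session.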

Security and Controls

  • Encryption in transit and at rest — All data is encrypted using industry-standard protocols (TLS 1.3 in transit, AES-256 at rest)
  • Access controls — Strict role-based access and least-privilege policies across systems
  • Audit logging — All verification events and sensitive actions are logged and auditable
  • Infrastructure — Built on AWS services designed for high-security workloads

SOC 2

Status: In progress

CAIRL is preparing for SOC 2 Type I evaluation. Our controls are designed to align with the Trust Services Criteria, including access control, system monitoring, data protection, and incident response.

This page will be updated as formal audits are completed.

GDPR (European Union)

CAIRL is designed to support GDPR principles:

  • Data minimization — Partners receive verified claims, not raw personal data
  • Purpose limitation — Data is used only for identity verification and related security functions
  • User rights — Users may request access, correction, deletion, and portability of their data
  • Processor model — CAIRL operates as a data processor for partner verification flows

CCPA (California)

  • No sale of personal information
  • Support for access and deletion requests
  • Clear disclosure of data collection and usage practices

HIPAA (United States)

CAIRL uses AWS services that are eligible for HIPAA workloads and is designed to operate within environments covered by a Business Associate Agreement (BAA). The relevant controls are encrypted document storage, access controls and audit logging, and a segregated storage architecture.

CAIRL does not represent itself as HIPAA certified. Responsibility for HIPAA compliance depends on the specific implementation by each business user.

Biometric Privacy Laws (U.S.)

CAIRL's biometric practices are designed to align with applicable U.S. biometric privacy laws, including Illinois BIPA, Texas CUBI, and Washington's biometric privacy law.

Biometric data is not used to track users' behavior across unrelated services.

See the Biometric Data Policy for full details on collection, use, and retention.

Age Verification Regulations

CAIRL is designed to support platforms that are subject to age and identity verification requirements, including emerging frameworks such as U.S. state-level age verification laws, the UK Online Safety Act, and similar regulations in other jurisdictions.

Because regulatory requirements vary by jurisdiction and evolve over time, businesses are responsible for determining how to apply CAIRL within their own compliance programs.

No Premature Claims

CAIRL does not claim certifications or approvals that have not yet been formally obtained. This page reflects current design posture and will be updated as audits and certifications are completed.

Contact