Compliance

Our posture on privacy, security, data handling, and regulatory obligations.

Last updated: April 2026

Specific compliance commitments — including certifications, audit reports, regulatory approvals, and contractual data processing arrangements — depend on the final production configuration and must be confirmed through executed agreements before being relied upon.

Our compliance philosophy

We believe credible compliance starts with honesty about what is and is not in place. We do not claim certifications we have not earned, framework compliance we have not verified, or contractual arrangements that do not exist. As CAPA Resolve matures, we will document and evidence our compliance position accurately and update this page accordingly.

Our approach is built around three commitments: accuracy about our current position, building systems that are designed to be compliant from the outset rather than retrofitted, and genuine responsiveness to the compliance needs of the people and organisations who use or evaluate CAPA.

Privacy

We take applicable data protection and privacy law seriously and process personal data only for specified, legitimate purposes. Our Privacy Policy describes how personal information is collected, used, and protected. We do not sell personal data or use it for purposes beyond those disclosed.

We support individuals' rights to access, correct, restrict, and delete their personal data. See the Data Requests page for how to exercise these rights.

Security posture

CAPA Resolve's security approach is described in detail on the Security page. In summary: we apply least-privilege access, auditability, encrypted data transmission, and ongoing review. We do not currently hold formal security certifications (such as SOC 2 or ISO 27001) and will update this page when that position changes.

Data handling

We handle data on behalf of users only to the extent necessary to provide the services they request. We maintain clear records of processing activities. Third-party providers who access data on our behalf are engaged under appropriate data handling commitments. See the Subprocessors page for information on our use of third-party providers.

Healthcare and sensitive data

For healthcare-adjacent use cases and questions about HIPAA or Business Associate Agreements, see the dedicated HIPAA page. Arrangements involving the processing of sensitive or regulated data require specific written agreements before proceeding.

Publicly available documents

The following documents govern use of CAPA Resolve's website and services and are publicly available:

Data Processing Agreements (DPAs), Business Associate Agreements (BAAs), and other enterprise compliance arrangements are available on request and subject to review and execution for specific use cases. Contact legal@caparesolve.com to discuss.

Regulatory frameworks

CAPA Resolve takes applicable legal obligations seriously across the jurisdictions in which it operates. As the platform grows, additional regulatory frameworks may apply depending on the locations of users and the nature of services provided. We will update this page and our policies as new obligations are identified and addressed.

If your organisation requires confirmation of compliance with a specific regulatory framework before using CAPA, please contact us before proceeding. Do not assume compliance exists without confirming it with our team.

Contact

For compliance enquiries: legal@caparesolve.com
For privacy matters: privacy@caparesolve.com