Compliance
This page describes how Percus addresses regulatory requirements relevant to its clients and the current status of each compliance initiative.
Regulatory applicability
GDPR (European Union)
An applicability analysis and gap assessment are in progress with external legal counsel. Percus's client base is primarily in Latin America, but GDPR may still apply where EU data subjects are involved. This section will be updated once the assessment is complete.
Ley 19.628 (Chile)
Chile's personal data protection law (Ley 19.628) is under review for applicability to Percus's operations and client contracts. The amended framework is also being tracked. This section will be updated once legal analysis is complete.
LGPD (Brazil)
Applicability to Brazilian clients and data subjects is under review. This section will be updated once the assessment is complete.
SOC 2
A SOC 2 Type II report (an auditor's attestation over a review period, not a certification) is on the Percus roadmap. Scope definition and a readiness assessment are under way. This section will be updated as the process advances.
Architecture decisions that support compliance
Regardless of the specific regulatory framework, several architectural decisions already align with common compliance requirements:
| Principle | How Percus addresses it |
|---|---|
| Data minimization | Percus does not store end-customer PII. Personalization data is processed client-side and never transmitted to Percus servers. |
| Access control | Role-based access with organization-level isolation. Users can only access data belonging to their organization. |
| Encryption | Data encrypted in transit (TLS 1.2+) and at rest (AES-256) across all storage layers. |
| Audit trail | All privileged actions are logged with user identity and timestamp. |
| Secrets management | No credentials are hardcoded; all secrets are stored in AWS Secrets Manager and retrieved at runtime. |
| Consent management | A consent management layer that gates tracking behind explicit user consent is planned for the SmartEmbed SDK (see SDK documentation). |
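The access-control and audit-trail rows above state the outcome but not the pattern behind it. The following is an added illustration, not Percus's own code: the tenant filter is taken from the authenticated principal rather than from a caller-supplied organization id, cross-organization lookups behave exactly like missing records, and privileged actions (here, delete) are written to an audit log with user identity and timestamp. All names (`Principal`, `Record`, `AuditLog`, the sample records) are assumptions made for the example.

```python
"""Illustrative organization-scoped access plus audit logging.
Added example; not Percus's code. All names and data are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone


class PermissionDenied(Exception):
    """Raised when the principal lacks the role a privileged action needs."""


@dataclass(frozen=True)
class Principal:
    """Authenticated caller. org_id comes from the session, never the request."""
    user_id: str
    org_id: str
    roles: frozenset  # e.g. frozenset({"admin"})


@dataclass
class Record:
    id: str
    org_id: str
    payload: dict


@dataclass
class AuditLog:
    """Append-only list of privileged actions with identity and timestamp."""
    entries: list = field(default_factory=list)

    def record(self, principal: Principal, action: str, target: str) -> None:
        self.entries.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user_id": principal.user_id,
            "org_id": principal.org_id,
            "action": action,
            "target": target,
        })


def sample_records() -> list:
    """Constructed sample data: two organizations sharing one table."""
    return [
        Record("r1", "org-a", {"name": "campaign-1"}),
        Record("r2", "org-a", {"name": "campaign-2"}),
        Record("r3", "org-b", {"name": "campaign-9"}),
    ]


def list_records(principal: Principal, records: list) -> list:
    """The tenant filter is derived from the principal, so a caller cannot
    widen scope by passing a different org_id."""
    return [r for r in records if r.org_id == principal.org_id]


def get_record(principal: Principal, record_id: str, records: list):
    """Match on id AND org together: another organization's record is
    indistinguishable from a missing one, so ids do not leak existence."""
    for r in records:
        if r.id == record_id and r.org_id == principal.org_id:
            return r
    return None


def delete_record(principal: Principal, record_id: str,
                  records: list, audit: AuditLog) -> bool:
    """Privileged action: needs the admin role, stays org-scoped, and every
    outcome that matters for the audit trail is logged."""
    if "admin" not in principal.roles:
        audit.record(principal, "delete.denied", record_id)
        raise PermissionDenied(f"{principal.user_id} may not delete records")
    rec = get_record(principal, record_id, records)
    if rec is None:
        return False  # not found or belongs to another organization
    records.remove(rec)
    audit.record(principal, "delete", record_id)
    return True


if __name__ == "__main__":
    recs = sample_records()
    log = AuditLog()
    alice = Principal("alice", "org-a", frozenset({"admin"}))
    print([r.id for r in list_records(alice, recs)])   # only org-a records
    print(delete_record(alice, "r3", recs, log))        # False: other org
    print(delete_record(alice, "r1", recs, log))        # True, audited
    print(log.entries)
```

The point a reviewer checks for in real code is the same as in this toy: the `org_id` used for filtering must be bound to the authenticated session server-side, and the audit entry must be written in the same code path that performs the action, so a denied or cross-tenant attempt cannot succeed silently.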