Trust & Compliance
Sightline helps you prove your compliance — so we hold ourselves to the same standard, and we run Sightline on Sightline. Here is exactly how we protect your data, and where we stand against every framework we help you assess. We label status honestly and never claim a certification we don't hold.
How we protect your data
NIST CSF 2.0
Requires: Govern, identify, protect, detect, respond, and recover across our own systems.
Our status: Our internal program is structured on CSF 2.0, the same spine we assess you against.

GDPR
Requires: Lawful processing, data-subject rights, security of processing (Art. 32), and 72-hour breach notification.
Our status: Data minimization, encryption, access controls, export/erasure, and a breach process are in place. A DPA is available.

HIPAA
Requires: Administrative, physical, and technical safeguards for ePHI; Business Associate Agreements (BAAs).
Our status: Encryption, access control, audit controls, and a BAA are available for healthcare customers.

SOC 2
Requires: Independent attestation of trust-services controls.
Our status: We run continuous self-assessment today; an external SOC 2 Type II audit is on the roadmap.

ISO/IEC 27001
Requires: A certified Information Security Management System (ISMS).
Our status: Our ISMS follows ISO/IEC 27001; accredited certification is on the roadmap.

FERPA
Requires: Protection of student education records; reasonable safeguards; limits on disclosure.
Our status: For education customers, data is minimized, encrypted, access-controlled, and never used beyond providing the service.

PCI DSS
Requires: Protection of cardholder data.
Our status: Sightline never stores cardholder data. Payments run through a PCI DSS-certified processor, so card numbers never reach our systems.

CMMC
Requires: Protection of FCI/CUI for defense work.
Our status: Relevant only for defense customers; we do not claim CMMC certification today.

Cyber Essentials (UK)
Requires: Firewalls, secure configuration, patching, access control, and malware protection.
Our status: These five controls are in place across our systems.

Essential Eight (ACSC)
Requires: Eight mitigation strategies, including MFA, patching, backups, and least privilege.
Our status: MFA, patching, least-privilege administration, and regular backups are enforced.

NIS2
Requires: Cybersecurity risk management and incident reporting for in-scope entities.
Our status: Risk management, supply-chain due diligence, and incident handling are in place.

DPDP Act (India)
Requires: Lawful processing of digital personal data; security safeguards; breach notification.
Our status: Consent and notice handling, security safeguards, and a breach process are in place for data principals in India.

PDPA (Malaysia)
Requires: Seven personal-data principles, including security and retention.
Our status: The security, retention, and access principles are implemented for Malaysian data.
How to vet us
We back every status above with evidence. To vet Sightline, request or download:
Read the Data Protection Policy
Request the trust pack
Sightline is hosted on Cloudflare. Data is encrypted, the hosting region is configurable, and data residency options are available for international customers. Questions? Get in touch.
This statement reflects our posture as of 2026-06-07 and is updated as our program matures. It describes alignment and, where stated, self-attestation; externally audited certifications are labeled "on roadmap" until earned. It is provided for transparency and is not a warranty.
Request our DPA, security whitepaper, or latest self-assessment — generated by Sightline, of Sightline.