Privacy Regulations
How we comply with data protection laws
California Residents
- ✓Right to Know: Request information about data collection
- ✓Right to Delete: Request deletion of personal data
- ✓Right to Opt-Out: We do not sell personal information
- ✓Non-Discrimination: No service degradation for exercising rights
EEA/UK Residents
- ✓Lawful Basis: Contract performance or legitimate interest
- ✓Data Subject Rights: Access, rectification, erasure, portability
- ✓DPO Available: dpo@obituarymonitor.com
- ✓SCCs: Standard Contractual Clauses for international transfers
Security Practices
How we protect your data
Important Note
ObituaryMonitor has not undergone a SOC 2 audit. The security certifications listed in the Infrastructure Partners section below are held by our vendors, not by ObituaryMonitor directly. We implement security controls aligned with industry best practices.
Encryption at Rest
AES-256 encryption for all stored data
Encryption in Transit
TLS 1.3 for all connections
Password Security
bcrypt hashing with high work factor
Access Control
Role-based permissions (RBAC)
Audit Logging
Comprehensive activity tracking
Session Security
HTTP-only cookies, auto-timeout
Infrastructure Partners
Third-party certifications (held by vendors)
| Vendor | Service | Certification | Notes |
|---|---|---|---|
| Netlify | Application Hosting | SOC 2 Type II | Edge hosting with automatic DDoS protection |
| Neon | Database | SOC 2 Type II | PostgreSQL with encryption at rest |
| Stripe | Payment Processing | PCI DSS Level 1 | We never store credit card data |
| Twilio | SMS Notifications | SOC 2 Type II | Secure message delivery |
| Postmark | Email Delivery | SOC 2 Type II | DKIM/SPF authenticated email |
* These certifications are held by the respective vendors, not by ObituaryMonitor.
Data Retention
How long we keep your data
| Data Type | Retention Period |
|---|---|
| Account Data | Active account + 30 days after deletion |
| Watch List Data | Active + 1 year archived |
| Match History | Subscription + 2 years |
| Audit Logs | 7 years (legal compliance) |
| Payment Records | 7 years (financial regulations) |
| Security Logs | 90 days |
Available Documentation
Request compliance documents for your review
Data Processing Agreement (DPA)
Standard contractual clauses for data processing. Required for GDPR compliance.
Request Document →Business Associate Agreement (BAA)
For HIPAA-covered entities handling protected health information.
Request Document →Security Whitepaper
Comprehensive overview of our security architecture and practices.
Download PDF →Subprocessor List
Complete list of third-party vendors who process customer data.
Request Document →Security Questionnaire
We can complete CAIQ, SIG, or custom security questionnaires.
Request Document →Need Compliance Documentation?
Our team is ready to help with DPAs, BAAs, security questionnaires, and any other compliance documentation your organization requires.