GDPR, CCPA, PCI DSS, and SOC 2 built into every module. One data subject request deletes customer data across commerce, PIM, OMS, CMS, and forms in a single action.

Most platforms treat compliance as an add-on. Redefine builds it into the core so every module, from your storefront to your PIM to your order management, operates inside a shared compliance boundary.
When a customer submits a GDPR data subject access or deletion request, one action finds and removes that customer's data across commerce, PIM, OMS, CMS, and forms. No manual coordination. No risk of partial deletion.


Handle access, deletion, and export requests across all platform modules in a single workflow. One request, one action, complete data coverage.

CCPA, PIPEDA, LGPD, and other regional privacy frameworks enforced by jurisdiction. Your platform stays compliant wherever your customers are.

Integrated consent management that respects user preferences across sessions. Consent records are stored, auditable, and exportable on request.
Payment processing built to PCI DSS standards. Card data never touches your servers. Tokenization, vaulting, and secure checkout flows are enforced at the platform level.
Independently audited security, availability, and confidentiality controls. Full SOC 2 Type II report available to enterprise buyers under NDA during evaluation.
Store customer and order data in the region your regulations require. Choose storage location per tenant and receive a data map documenting where each data class lives.
Your data subject requests are handled automatically. GDPR deletion finds and removes customer data across every module in one action. Consent records are stored, timestamped, and exportable. You get a complete data map showing what data lives where before your next audit.
Compliance logic ships with the platform, not as a bolt-on. Data encryption at rest and in transit uses TLS 1.2 or higher. Security Information and Event Management integration is available via event log export. No custom compliance middleware to maintain.
Compliance runs in the background so your team focuses on revenue. Cookie consent banners are managed automatically. PCI DSS means payment security is not your team's problem to solve. Your checkout is compliant before you launch.
One SOC 2 Type II report covers the entire platform. Data residency is configurable per region. Security Information and Event Management integration, IP allowlisting, and user session tracking give your security team the visibility they need without custom middleware.
Your applicable regulations (GDPR, CCPA, PCI DSS) are identified by region and business type during onboarding. Controls are mapped to each requirement automatically.
Platform-level enforcement means controls are not optional. Consent capture, data encryption, and access rules operate whether or not your team remembers to check them.
Data subject access and deletion requests trigger a cross-module workflow. Commerce, PIM, OMS, CMS, and forms are checked and acted on within your required response window.
Every action is logged with a timestamp, user ID, and affected record. Your compliance team can produce a full data trail on demand without involving engineering.


A regional hospital requiring a centralized, secure, and regulation-compliant content management system for clinical and operational web properties.
Security posture strengthened, audit gaps eliminated, and staff able to manage multiple properties through one compliant interface.
When compliance controls are scattered across separate modules with separate audit logs, a single data subject request becomes a multi-team coordination project. Redefine enforces one compliance boundary across every module.

| Capability | Typical platform | Redefine |
|---|---|---|
| General Data Protection Regulation data subject request scope | Commerce module only | Commerce, PIM, OMS, CMS, Forms |
| Compliance audit trail | Per-module, not unified | One audit log across all modules |
| Data residency configuration | Vendor-controlled, not configurable | Per-region, per-tenant configuration |
| SOC 2 certification scope | Partial or SOC 2 Type I only | Full SOC 2 Type II across platform |
| Cookie consent management | Third-party add-on required | Native, auditable, no add-on |
| PCI DSS checkout compliance | Self-certification required by merchant | Platform-level enforcement, no self-assessment questionnaire burden |

Most platforms enforce compliance independently per module. When a data subject request arrives, your team must query commerce, PIM, OMS, CMS, and form databases separately and coordinate deletion manually. Redefine's compliance engine sits above every module so one request triggers one cross-platform action.
Selling across Europe, the United States, and Asia Pacific means different regulations per storefront. Redefine enforces region-specific privacy rules at the platform level so your team does not manage compliance country by country.
Enterprise buyers now require SOC 2 and General Data Protection Regulation documentation as part of vendor evaluation. Redefine produces these during procurement so you don't lose deals to compliance gaps.
Organizations in regulated sectors need compliance documentation, audit-ready data trails, and enforced access controls. Redefine ships these by default, not as custom implementations.
Entering a new market means new data laws. Data residency controls, regional consent banners, and jurisdiction-specific processing rules activate at launch, not months later after a compliance review.
If your current platform cannot produce a data subject deletion across all modules, you carry regulatory risk every day. Migration to Redefine resolves that gap with a compliance-first architecture from day one.
External compliance or security audits require traceable, exportable evidence. Redefine's audit log exports, consent records, and data maps give your team audit-ready documentation without a manual collection project.
Role-based access control and attribute-level permissions that enforce who can see, edit, or export data. Compliance starts with access control.
Single Sign-On, Multi-Factor Authentication, SCIM, and anomaly detection. The identity layer that underpins every compliance control in this module.
Full audit log of every user action and data change, with before and after values. Security Information and Event Management export for integration with your security operations center.
Publishing approval gates, mandatory field enforcement, and separation of duties that keep non-compliant content from going live.
WCAG 2.1 AA storefront and admin compliance, accessibility audit tools, and Americans with Disabilities Act coverage that runs parallel to your privacy controls.
SAML 2.0 and OAuth 2.0 connections to your identity provider. One login, scoped access, no shadow accounts across modules.
One data subject deletion request triggers a cross-platform action that locates and removes the customer's data across commerce, PIM, OMS, CMS, and forms in a single workflow. Your team does not need to coordinate deletion across separate systems. The action is logged, timestamped, and exportable for regulatory proof.
The platform ships with controls for General Data Protection Regulation, California Consumer Privacy Act, PIPEDA, LGPD, PCI DSS, and SOC 2 Type II. Cookie consent, data residency, data subject request management, and access controls are all enforced at the platform level. You receive documentation and configuration for your applicable frameworks during onboarding.
Yes. The full SOC 2 Type II audit report is available to enterprise buyers under a standard NDA during the evaluation process. Your security team can review the controls, evidence, and any exceptions before signing a contract. Request it through your evaluation contact or via the intake form on this page.
Consent management is integrated at the platform level. Consent events are captured, timestamped, and stored against the user identifier. When a data subject requests their consent record, it is exportable as a structured file. Consent preferences are respected across sessions and synchronized with your marketing tools so opt-out signals do not leak into email or retargeting.
Data residency is configurable per tenant and per data class. You can specify that EU customer data stays in EU-WEST regions while US data stays in US-EAST regions. A data map documenting where each class of data lives is provided during onboarding and updated whenever your configuration changes.
Not sure? Tell us your situation and we'll be straight with you.
No commitment. No pitch. Submit your brief and we will review your current platform's compliance gaps and send a scoped proposal within 3 business days.
Your team's time commitment is typically 2 to 3 hours per week for review and sign-off. We handle all compliance mapping, enforcement configuration, and documentation.

Call within 48 hours → proposal in 3 days → Sprint 1 within 1 week of sign-off
We'll review your compliance situation and send a scoped proposal within 3 business days. Expect a call within 48 hours to confirm your requirements.
One platform. One compliance engine. One data subject request that works across every module. No commitment. No pitch.