Compliance

Enterprise Content

This section contains enterprise compliance information. Contact sales@watchlight.ai for compliance documentation and certifications.

Overview

Watchlight AI is committed to maintaining the highest standards of security and compliance. This document outlines our compliance certifications and data protection practices.

Certifications

SOC 2 Type II

Watchlight maintains SOC 2 Type II certification covering:

Security: Protection against unauthorized access
Availability: System availability for operation
Processing Integrity: Complete, valid, and timely processing
Confidentiality: Protection of confidential information

Audit Period: Annual Report Availability: Available under NDA

ISO 27001

Information Security Management System certification:

Risk management framework
Security controls implementation
Continuous improvement process
Regular internal and external audits

General Data Protection Regulation compliance:

Data Processing Agreements (DPA) available
EU data residency options
Right to erasure support
Data portability features
Privacy by design architecture

HIPAA

Health Insurance Portability and Accountability Act (Enterprise tier):

Business Associate Agreements (BAA) available
PHI handling procedures
Access controls and audit logging
Encryption requirements met

PCI DSS

Payment Card Industry Data Security Standard (where applicable):

Network security controls
Access control measures
Monitoring and testing
Information security policy

Data Protection

Encryption

Data State	Method
At Rest	AES-256
In Transit	TLS 1.3
Backups	AES-256 with separate keys

Data Residency

Available deployment regions:

US: US-East, US-West
EU: EU-West (Frankfurt), EU-North (Stockholm)
APAC: Asia-Pacific (Singapore, Sydney)

Data stays within the selected region unless explicitly configured otherwise.

Data Retention

Data Type	Default Retention	Configurable
Authorization logs	90 days	Yes
Audit logs	1 year	Yes
Policies	Indefinite	Yes
Metrics	30 days	Yes

Data Deletion

Self-service data export
Account deletion within 30 days
Backup purge within 90 days
Certificate of destruction available

Access Controls

Authentication

Multi-factor authentication (MFA) required
SSO integration (SAML 2.0, OIDC)
API key rotation policies
Session management

Authorization

Role-based access control (RBAC)
Principle of least privilege
Segregation of duties
Regular access reviews

Audit Logging

All actions are logged:

Authentication events
Authorization decisions
Policy changes
Administrative actions

Logs include:

Timestamp
User/principal identity
Action performed
Resource affected
Result (success/failure)
IP address and user agent

Infrastructure Security

Network Security

Virtual Private Cloud (VPC) isolation
Network segmentation
Web Application Firewall (WAF)
DDoS protection
Intrusion detection systems

Host Security

Hardened base images
Regular patching (< 24 hours for critical)
Endpoint detection and response
Container security scanning

Application Security

Secure development lifecycle (SDLC)
Static application security testing (SAST)
Dynamic application security testing (DAST)
Dependency vulnerability scanning
Regular penetration testing

Incident Response

Response Process

Detection: Automated monitoring and alerting
Triage: Severity assessment within 15 minutes
Containment: Immediate threat mitigation
Eradication: Root cause removal
Recovery: Service restoration
Post-Incident: Review and improvement

Notification

Severity	Customer Notification
Critical	Within 1 hour
High	Within 4 hours
Medium	Within 24 hours
Low	Monthly summary

Post-Incident Reports

Available for Critical and High severity incidents:

Timeline of events
Root cause analysis
Remediation actions
Prevention measures

Vendor Management

Third-Party Risk

Vendor security assessments
Contractual security requirements
Regular vendor reviews
Sub-processor list maintained

Current Sub-Processors

Vendor	Purpose	Location
AWS	Cloud infrastructure	US, EU
Cloudflare	CDN, DDoS protection	Global
Datadog	Monitoring	US

Full sub-processor list available upon request.

Compliance Documentation

Available Documents

Document	Availability
SOC 2 Report	Under NDA
ISO 27001 Certificate	Public
Security Whitepaper	Public
Data Processing Agreement	Enterprise
Business Associate Agreement	Enterprise
Penetration Test Summary	Under NDA

Requesting Documents

Contact compliance@watchlight.ai with:

Company name
Contact information
Documents requested
Purpose/use case

Security Contact

Reporting Vulnerabilities

Responsible disclosure program:

Email: security@watchlight.ai
PGP key available on website
Response within 24 hours
Recognition for valid reports

Compliance Questions

Email: compliance@watchlight.ai
Response within 48 hours

Continuous Compliance

Watchlight maintains continuous compliance through:

Automated compliance monitoring
Regular internal audits
Annual third-party audits
Continuous employee training
Policy reviews and updates

Next Steps

Deployment Guide - Secure deployment
SLA - Service commitments
Contact sales@watchlight.ai for enterprise licensing

Overview​

Certifications​

SOC 2 Type II​

ISO 27001​

GDPR​

HIPAA​

PCI DSS​

Data Protection​

Encryption​

Data Residency​

Data Retention​

Data Deletion​

Access Controls​

Authentication​

Authorization​

Audit Logging​

Infrastructure Security​

Network Security​

Host Security​

Application Security​

Incident Response​

Response Process​

Notification​

Post-Incident Reports​

Vendor Management​

Third-Party Risk​

Current Sub-Processors​

Compliance Documentation​

Available Documents​

Requesting Documents​

Security Contact​

Reporting Vulnerabilities​

Compliance Questions​

Continuous Compliance​

Next Steps​