Compliance

Compliant by architecture.
Not by retrofit.

Every major privacy regulation converges on the same requirement: explicit, revocable, per-purpose consent with strong data security. Avallis was built to that standard. This page explains how each framework maps to the platform — for consumers and for businesses that integrate Avallis.

GDPR

Compliant

General Data Protection Regulation

European Union / EEA

The GDPR requires that personal data be processed lawfully, transparently, and only for specified purposes. Consent must be freely given, specific, informed, and revocable at any time. Organizations must demonstrate compliance and maintain records of processing activities.

For consumers — what Avallis means for you

Right to access

Your vault dashboard shows every field stored, every business that has accessed it, and every approval ever granted — permanently logged and user-visible.

Right to erasure

Permanent vault deletion removes all encrypted records from Avallis infrastructure. A cryptographic deletion certificate is issued on request. The blockchain hash remains as proof the data once existed, but contains no personal data.

Consent freely given and revocable

Every data request requires explicit, per-purpose approval. Revocation is one tap and takes effect immediately — the business receives a webhook notification and their consent token is invalidated.

Data minimization

Businesses receive only the specific fields you approve for the duration you set. No bulk data transfers, no indefinite retention.

Consent records

Every approval is timestamped and anchored on a public blockchain — an immutable, independently verifiable proof of consent that satisfies GDPR Article 7(1) recordkeeping requirements.

For businesses — what Avallis does for your compliance

Lawful basis for processing

Avallis provides a structured consent mechanism that satisfies GDPR Article 6(1)(a). The blockchain-anchored timestamp is your proof of lawful basis.

Purpose limitation

Data requests are purpose-specific. The consumer approves for a named use case. Your system receives only what was consented to — no scope creep is architecturally possible.

Data processor obligations

Avallis acts as a data processor on your behalf. We provide a Data Processing Agreement (DPA) and do not sub-process personal data for our own purposes.

Breach notification

Because Avallis stores only ciphertext, a breach of our infrastructure exposes no plaintext personal data. Your GDPR breach notification obligations are structurally reduced.

CCPA / CPRA

Compliant

California Consumer Privacy Act / California Privacy Rights Act

California, USA

The CCPA (amended by CPRA) gives California consumers the right to know what personal information is collected, to delete it, to opt out of its sale or sharing, and to correct inaccurate information. The CPRA added a right to limit use of sensitive personal information.

For consumers — what Avallis means for you

Right to know

Your vault shows exactly what data is stored and who has accessed it. No opaque data handling — the audit trail is yours to inspect at any time.

Right to delete

Vault deletion is permanent and complete. Avallis has no backup copies of your plaintext data that could survive a deletion request.

Right to opt out of sale

Avallis has no mechanism to sell personal data. The architecture makes this impossible — we hold only ciphertext we cannot read.

Right to limit sensitive personal information

CPRA's sensitive data category (SSN, financial account numbers, health data) maps exactly to Avallis vault categories. You control which categories are active and who can request them.

Right to correct

You can update any vault field at any time. Each update re-encrypts and re-anchors a new blockchain fingerprint.

For businesses — what Avallis does for your compliance

Service provider vs. third party

Avallis qualifies as a service provider under CCPA — we process personal data solely to provide the Avallis service and do not retain, use, or disclose it for other purposes.

No sale or sharing of consumer data

The consent mechanism prevents data from being shared with parties the consumer has not approved. Your system cannot receive data outside the approved scope.

Consumer request handling

When a consumer deletes their vault, all data shared with your business via Avallis is covered. Your CCPA deletion obligation is satisfied upstream.

Sensitive data protections

Any access to sensitive vault categories (health, financial, government ID) requires an explicit, separate consent approval — matching CPRA's heightened protection requirements.

CPRA

Compliant

California Privacy Rights Act

California, USA

CPRA significantly amended CCPA, adding a new category of sensitive personal information requiring heightened protections, expanding opt-out rights to include data sharing (not just sale), and establishing the California Privacy Protection Agency (CPPA) as an independent enforcement body.

For consumers — what Avallis means for you

Sensitive personal information limits

Sensitive vault categories (Identity, Financial, Health) require explicit per-request consent and can be independently disabled. No business can access your SSN, financial accounts, or health data without a specific approval.

Right to correct

Any field can be updated directly in your vault. Updated data is re-encrypted and re-anchored on the blockchain — maintaining integrity proof through every revision.

Expanded right to opt out

Avallis cannot share your data for cross-context behavioral advertising at any layer — there is no advertising infrastructure in the platform.

Automated decision-making

No automated profiling of consumer data occurs within Avallis. Sentinel Intelligence evaluates business access behavior, not consumer profiles.

For businesses — what Avallis does for your compliance

Sensitive data business rules

Access to sensitive vault categories is gated by explicit consumer consent per request. Your integration is structurally incapable of accessing sensitive data without approval.

CPPA enforcement readiness

Every data access event is timestamped and logged. If the CPPA requests evidence of compliant data handling, Avallis provides an immutable audit trail.

Contractor obligations

Avallis contracts include CPRA-compliant data protection terms covering purpose limitation, data security, and consumer rights support.

HIPAA

Architecture ready

Health Insurance Portability and Accountability Act

Federal, USA (Healthcare)

HIPAA's Privacy and Security Rules govern how Protected Health Information (PHI) is handled by covered entities and their business associates. The rules require administrative, physical, and technical safeguards for electronic PHI, strict access controls, and audit controls.

For consumers — what Avallis means for you

PHI encryption

Health vault data is encrypted with industry-standard encryption in your browser before it reaches Avallis servers. We never hold plaintext health information — only the encrypted blob.

Minimum necessary standard

When you approve a health data request, you approve specific fields only. An insurer asking for coverage type cannot see your diagnosis history — the architecture enforces field-level granularity.

Access controls

Health data access requires your explicit approval per request. No standing access, no bulk downloads, no indefinite retention by the receiving party.

Audit controls

Every health data access event is logged with timestamp, requesting entity, approved fields, and expiration. The audit trail is user-visible and tamper-evident.

For businesses — what Avallis does for your compliance

Business Associate Agreement (BAA)

Avallis provides a BAA for covered entities and their business associates. Contact us to establish the agreement before processing any PHI through the platform.

Technical safeguards

Encryption in transit (encryption in transit), encryption at rest (industry-standard encryption), end-to-end encrypted webhook delivery, and blockchain-anchored integrity checks satisfy HIPAA's technical safeguard requirements.

Minimum necessary access

Your data requests specify exactly which health fields are needed. The consumer approves or denies at that level of specificity — you cannot receive more than was consented to.

Workforce access controls

Avallis infrastructure staff cannot read vault data. Zero-knowledge architecture means PHI is not accessible to anyone at Avallis, eliminating insider threat exposure.

HIPAA certification requires a formal BAA. Contact enterprise@avallis.io to establish one before processing PHI.

PCI DSS

Reduces scope

Payment Card Industry Data Security Standard

Global (Card Networks)

PCI DSS governs how cardholder data is stored, processed, and transmitted. The most effective compliance strategy is scope reduction — not storing cardholder data eliminates the majority of PCI requirements. Avallis does not store or process payment card data, but its architecture directly reduces the scope of PCI compliance for businesses that use it.

For consumers — what Avallis means for you

Cardholder data protection

Avallis does not store payment card numbers. Financial vault fields cover income, bank accounts, and credit scores — not raw card data. Your payment transactions run through PCI-certified processors (Stripe).

Identity verification for payment

Avallis can supply verified identity credentials to satisfy KYC requirements upstream of a payment — reducing fraud risk without touching card data.

For businesses — what Avallis does for your compliance

Scope reduction

If your Avallis integration replaces the collection of cardholder data with consent-based identity verification, your PCI scope decreases. Fewer systems that touch card data means fewer systems that must be PCI-compliant.

Verified identity before payment

Using Avallis vault-verify to confirm customer identity before initiating a transaction reduces chargebacks and fraud — without storing card data in your own systems.

Access controls for financial data

Financial vault data requires explicit consumer consent per access. No standing access to income or bank data is possible — reducing the attack surface for financial data exposure.

DPDP

Aligned

Digital Personal Data Protection Act

India

India's DPDP Act (2023) establishes rights for data principals (individuals) including right to access, correction, erasure, and grievance redressal. Data fiduciaries (organizations processing data) must obtain specific consent before processing personal data and implement reasonable security safeguards.

For consumers — what Avallis means for you

Informed and specific consent

Every Avallis data request requires you to see exactly what is being requested, for what stated purpose, and for how long. You consent to specific fields for specific purposes — matching DPDP's requirement for granular, informed consent.

Right to access

Your vault dashboard provides a complete view of stored data, every access event, and every consent granted — satisfying DPDP's right of data principals to access their information.

Right to erasure

Vault deletion permanently removes all personal data from Avallis systems. The right to erasure under DPDP is exercisable at any time without restriction.

Right to grievance redressal

Contact support@avallis.io for any data handling concern. Responses are provided within the DPDP's prescribed timeframe.

For businesses — what Avallis does for your compliance

Consent management obligations

Avallis provides the consent collection, storage, and revocation infrastructure required of data fiduciaries under DPDP. Every consent is timestamped, purpose-specific, and revocable.

Purpose limitation

Data received via Avallis is scoped to the purpose stated in the consent request. Processing for other purposes is not architecturally possible within the platform.

Security safeguards

industry-standard encryption encryption, end-to-end encrypted webhook delivery, and blockchain-anchored integrity checks satisfy DPDP's reasonable security safeguards requirement.

Significant data fiduciary obligations

For organizations classified as Significant Data Fiduciaries under DPDP, Avallis's audit trail and consent records support mandatory data protection impact assessments and auditing obligations.

Important: This page describes how Avallis's architecture addresses the requirements of these frameworks. It is not legal advice. Whether your specific use of Avallis satisfies your compliance obligations depends on your jurisdiction, use case, and how you configure the integration. Engage qualified legal counsel to assess your specific obligations. For BAA, DPA, or compliance documentation requests, contact enterprise@avallis.io.

Built for compliance from day one.

Talk to our team about your specific regulatory requirements.