Where we are today, what we sign, and what's on the audit roadmap. Honest status only — no fake certifications.
Hash-only architecture is structurally HIPAA-defensive. BAAs signed for Enterprise customers with healthcare use cases. Full certification on the Q4 2026 roadmap.
Hash-only architecture limits PII surface by design. Full rights program (access, rectify, erase, port). DPA available on request. SCCs for cross-border transfers. See Privacy Policy.
EU eIDAS 2.0 qualified-timestamp profile on the roadmap. Critical for EU regulated industries where qualified timestamps carry equivalent legal weight to handwritten signatures under EU law.
StampRight receipts will emit C2PA Content Credentials manifests, interoperable with Adobe, Microsoft, Sony, Nikon, and the broader provenance ecosystem. Especially important for photographers and journalists.
Audit window opens Q3 2026. Type II report issued Q1 2027. The five Trust Services Criteria — Security, Availability, Confidentiality, Processing Integrity, Privacy — across an extended observation period.
Receipts carry markers for post-quantum signature migration. When NIST-mandated quantum-safe signatures arrive, your existing stamps upgrade without breaking the chain.
Every third-party service that touches Customer Data, what it does, and where it's located.
| Subprocessor | Purpose | Region |
|---|---|---|
| DigitalOcean | Infrastructure hosting | US (NYC3) |
| DigitalOcean Managed Postgres | Database | US (NYC3) |
| Clerk | Authentication / identity | US |
| Resend | Transactional email (default) | US |
| Postmark / AWS SES | Transactional email (HIPAA tenants) | US |
| Stripe | Payments processing | US |
We notify Enterprise customers in writing 30 days before adding or replacing any subprocessor that handles Customer Data.
We take responsible disclosure seriously. Report any security issue to security@stampright.com — we acknowledge within 48 hours and patch within 7 days for high-severity issues.