Compliance

Compliance isn't a checklist. It's architecture.

SOFI was built so private test data workflows can enforce LGPD, GDPR, HIPAA, and PCI-DSS controls from the first VDB you provision.

Privacy by design

Every SOFI feature is built with privacy in mind. PII never reaches dev teams — it's masked before provisioning.

Immutable audit log

Every masking, access, and provisioning event is recorded. Export to external auditors as CSV/JSON in one click.

Layered encryption

AES-256-GCM for passwords, TLS 1.3 in transit, encryption-at-rest in PostgreSQL. Keys managed via KMS.

Dedicated DPO

Direct contact via dpo@sofi.io. 5-business-day SLA for data subject requests.

How we help

Covering every legal basis and data subject right.

Legal bases supported

SOFI supports the legal bases for processing personal data set out in LGPD (Art. 7) and GDPR (Art. 6):

  • Consent — UI for record-keeping and revocation.
  • Legal obligation — tax and regulatory audit.
  • Contract performance — operating the contracted SOFI deployment and support services.
  • Legitimate interest — security and fraud prevention.

Data subject rights

  • Access — endpoint for subjects to export all their data.
  • Correction — UI for correcting inaccurate data.
  • Anonymization — native masking, our specialty.
  • Portability — structured data export.
  • Erasure — soft-delete + hard-delete after 90 days.
  • Consent revocation — auditable trail.

Principles upheld

  • Purpose — purposes stated in the Privacy Policy.
  • Adequacy — we collect only necessary data.
  • Necessity — minimization by default.
  • Free access — endpoints and UI for inspection.
  • Quality — input validation, soft-delete, audit.
  • Transparency — this page, policy, and terms are public.
  • Security — encryption, RBAC, audit logs.
  • Prevention — masking is mandatory in VDBs.
  • Non-discrimination — no adverse automated decisions.
  • Accountability — DPO + immutable audit log.

Subprocessors

The current privacy policy describes subprocessors and the way they are used. We notify customers 30 days before any material subprocessor change.

Security incidents

We notify regulators and affected subjects within 48 hours of detection, as required by LGPD Art. 48 and GDPR Art. 33.

DPO contact

Data Protection Officer:
Email: dpo@sofi.io
Response SLA: 5 business days.

Want to see how we'd hold up in a real audit?