Compliance and Certifications (SOC 2, GDPR)
SOC 2 Type II in progress via Sprinto. GDPR compliant.
Last updated April 10, 2026
This page describes Peony's current compliance posture. Some certifications are in progress, some are complete.
For encryption, hosting, and access control, see Security Overview.
SOC 2
SOC 2 Type II — in progress via Sprinto. Certification expected later in 2026.
Available right now for compliance reviews:
- Security whitepaper covering encryption, hosting, access control, audit logging, backups, incident response.
- Completed security questionnaires (CAIQ, vendor risk, Google Workspace vendor reviews).
- DPA for GDPR and standard vendor contracts.
Request any of these from deqian@peony.ink with your company name and review timeline. Typical turnaround: one business day.
GDPR
Peony is GDPR compliant for EU customers.
- Legal basis. Processing under legitimate-interest and contract bases (GDPR Article 6). Customer content processed only to deliver the service.
- DPA. Standard DPA with Standard Contractual Clauses (SCCs) for international transfers, on request from deqian@peony.ink.
- Data subject rights. Access, portability, correction, and erasure via the account owner or deqian@peony.ink. Most rights are self-serve from Settings.
- Hosting. Customer data hosted in AWS US by default. EU transfers governed by SCCs.
EU-residency requirements: contact sean@peony.ink before purchasing.
HIPAA
Peony can support HIPAA on a case-by-case basis. Contact sean@peony.ink to discuss your requirements.
CCPA
Peony respects CCPA rights for California residents: right to know, delete, and opt out of sale. Peony does not sell customer data. Submit requests to deqian@peony.ink.
ISO 27001, FedRAMP, Others
Not currently held. No ISO 27001, FedRAMP, ISO 27017, ISO 27018, or PCI DSS. The roadmap is driven by enterprise customer demand — if a certification is blocking procurement, contact sean@peony.ink.
Common Questions
"Can I get a signed DPA?" Yes — deqian@peony.ink.
"Do you have a completed security questionnaire?" Yes — deqian@peony.ink. Shared under NDA.
"Where is our data hosted?" AWS US region.
"Who on the Peony team has access to our data?" Production access limited to a small on-call rotation and support staff on active tickets. All access logged.
"What happens to our data if we cancel?" 30-day soft-delete window, then purged from primary storage. See Security Overview.
"Does Peony use our documents to train AI models?" No. LLM APIs operate under data-handling agreements that prohibit training on customer content.