# Compliance Overview
This page provides a high-level summary of Trove's compliance obligations and certification roadmap. It is the reference point for understanding what we are required to comply with, what we are working towards, and who is responsible.
## Compliance Ownership
Trove does not currently have a dedicated compliance officer. Compliance responsibilities are owned by the CTO (Joshua Curci), with oversight from the broader leadership team.
As Trove scales, a formal compliance function will be established. Until then, any compliance questions, concerns, or incidents should be directed to the CTO.
## Current Regulatory Obligations

### Australian Privacy Act 1988
As an Australian company, Trove is subject to the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), which govern how we collect, use, store, and disclose personal information.
Trove is also subject to the Notifiable Data Breaches (NDB) scheme, which requires us to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) in the event of an eligible data breach: unauthorised access to, unauthorised disclosure of, or loss of personal information that is likely to result in serious harm to the individuals concerned.

Key obligations:

- Collect only personal information that is reasonably necessary for our functions or activities
- Be transparent about how personal information is handled
- Take reasonable steps to keep personal information secure and to destroy or de-identify it when it is no longer needed
- Give individuals access to their personal information on request, and correct it where it is inaccurate
- Assess a suspected eligible data breach promptly (the scheme expects the assessment to be completed within 30 days of becoming aware of it) and, where the breach is eligible, notify affected individuals and the OAIC as soon as practicable
Further reading: Privacy Policy · Breach Response Plan
### GDPR - General Data Protection Regulation

Trove operates worldwide and processes personal data of individuals located in the European Union and European Economic Area. Although Trove is not established in the EU, the GDPR applies to our processing activities under its extraterritorial scope (Article 3(2)) because we offer services to, and monitor the behaviour of, individuals in the EU/EEA.

Key obligations:

- Have a lawful basis for each processing activity
- Provide clear and transparent privacy notices
- Honour data subject rights (access, rectification, erasure, restriction, portability, objection) within the statutory one-month window
- Implement appropriate technical and organisational security measures
- Maintain records of processing activities (ROPA)
- Conduct Data Protection Impact Assessments (DPIAs) for high-risk processing
- Sign Data Processing Agreements (DPAs) with customers who are controllers, and flow down equivalent terms to our own sub-processors
- Report personal data breaches to the competent supervisory authority within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to individuals; notify affected individuals where the risk is high
- Use an approved transfer mechanism (for example Standard Contractual Clauses) for transfers of personal data out of the EU/EEA
Further reading: Global Privacy Policy · Master Data Processing Addendum · Data Subject Rights Procedure · Records of Processing Activities
### PCI DSS - SAQ-A

Trove facilitates payments through Stripe. As a card-not-present merchant that has fully outsourced all cardholder data functions to a PCI DSS validated third-party provider, Trove is eligible for PCI DSS Self-Assessment Questionnaire A (SAQ-A), the lightest validation tier, which applies only to merchants whose systems never store, process, or transmit cardholder data. Eligibility depends on the card-entry fields and the payment page itself being delivered entirely by Stripe (hosted Checkout or an iframe-based Stripe Element); a form that posts raw card numbers to a Trove endpoint, even briefly, would move us out of SAQ-A scope, so the criteria should be re-checked against the current SAQ-A version at each annual assessment.

Key obligations:

- Ensure all payment processing is handled exclusively through Stripe's hosted components; Trove servers only ever see Stripe tokens, payment method IDs, and the last four digits
- Do not store, log, or transmit cardholder data through Trove systems, including in application logs, error reports, and analytics payloads
- Complete and retain the SAQ-A self-assessment and Attestation of Compliance on an annual basis
- Verify annually that Stripe remains a PCI DSS compliant service provider and retain evidence of its attestation
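The obligation not to log cardholder data is easy to state and easy to break by accident (a debug handler that dumps a request body, an error tracker that captures form fields). The following is an added example, not code from Trove or Stripe, of a lightweight check a practitioner would run over application logs or CI output to catch this: it finds 13 to 19 digit runs, optionally separated by spaces or dashes, keeps only those that pass the Luhn check, and masks them to the last four digits. The function names, the `SAMPLE_LOG` lines, and the card numbers in them (standard publicly documented test card numbers) are all constructed for this example.

```python
import re

# Candidate PANs: 13-19 digits, optionally separated by a single space or dash
# after each digit group. The regex is deliberately loose; the Luhn check below
# does the filtering so that order IDs and timestamps are not reported.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits_only(raw: str) -> str:
    return re.sub(r"[ -]", "", raw)


def find_pans(text: str) -> list[str]:
    """Return the digit-only form of every Luhn-valid 13-19 digit run in text."""
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = _digits_only(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def scrub(text: str) -> str:
    """Replace each detected PAN with a mask that keeps only the last four digits."""
    def _mask(m: re.Match) -> str:
        digits = _digits_only(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return m.group(0)       # not a PAN: leave the original text untouched
    return _CANDIDATE.sub(_mask, text)


def scan_log(lines) -> list[tuple[int, list[str]]]:
    """Return (line_number, [pans]) for every line that contains a probable PAN."""
    findings = []
    for n, line in enumerate(lines, start=1):
        pans = find_pans(line)
        if pans:
            findings.append((n, pans))
    return findings


# Constructed sample log lines for this example. Lines 2 and 5 leak a PAN;
# line 3 is a 16-digit order ID that fails Luhn; line 4 is a 10-digit phone number.
SAMPLE_LOG = [
    'INFO  checkout started customer=cus_example pm=pm_example',
    'DEBUG request body={"card": "4242 4242 4242 4242", "exp": "12/30"}',
    'INFO  order_id=1234567890123456 status=paid',
    'INFO  support callback requested phone=0412345678',
    'ERROR retry failed pan=5555555555554444 reason=declined',
]

if __name__ == "__main__":
    for line_no, pans in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: probable PAN(s) {pans}")
        print("  scrubbed:", scrub(SAMPLE_LOG[line_no - 1]))
```

A scan like this is a detective control, not a substitute for keeping card entry inside Stripe's hosted components: a hit in production logs is a PCI incident and a scope change, and should go through the Breach Response Plan. Running it over CI logs and staging output catches the mistake before it reaches production. The Luhn filter removes most false positives but is not proof that a number is a card; treat every hit as one until shown otherwise.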
## Certification Roadmap
The following certifications are actively being pursued as Trove scales. These are not yet achieved but represent our committed compliance direction.
| Certification | Description | Status |
|---|---|---|
| SOC 2 Type II | Audited assurance report covering security, availability, and confidentiality controls over a defined period | In progress |
| ISO 27001 | International standard for information security management systems (ISMS) | In progress |
| ISO 27701 | Extension to ISO 27001 covering privacy information management (PIMS) | In progress |
| CSA STAR Level 1 or 2 | Cloud Security Alliance assessment covering cloud-specific security controls | In progress |
| GDPR Compliance | Not a third-party certification in itself: completion of the GDPR programme (ROPA, DPAs, DPIAs, data subject rights procedure, transfer mechanisms) so that the obligation described above is demonstrable to customers and supervisory authorities | In progress |
Why these certifications?
These certifications are increasingly required by enterprise customers as a condition of doing business. Achieving them demonstrates that Trove has mature, auditable security and privacy controls - building trust with brands, their customers, and regulators.
## Key Compliance Documents
The following documents support our compliance obligations. Many are currently in development.
| Document | Description |
|---|---|
| Acceptable Use Policy | What staff can and cannot do with company systems and data |
| Change Management SOP | How changes to systems and processes are managed |
| Global Data Flow Map & Register | How personal data flows across systems and borders |
| Records of Processing Activities (ROPA) | Global register of data processing activities |
| Data Subject Rights Procedure | How requests from individuals are handled |
| Retention & Deletion Policy | Rules for retaining and deleting data |
| Breach Response Plan | Steps to take in the event of a data breach |
| Incident Response Plan | How security incidents are identified, managed, and resolved |
| Third-Party Risk Assessment Template | Framework for assessing risk from vendors and third parties |
| Sub-Processor Due Diligence Records | Due diligence conducted on sub-processors |
| Annual Compliance Audit Plan | Schedule and scope for annual compliance audits |
| Training & Awareness Log | Record of staff compliance and security training |
## Review Cycle
This page and the broader compliance framework should be reviewed at least annually, or when any of the following occur:
- A new regulatory obligation is identified
- A significant change is made to the platform or its data processing activities
- A new market or jurisdiction is entered
- A compliance incident or near-miss occurs