Compliance & Security

We design for privacy by default, verify consent, and use industry-standard security to protect your legacy vault.

Privacy by Design

• Consent Required: All living individuals must consent; minors require parent/guardian consent.
• Default Private: Sensitive materials are private by default and shared only as you decide.
• Data Minimization: We collect only what’s necessary.

Security Controls

• Encryption in transit and at rest.
• Role-based access, least-privilege permissions, and audit logging.
• Backups and business continuity planning.
• Ongoing reviews for appropriateness and effectiveness.

Risk & Impact Assessments

• Data Protection Impact Assessments (DPIAs) for high-risk processing.
• Vendor reviews for privacy and security fit before use.

Incidents & Breach Response

• Detection, containment, investigation, and remediation procedures.
• Notifications to impacted individuals and regulators where required.

Blockchain Assurance

• No personal data is placed on public blockchains.
• NFTs are certificates/access keys, not securities or investments.

Regulatory Alignment

• Major U.S. state privacy laws (e.g., CPRA, Texas Data Privacy & Security Act) and international principles honored.
• Cross-border transfers protected by recognized safeguards where required (e.g., Standard Contractual Clauses).
• We are not a HIPAA-covered entity; FTC Health Breach Notification requirements may apply in certain scenarios.

Contact

Compliance questions: compliance@tomboflight.com