Compliance
Certified Across Every Jurisdiction
Harch Corp maintains compliance with international and regional standards across Moroccan, European, African, and global jurisdictions. Every certification is independently audited and continuously maintained.
Certifications
Full Certification Portfolio
Each certification represents an independent, third-party validation of our security and operational controls.
SOC 2 Type II
System and Organization Controls 2 Type II
Independent audit of our security, availability, and confidentiality controls over a minimum 6-month observation period. Demonstrates continuous operational effectiveness.
Scope
HarchOS Platform, Harch Intelligence Infrastructure
Region
Global
Auditor
Deloitte & Touche
Last Audit
Nov 2025
ISO 27001
ISO/IEC 27001:2022
International standard for information security management systems (ISMS). Certified across all Harch Corp operating entities and data center facilities.
Scope
All Harch Corp S.A. Operations
Region
Global
Auditor
Bureau Veritas
Last Audit
Sep 2025
ISO 22301
ISO 22301:2019 Business Continuity
Business continuity management system certification ensuring Harch Corp maintains critical operations during disruptions, with tested recovery procedures.
Scope
All Harch Corp S.A. Operations
Region
Global
Auditor
Bureau Veritas
Last Audit
Oct 2025
GDPR
EU General Data Protection Regulation
Full compliance with EU data protection regulation for all processing of EU data subjects. Includes DPA availability, cross-border transfer mechanisms, and data subject rights fulfillment.
Scope
All services processing EU personal data
Region
EU
Last Audit
Ongoing
CCPA
California Consumer Privacy Act
Compliance with California privacy requirements for US-based data subjects, including the rights to know, delete, and opt out of data sale.
Scope
Services offered to California residents
Region
US
Last Audit
Ongoing
Moroccan DPA
Moroccan Law 09-08 (Data Protection Act)
Compliance with Moroccan data protection law administered by the CNDP (National Commission for Personal Data Protection). All data processing declared and registered.
Scope
All Harch Corp S.A. Morocco operations
Region
Morocco
Auditor
CNDP Morocco
Last Audit
Jun 2025
ISO 27017
ISO/IEC 27017:2015 Cloud Security
Cloud-specific security controls extending ISO 27001. Covers cloud service shared responsibility, virtual network security, and cloud tenant isolation.
Scope
HarchOS Cloud Platform
Region
Global
Last Audit
Pending
ISO 27018
ISO/IEC 27018:2019 PII in Public Cloud
Protection of personally identifiable information in public clouds. Establishes controls for data processing, breach notification, and data subject rights in cloud environments.
Scope
HarchOS Cloud Platform
Region
Global
Last Audit
Pending
PCI DSS
Payment Card Industry Data Security Standard
Security standard for organizations that handle credit card data. Ensures secure payment processing across Harch Corp billing and partner transactions.
Scope
Billing, payment processing systems
Region
Global
Last Audit
Pending
CSA STAR Level 2
Cloud Security Alliance STAR Level 2
Third-party audit of cloud security controls against CSA Cloud Controls Matrix. Demonstrates transparency and rigorous cloud security practices.
Scope
HarchOS Cloud Platform
Region
Global
Last Audit
Pending
HITRUST CSF
HITRUST Common Security Framework
Comprehensive security framework for healthcare and life sciences. Required for Harch Corp health-tech partnerships and medical data processing.
Scope
Health-tech vertical operations
Region
Global
Last Audit
Pending
FedRAMP
Federal Risk and Authorization Management Program
US government cloud authorization program. Enables Harch Corp to serve US federal agencies and government contractors with sovereign cloud services.
Scope
HarchOS US Region (planned)
Region
US
Last Audit
Pending
Regional Programs
Compliance by Region
Harch Corp operates across multiple jurisdictions, each with specific regulatory requirements. Our compliance program is designed for multi-jurisdictional coverage.
Morocco
Primary operating jurisdiction. Full compliance with Moroccan Law 09-08, CNDP registration, and all local regulatory requirements.
Active Certifications
European Union
GDPR compliance for EU data subjects. Standard contractual clauses for data transfers. Adequacy decision alignment for Morocco-EU transfers.
Active Certifications
Africa
Alignment with emerging African data protection frameworks, including regulations in Côte d'Ivoire, Kenya, South Africa, and Nigeria.
Active Certifications
Global
International compliance programs for cross-border operations. Designed to meet the most stringent requirements across all operating jurisdictions.
Active Certifications
Audit Reports
Documentation Available
Qualified customers and partners can request access to audit reports, certificates, and compliance documentation through our secure document portal.
| Document | Period | Auditor | Type | Access |
|---|---|---|---|---|
| SOC 2 Type II Report | May 2025 — Nov 2025 | Deloitte & Touche | Audit Report | |
| ISO 27001 Certificate | Sep 2025 — Sep 2026 | Bureau Veritas | Certificate | |
| ISO 22301 Certificate | Oct 2025 — Oct 2026 | Bureau Veritas | Certificate | |
| Penetration Test Summary | Q4 2025 | NCC Group | Test Report | |
| Cloud Security Assessment | Q3 2025 | NCC Group | Assessment | |
| GDPR DPIA Summary | Ongoing | Internal DPO | Assessment | |
| CNDP Registration | Jun 2025 | CNDP Morocco | Registration | |
| Business Continuity Test Results | Q3 2025 | Internal Audit | Test Report | |
Data Processing Agreement
Standard DPA Available
Our pre-signed Data Processing Agreement is available for all customers. It covers GDPR Article 28 requirements, sub-processor management, breach notification procedures, and data subject rights assistance.
GDPR Article 28 compliant processing terms
Sub-processor notification and management
72-hour breach notification commitment
Data subject rights assistance (access, deletion, portability)
Cross-border transfer safeguards (SCCs)
Moroccan Law 09-08 alignment
DPA Quick Reference
Need Compliance Documentation?
Our compliance team can provide specific audit reports, certificates, and documentation for qualified requests.