Compliance

Last Updated: May 26, 2026 · Version 2026-05-26

1. Our Compliance Framework

At Gid Solutions, Inc. (operating as "Gid AI"), compliance is treated as a living discipline rather than a checkbox exercise. We align with multiple data-protection laws and industry frameworks, leverage infrastructure providers that maintain top-tier certifications, and are transparent about where we are in our own build-out.

This page summarizes how we approach compliance today. For the binding commitments, see the Terms of Service, Data Processing Agreement, Privacy Policy, SLA, AUP, and Sub-processors list.

2. Data Protection Regulations

🇪🇺

GDPR Compliance

Full compliance with the EU General Data Protection Regulation for all EU data subjects

🇺🇸

CCPA Compliance

California Consumer Privacy Act compliance for California residents and businesses

🇨🇦

PIPEDA Compliance

Personal Information Protection and Electronic Documents Act compliance for Canadian operations

GDPR (General Data Protection Regulation)

  • Lawful basis for processing personal data
  • Data subject rights implementation (access, rectification, erasure, portability) — see Privacy Policy § 9.A
  • Privacy by design and by default principles applied to product development
  • Data Protection Impact Assessments (DPIAs) for high-risk processing as required
  • Privacy Officer designated: Alexandre Verville, privacy@gidai.ca. A formal GDPR Article 37 DPO will be appointed once we cross the operational thresholds that require one, or sooner on customer request
  • Breach notification without undue delay and within 72 hours of becoming aware of a breach (GDPR Art 33) — see DPA § 8

U.S. state privacy laws

We honor consumer rights across the U.S. state privacy law patchwork — California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), and Montana (MCDPA). We extend these rights to all U.S. residents for simplicity. Specific provisions:

  • Rights to know, access, delete, correct, and opt out of "sale", "sharing", and targeted advertising. We do not engage in any of those activities; no opt-out is needed.
  • Non-discrimination for exercising rights
  • Notice at collection (CCPA § 1798.100(b))
  • Identity-verification procedures for requests
  • Right to appeal denied requests (Virginia, Colorado, Connecticut)
  • Recognition of Global Privacy Control (GPC) as a universal opt-out signal
  • Full implementation details in Privacy Policy § 9.B

PIPEDA (Personal Information Protection and Electronic Documents Act)

  • Accountability for personal information protection
  • Identifying purposes for data collection
  • Consent requirements and management
  • Limiting collection, use, and disclosure
  • Accuracy and safeguards implementation
  • Individual access rights and complaint handling

3. Industry-Specific Compliance

๐Ÿฝ๏ธ Restaurant Industry Standards

We understand the unique compliance requirements of the hospitality industry, including employee data protection, scheduling regulations, and operational compliance needs.

Employment and Labor Compliance

  • Fair Labor Standards Act (FLSA) compliance for scheduling and time tracking
  • Equal Employment Opportunity (EEO) data handling
  • Predictive scheduling law compliance (where applicable)
  • Worker classification and data protection
  • Minimum wage and overtime calculation accuracy

Food Service Industry Standards

  • Food safety training record management
  • Health department compliance documentation
  • Alcohol service certification tracking
  • Allergen training and documentation
  • Safety incident reporting and documentation

4. Security and Technical Compliance

International Security Standards

๐Ÿ†

SOC 2 Framework

Alignment with the SOC 2 Trust Services Criteria, checked through regular internal security reviews rather than an independent SOC 2 audit of Gid itself

🔒

ISO 27001 Framework

Alignment with the international standard for information security management systems (ISMS) and information security risk management

🛡️

ISO 27018

Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors

Cloud Security Compliance

  • Google Cloud Platform security certifications and compliance inheritance
  • AWS security framework compliance and shared responsibility model
  • Firebase security rules and access control compliance
  • Multi-region data residency and sovereignty compliance

5. Operational Compliance

Business Continuity and Disaster Recovery

  • Business continuity planning and testing
  • Disaster recovery procedures and documentation
  • Data backup and recovery compliance
  • Emergency response and communication protocols

Financial and Billing Compliance

  • PCI DSS — Payment processing is handled by Stripe, a PCI DSS Level 1 validated service provider. Gid does not store cardholder data on its systems. Gid is not independently PCI DSS assessed; outsourcing card handling to a Level 1 provider does not exempt a merchant from PCI DSS outright, but it reduces the merchant's own obligations to the limited self-assessment scope (SAQ A) that applies when all cardholder data functions are outsourced
  • Financial record retention and audit trails (7 years)
  • Tax responsibilities — Stripe Tax handles per-jurisdiction sales tax calculations on the billing side; Customer remains responsible for tax compliance on its own operations
  • Sanctions screening at sign-up (OFAC, Canadian SEMA, EU consolidated list, UK consolidated list)

6. Audit and Monitoring

📊 Continuous Compliance Monitoring

We implement continuous monitoring and regular audits to ensure ongoing compliance with all applicable regulations and standards.

Internal Reviews

  • Compliance posture reviewed before each major release and at quarterly ops cadence
  • Privacy considerations applied at feature design (privacy by design)
  • Continuous monitoring of data-processing activities via Cloud Logging
  • Policy and runbook updates as the product and regulatory environment evolve

External Audits

  • Our infrastructure providers (GCP, Firebase) hold SOC 2 Type II attestation reports, which cover the infrastructure layer we inherit; Gid's own controls are currently assessed internally against the SOC 2 Trust Services Criteria
  • Infrastructure providers certified to ISO 27001 for information security management
  • Penetration testing by third-party security firms
  • Compliance assessments by external regulatory experts

7. Data Governance

Data Classification and Handling

  • Data classification framework (public, internal, confidential, restricted)
  • Data handling procedures based on classification levels
  • Data lifecycle management and retention policies
  • Secure data disposal and destruction procedures

Data Processing Records

  • Comprehensive records of processing activities (ROPA)
  • Legal basis documentation for all data processing
  • Data transfer impact assessments
  • Consent management and documentation

8. Employee Training and Awareness

Compliance Training Program

  • Mandatory privacy and security training for all employees
  • Role-specific compliance training programs
  • Regular updates on regulatory changes
  • Annual compliance certification requirements

Awareness and Communication

  • Regular compliance newsletters and updates
  • Incident reporting and response training
  • Best practices documentation and sharing
  • Compliance hotline for questions and concerns

9. Vendor and Third-Party Management

Due Diligence Process

  • Comprehensive vendor security and compliance assessments
  • Contractual requirements for compliance and security standards
  • Regular vendor compliance reviews and audits
  • Incident notification and response requirements

Data Processing Agreements

  • GDPR Article 28 data processing agreements with all vendors that process personal data on our behalf
  • EU Standard Contractual Clauses (and UK Addendum where applicable) for international data transfers
  • Regular review and update of vendor agreements
  • Termination and data return procedures

10. Incident Response and Breach Management

Incident Response Plan

  • 24/7 incident response team and procedures
  • Clear escalation and communication protocols
  • Regulatory notification procedures and timelines
  • Customer and stakeholder communication plans

Breach Notification Compliance

  • GDPR: notification to the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a breach (Art 33); where Gid acts as processor, notification to the affected customer (controller) without undue delay (Art 33(2)) so the customer can meet its own 72-hour deadline
  • Notification to affected individuals without undue delay when a breach is likely to result in a high risk to their rights and freedoms (Art 34)
  • California breach notification under Cal. Civ. Code § 1798.82, including a sample copy of the notice to the California Attorney General when a single breach affects more than 500 California residents
  • Documentation of every breach, including the facts, its effects, and the remedial action taken (Art 33(5))

11. Customer Compliance Support

๐Ÿค Partnership in Compliance

We work closely with our customers to ensure they can meet their own compliance obligations when using our platform.

Compliance Documentation

  • Data processing addendums and agreements
  • Technical and organizational measures documentation
  • Audit reports and compliance certifications
  • Data transfer and residency documentation

Support Services

  • Compliance consulting and guidance
  • Data subject request handling support
  • Audit support and documentation provision
  • Regulatory change impact assessments

ยฉ 2026 Gid AI. All rights reserved.