Overview
Compliance is shared. Journiq provides the controls, contracts, and documentation that customers need to build compliant products on top of our platform — but customers are responsible for their own regulatory obligations, lawful basis for processing, and recipient-consent practices.
Frameworks & Certifications
| Framework | Status |
|---|---|
| SOC 2 Type II | Available under NDA on Enterprise plans |
| ISO 27001 | On the roadmap |
| GDPR | Aligned; SCCs available |
| CCPA / CPRA | Aligned |
| HIPAA | BAA available on Enterprise plans for eligible workloads |
| PCI DSS | Out of scope for the Services (no cardholder data is stored; billing handled by a PCI-DSS Level 1 processor) |
GDPR
Journiq acts as a processor of end-user personal data on behalf of our Customers, who act as controllers. We support GDPR compliance through:
- A Data Processing Addendum incorporating Standard Contractual Clauses for international transfers.
- Per-end-user delete and export tooling exposed via API and dashboard.
- Configurable retention windows for events and profiles.
- Documented subprocessor list with advance notice of changes.
- Records of processing activities and security measures (Annex II).
CCPA / CPRA
Journiq qualifies as a “service provider” under the CCPA/CPRA. We do not sell or share personal information for cross-context behavioral advertising. We support customer fulfilment of consumer rights including the right to know, delete, correct, and opt out of sale/sharing.
Messaging Compliance
Customers using Journiq to send messages are responsible for complying with applicable laws, including:
- TCPA (US): Prior express written consent for marketing SMS to mobile numbers; respect for quiet hours.
- CAN-SPAM (US): Accurate sender info, working unsubscribe, prompt honoring of opt-outs.
- CASL (Canada): Express or implied consent and identification requirements.
- GDPR / ePrivacy (EEA, UK): Lawful basis (consent or legitimate interest as applicable) and granular preference controls.
- 10DLC / Toll-Free verification (US carriers): Brand and campaign registration where required.
The platform provides preference centers, suppression lists, unsubscribe tokens, quiet-hour controls, and per-channel consent tracking to help customers operate compliantly.
Subprocessors
We maintain a current list of subprocessors used to deliver the Services, including hosting, message-delivery, analytics, and support providers. Customers may subscribe to advance-notice emails for changes by writing to compliance@getjourniq.com.
Data Residency
Journiq currently hosts production data in the United States and the European Union. Enterprise customers can request EU-only or US-only residency for their tenant during onboarding.
Data Processing Addendum
Our standard DPA (incorporating GDPR Standard Contractual Clauses and UK Addendum) is available on request. Customers may countersign the DPA via legal@getjourniq.com before or after activation.
Customer Requests
Compliance documentation, security questionnaires, BAAs, and audit reports are available to qualifying customers under NDA. Reach us at compliance@getjourniq.com and include your account and the framework you’re reviewing.