Compliance Roadmap

This page outlines our current compliance status and planned certifications.

Current Compliance

GDPR ✅

Status: Fully Compliant

  • Data Processing Agreements (DPA) available for all customers
  • Privacy by design architecture
  • Data subject rights procedures in place
  • EU-based data processing

Status: Fully Compliant

  • Native GS1 Digital Link URL format
  • ISO/IEC 20248 aligned
  • Interoperable with GS1 resolver network

EU FMD / DSCSA ✅

Status: Compatible

  • Serialization format compatible with pharmaceutical regulations
  • GS1 GTIN + Serial + Batch encoding
  • Aggregation hierarchy support

Q2 2026

SOC 2 Type I 📋

Status: Audit Engagement Planned

SOC 2 Type I examines whether security controls are properly designed. We're preparing for audit with:

| Trust Service Criteria | Status |
|---|---|
| Security | Controls operational |
| Availability | Controls operational |
| Processing Integrity | Controls operational |
| Confidentiality | Controls operational |
| Privacy | Controls operational |

Timeline:

  • Control documentation: Complete
  • Gap assessment: Q1 2026
  • Auditor engagement: Q1 2026
  • Report expected: Q2 2026

Q3–Q4 2026

SOC 2 Type II 📋

Status: Planned After Type I

SOC 2 Type II examines whether controls are operating effectively over time. The observation period begins after Type I completion.

Timeline:

  • Observation period: Q2–Q3 2026
  • Final report expected: Q4 2026

ISO 27001 📋

Status: ISMS Implementation

ISO 27001 certification demonstrates a mature Information Security Management System. We're implementing:

  • Risk assessment methodology
  • Statement of Applicability
  • Internal audit procedures
  • Management review process

Timeline:

  • ISMS implementation: Q2 2026
  • Internal audits: Q3 2026
  • Certification audit: Q4 2026

2027

EU Digital Product Passport 🟢

Status: Architecture Ready

The EU Digital Product Passport (DPP) regulation will require digital tracking for:

  • Batteries (2027)
  • Textiles (2027)
  • Electronics (TBD)

Optropic's architecture is already aligned:

| DPP Requirement | Optropic Implementation |
|---|---|
| Unique product identifier | GS1 GTIN + Serial |
| QR code linking | GS1 Digital Link URL |
| Supply chain tracking | Provenance chain |
| Authenticity verification | Ed25519 signatures |

Post-Quantum Cryptography 🔮

Status: Research Phase

Preparing for quantum computing threats:

  • CRYSTALS-Dilithium evaluation for signatures
  • CRYSTALS-Kyber evaluation for key exchange
  • Hybrid classical/PQC transition planning

Timeline:

  • Algorithm selection: 2026
  • Pilot implementation: 2027
  • Production rollout: 2028+

Certification Timeline

2026                    2027                    2028
│                       │                       │
├──Q1: Gap assessment   │                       │
│                       │                       │
├──Q2: SOC 2 Type I ────┤                       │
│                       │                       │
├──Q3: SOC 2 observation│                       │
│                       │                       │
├──Q4: SOC 2 Type II ───┼──ISO 27001 ───────────┤
│      ISO 27001 audit  │                       │
│                       │                       │
│                       ├──DPP (Batteries) ─────┤
│                       │                       │
│                       ├──DPP (Textiles) ──────┤
│                       │                       │
│                       │                       ├──PQC Rollout

Request Compliance Documentation

For:

  • SOC 2 reports (after completion)
  • Security questionnaires
  • Vendor risk assessments
  • Custom compliance documentation

Contact: compliance@optropic.com