Layers

Certifications & Compliance Scope

Where Layers sits on compliance frameworks today.


We only list what we can back up. For commercial negotiations — signed DPA, custom retention, security questionnaires — email legal@layers.com.

HIPAA

Not in scope. Layers does not process PHI. Partners and end customers must not transmit PHI through the Partner API or the Layers SDK.

PCI DSS

Not in scope. Layers does not store, process, or transmit cardholder data. Billing is delegated to Stripe, which handles card tokenization and PCI scope end-to-end.

GDPR / CCPA / CPRA

Layers processes personal data under a DPA that incorporates the EU Commission's Standard Contractual Clauses for cross-border transfers where applicable. See DPA and DSAR.

SOC 2, ISO 27001, other framework certifications

We are not currently publishing a SOC 2 report, ISO 27001 certificate, or other third-party attestations. If your procurement process needs one, contact legal@layers.com — we'll tell you honestly what we do and don't have, and we can usually complete a security questionnaire directly.

Changes to this page

If the compliance surface changes (new framework in scope, new report available, scope changes), it will show up here. We won't announce certifications we don't have.
