# Certifications & Compliance Scope (/docs/trust/certifications)

We only list what we can back up. For commercial negotiations — signed
DPA, custom retention, security questionnaires — email
[legal@layers.com](mailto:legal@layers.com).

## HIPAA [#hipaa]

**Not in scope.** Layers does not process PHI. Partners and end
customers must not transmit PHI through the Partner API or the Layers
SDK.

## PCI DSS [#pci-dss]

**Not in scope.** Layers does not store, process, or transmit
cardholder data. Billing is delegated to Stripe, which handles card
tokenization and PCI scope end-to-end.

## GDPR / CCPA / CPRA [#gdpr--ccpa--cpra]

Layers processes personal data under a DPA that incorporates the EU
Commission's Standard Contractual Clauses for cross-border transfers
where applicable. See [DPA](/docs/trust/dpa) and
[DSAR](/docs/trust/dsar).

## SOC 2, ISO 27001, other framework certifications [#soc-2-iso-27001-other-framework-certifications]

We are not currently publishing a SOC 2 report, ISO 27001 certificate,
or other third-party attestations. If your procurement process needs
one, contact [legal@layers.com](mailto:legal@layers.com) — we'll tell
you honestly what we do and don't have, and we can usually complete a
security questionnaire directly.

## Changes to this page [#changes-to-this-page]

If the compliance surface changes (new framework in scope, new report
available, scope changes), it will show up here. We won't announce
certifications we don't have.
