Compliance posture.
PayslipIQ runs on auditor-ready process and tooling. The frameworks below are the ones that apply to a US-only educational paycheck explainer. Items marked "in progress" are tracked toward formal certification.
Frameworks
SOC 2 Type 1
Status: In progress. PayslipIQ is operating to SOC 2 Common Criteria. A formal Type 1 audit is planned in 2026. Internal controls documentation is maintained on the same standard reviewers expect.
FCRA (Fair Credit Reporting Act)
Status: Not applicable, by design. PayslipIQ outputs are not consumer reports. PayslipIQ is not a consumer reporting agency. Outputs must not be used for employment screening, tenant screening, credit decisions, insurance underwriting, or any FCRA-regulated purpose.
CCPA / CPRA (California)
Status: Compliant. PayslipIQ does not sell personal information. CA residents may request access, deletion, or correction by emailing privacy@payslipiq.com. The Pay Stub Checker upload flow is opt-in. Analytics use cookie-less tooling.
GDPR (EU/UK residents)
Status: Compliant where applicable. PayslipIQ is a US-only service. EU/UK residents who voluntarily use the site have access, deletion, and correction rights. Email privacy@payslipiq.com.
HIPAA
Status: Not in scope. PayslipIQ does not handle Protected Health Information (PHI) covered by HIPAA. Health insurance premium amounts on a pay stub are not PHI in this context.
PCI DSS
Status: Out of scope (Stripe-handled). Card data is processed by Stripe. PayslipIQ never touches a primary account number. Stripe is PCI DSS Level 1 certified.
Sub-processor list
All sub-processors are bound by contract with security obligations equal to or stronger than ours. Last reviewed: May 2026.
| Vendor | Purpose | Certification | Region |
|---|---|---|---|
| Vercel | Hosting and edge CDN | SOC 2 Type 2 | United States |
| Anthropic | Claude vision model for pay-stub extraction | No-training agreement | United States |
| GitHub | Source control | SOC 2 Type 2 | United States |
| Stripe | Payment processing for premium products | PCI DSS Level 1 | United States |
| Resend | Transactional email (lead magnets, receipts) | SOC 2 Type 2 | United States |
| Plausible | Cookie-less analytics | EU GDPR-aligned | European Union |
Data Processing Addendum (DPA)
B2B partners (HR platforms, payroll software, financial wellness vendors) requiring a signed DPA can request the standard PayslipIQ DPA from legal@payslipiq.com.
Reporting concerns
Privacy or data-handling concerns: privacy@payslipiq.com
Security findings: security@payslipiq.com (or /.well-known/security.txt)
Legal: legal@payslipiq.com
PayslipIQ provides educational information and estimated calculations only. It does not provide tax, legal, financial, accounting, employment, benefits, or payroll advice. PayslipIQ is not a CPA firm, law firm, financial advisor, payroll provider, or tax authority. Always verify your paycheck, deductions, withholdings, and tax position with your employer's payroll department, a qualified CPA, the IRS, your state tax authority, or another appropriately qualified professional. Calculations are estimates; your actual paycheck may differ based on factors specific to your employer, location, benefits elections, and personal tax situation.