One control set.

Three frameworks satisfied.

SaleStreams is built so that data protection, payment security and information security management reinforce each other — not compete. Here's how we approach compliance across the platform.

Frameworks we design around

GDPR, PCI DSS and ISO 27001 regulate different things — personal data, cardholder data, and information security management respectively — but on a platform like ours they converge on the same underlying controls: access, encryption, logging, retention, incident response and supplier oversight.

Data Protection

UK & EU GDPR

Governs how we collect, process and protect personal data across our customer portal, marketing, loyalty and membership features — covering consent, data-subject rights and accountability.

Payment Security

PCI DSS

Applies to every point our platform captures, transmits or stores cardholder data. We scope our payment flows tightly and tokenise card data at capture wherever possible.

Information Security

ISO 27001

A certifiable management-system standard covering our entire estate — platform, back office, suppliers and underlying infrastructure — as a single Information Security Management System (ISMS).

A unified approach to controls

Rather than running separate programmes per framework, we build one control set sized to the strictest applicable requirement, so each control satisfies GDPR, PCI DSS and ISO 27001 at the same time.

Control area How we approach it
Access & authentication Per-user credentials with multi-factor authentication, enforced through a single identity service across the platform.
Encryption Data is encrypted in transit and at rest, with cardholder data tokenised at the point of capture so raw card numbers never reach our back-office systems.
Logging & monitoring Access to records is logged with tamper-evident retention, masking sensitive values so audit logs never become a data-protection liability of their own.
Data minimisation & retention We collect and retain only the data needed to run the platform, for no longer than necessary, consistent with our published retention practices.
Testing & vulnerability management Regular vulnerability scanning and periodic independent penetration testing across the platform.
Supplier oversight Third-party suppliers are assessed for data protection agreements, payment compliance status and information security certifications before onboarding.
Incident response A single incident response plan with defined notification paths for regulators, payment schemes and affected customers, triaged by the type of data involved.

Certifications & standards

Our infrastructure and controls are built to meet the following standards.

UK GDPR + EU GDPR US CCPA/CPRA PCI DSS Level 1 SOC 2 Type II ready ISO 27001 99.99% Uptime SLA

Need compliance documentation?

Request our DPA, security questionnaire responses or certification evidence for your procurement or audit process.

Request Documentation View Security Page