Compliance Assessment Tool 路 Trust & Legal

Privacy Policy

Last updated: 2026-05-15 路 Classification: Public

Effective: 2026-05-15

1. Who we are

Compliance Assessment Tool, LLC ("CAT", "we", "us") is a Delaware limited liability company at 1111B S Governors Ave, #39128, Dover, DE 19904. We provide a compliance-as-a-service platform that helps acquiring banks, ISOs, and payment service providers ("Partners") complete PCI DSS Self-Assessment Questionnaires ("SAQs") on behalf of their merchants ("End Users").

2. Our role

For most processing of End User personal data, we act as a data processor (or "service provider" under CCPA terminology) on behalf of our Partners, who are the data controllers. Our processing of Partner data is governed by our Data Processing Addendum. For data collected directly from you when you visit this site (e.g., website analytics), we are the controller.

3. Personal data we collect

CategoryExamplesSourcePurpose
Partner contact infoName, work email, phone, rolePartner provides at onboardingAccount management, support, billing
Merchant business infoLegal name, DBA, address, website, contact details, payment-method descriptions, acquirer/processor identifiers, locationsPartner provides via API / iframeSAQ + AoC completion
SAQ responsesFree-text answers to PCI DSS controls, attestation status (In Place / Not In Place / N/A / In Place with CCW), remediation plansMerchant provides via Partner's surfaceSAQ + AoC generation
Signature dataSignatory name, title, attestation acknowledgement, signed-at timestampMerchant provides via Partner's surfaceRendered on AoC attestation page
Web logsIP address, user agent, request path, response status, timestampServer-side via AWS CloudWatchSecurity monitoring, debugging

We do not collect cardholder data (CHD). Our platform is engineered to keep CHD outside our scope; we only collect merchants' descriptions of their payment flows, not the card numbers themselves.

4. Cookies & tracking

This site uses a small number of strictly-necessary, first-party cookies for session and API-key persistence in the demo portal. We use no third-party analytics, no advertising cookies, no marketing pixels, no Google Analytics, no Meta Pixel. Strictly-necessary cookies are exempt from consent under GDPR and ePrivacy.

5. How we use personal data

We do not: sell personal data, share it for cross-context behavioral advertising, use it to train AI models for other customers, or use it for any purpose outside the scope of the Partner's instructions.

6. Disclosures & sub-processors

We disclose personal data only to: (a) our sub-processors under written contracts containing data-protection terms equivalent to those in our DPA; (b) the Partner you arrived from; (c) competent authorities when legally compelled.

7. International transfers

We host customer data in AWS us-east-1 (N. Virginia). For data subjects in the European Economic Area, United Kingdom, or Switzerland, transfers to the United States are governed by the European Commission's Standard Contractual Clauses (2021/914) and, for UK data, the UK International Data Transfer Addendum (IDTA / UK Addendum).

8. Data retention

On Partner request after termination we will return or delete personal data per Section 2.11 of the DPA.

9. Your rights

Depending on where you are located, you may have rights to access, correct, delete, or port your personal data, to object to or restrict processing, and to lodge a complaint with your supervisory authority. Because we typically act as a processor, please direct rights requests to the Partner that gave you access to our platform. We will assist the Partner in responding within the timeframes required by law (typically 30 days for GDPR, 45 days for CCPA).

If you cannot reach the Partner, email chris.larson@complianceassessmenttool.com and we will route the request appropriately.

10. California residents (CCPA / CPRA)

Categories of personal information collected: identifiers (name, email, phone), commercial information (merchant business descriptions), internet activity (web logs), professional information (signatory title). We have not "sold" or "shared" personal information in the prior 12 months. We are a service provider for our Partners; we do not retain, use, or disclose personal information except to perform the services specified in our written contracts.

11. Children

This service is for businesses and is not directed at children under 16. We do not knowingly collect personal data from children.

12. Changes

We will post any material changes to this policy at least 30 days before they take effect. The "Effective" date above reflects the most recent version.

13. Contact

Compliance Assessment Tool, LLC
1111B S Governors Ave, #39128, Dover, DE 19904
Privacy: chris.larson@complianceassessmenttool.com
Security: chris.larson@complianceassessmenttool.com