Compliance

Data Compliance

Our commitments to data protection, regulatory compliance, and responsible data handling across Agent Outpost.

Last reviewed: June 3, 2026

  • HTTPS / TLS Enforced
  • Stripe PCI-DSS Compliant
  • HttpOnly Session Cookies
  • bcrypt + Pepper Passwords
  • Rate Limiting Active
  • No Third-Party Ad Tracking
  • GDPR — Self-Assessed
  • CCPA — Self-Assessed
01

Overview

Agent Outpost, operated by Sholtis Labs, LLC, is committed to responsible data handling. This page documents our data compliance posture, the regulatory frameworks we operate under, our technical controls, and how we handle data subject requests.

We process personal data as a data controller for account and transaction data, and as a data processor when acting on behalf of sellers who use the platform to collect buyer contact information.

Our baseline principle: Collect the minimum data needed to operate the marketplace. Never sell it. Never use it for advertising. Delete it when it's no longer needed.

02

Data Map

The following table describes the categories of personal data we process, the legal basis, and where it's stored.

| Data Category | Examples | Legal Basis (GDPR) | Storage | Retention |
|---|---|---|---|---|
| Account Identity | Email, username, display name, hashed password | Contract | Agent Outpost DB (SQLite → Postgres) | Until account deletion + 30 days |
| Transaction Records | Order IDs, amounts, fees, payout amounts, listing IDs | Contract; Legal obligation | Agent Outpost DB | 7 years (tax/legal) |
| Payment Data | Card numbers, bank accounts | Contract | Stripe only — never stored by Agent Outpost | Governed by Stripe |
| Messages | Buyer-seller platform messages | Contract; Legitimate interest | Agent Outpost DB | Duration of account; deleted with account |
| Reviews | Ratings, written review content | Legitimate interest | Agent Outpost DB | Anonymized on account deletion |
| Session & Security Logs | Login IPs, timestamps, user-agent, audit events | Legitimate interest | Agent Outpost DB | 90 days rolling |
| Seller Payout Details | Stripe Connect account ID, payout method status | Contract | Stripe Connect (reference token in Agent Outpost DB) | Until seller deactivation |
| Waitlist Emails | Email address, referral code, signup timestamp | Consent | Agent Outpost DB | On request or 1 year post-launch |

03

GDPR Compliance (EEA / UK)

Agent Outpost may be used by individuals in the European Economic Area and United Kingdom. We apply GDPR principles to all users globally, not just EU/UK residents.

Legal Bases for Processing

  • Contract (Art. 6(1)(b)) — account management, order processing, seller payouts, email verification, password reset
  • Legitimate Interests (Art. 6(1)(f)) — fraud prevention, security monitoring, abuse detection, marketplace integrity (reviews, dispute resolution)
  • Legal Obligation (Art. 6(1)(c)) — transaction records for tax compliance, fraud reporting
  • Consent (Art. 6(1)(a)) — waitlist sign-ups; any future marketing communications

Data Subject Rights — GDPR

  • Right of Access (Art. 15) — Request a copy of your data via [email protected]
  • Right to Rectification (Art. 16) — Update most data in Settings; contact us for anything else
  • Right to Erasure (Art. 17) — Delete account from Settings or by email; processed within 30 days
  • Right to Portability (Art. 20) — Request JSON/CSV export of your data
  • Right to Object (Art. 21) — Object to legitimate-interest processing; email [email protected]
  • Right to Restrict Processing (Art. 18) — Request restriction while disputes are pending
  • ~ DPA / EU Representative — Currently self-assessed; formal DPA appointment in progress as we scale EU user base

International Data Transfers

Agent Outpost's infrastructure is hosted in the United States. Data transfers from the EEA/UK to the US rely on Standard Contractual Clauses (SCCs) incorporated in our agreements with Stripe and Resend. We do not transfer personal data to countries without adequate protections outside of these frameworks.

Data Protection by Design

We apply data minimization, purpose limitation, and storage limitation principles throughout the platform. We conduct privacy impact assessments for new features that involve significant personal data processing.

04

CCPA Compliance (California)

California residents have rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).

California Data Subject Rights

  • Right to Know — You may request disclosure of the categories and specific pieces of personal information we collect
  • Right to Delete — You may request deletion of your personal information, subject to legal retention requirements
  • Right to Correct — You may request correction of inaccurate personal information
  • Right to Opt-Out of Sale — We do not sell personal information. No opt-out required.
  • Right to Non-Discrimination — Exercising any CCPA right will not affect your ability to use Agent Outpost
  • Right to Limit Use of Sensitive Data — We do not use sensitive personal information for secondary purposes

Categories of Personal Information Collected (CCPA)

  • Identifiers (name, email, username, IP address)
  • Commercial information (transaction records, purchase history)
  • Internet activity (pages visited, session data within Agent Outpost)
  • Financial information (processed by Stripe — not directly collected by us)

No sale or sharing: We do not sell, rent, or share personal information with third parties for cross-context behavioral advertising. Our data sharing is limited to service providers (Stripe, Resend) under written data processing agreements.

To submit a CCPA request, email [email protected] with "CCPA Request" in the subject line. We will verify your identity and respond within 45 days (with one 45-day extension if needed).

05

PCI DSS Compliance

Agent Outpost uses Stripe for all payment processing. Stripe is a certified PCI DSS Level 1 service provider — the highest level of certification in the payment card industry.

  • No card data storage — Raw card numbers, CVV codes, and full PANs never touch Agent Outpost servers
  • Stripe Elements / Checkout — Payment forms hosted by Stripe; cardholder data is entered directly into Stripe's iframe
  • Tokenization — Stripe returns a payment intent ID; we store only this token reference
  • HTTPS enforced — All pages served over TLS; payment pages additionally inherit Stripe's certificate chain
  • Reduced PCI scope — By using hosted Stripe fields, Agent Outpost qualifies for SAQ A (the lightest self-assessment questionnaire)

Stripe's PCI compliance documentation is available at stripe.com/docs/security.

06

Security Controls

  • TLS / HTTPS — All traffic encrypted in transit via Cloudflare TLS termination
  • Password hashing — bcrypt with server-side pepper; no plaintext passwords stored
  • HttpOnly, Secure session cookies — Session tokens inaccessible to JavaScript; transmitted only over HTTPS
  • Rate limiting — Login, registration, and API endpoints rate-limited per IP to prevent brute force
  • Account lockout — Repeated failed logins trigger temporary account lockout
  • RBAC (Role-Based Access Control) — Admin routes protected by server-side role verification on every request
  • Input validation — All user-supplied input validated and sanitized server-side; parameterized queries for all DB access
  • Audit logging — Security-relevant events (login, password change, admin actions) logged with timestamps and IP
  • CORS policy — Strict origin allowlist; cross-origin requests from unauthorized domains rejected
  • Content Security Policy — CSP headers restrict script/style/font sources
  • No third-party tracking scripts — No Google Analytics, Facebook Pixel, or ad network scripts on platform pages
  • ~ MFA / TOTP — Available — TOTP 2FA live at /settings (setup, verify, disable)
  • ~ Penetration testing — Planned prior to scaling beyond 1,000 users
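As an added illustration (not Agent Outpost's code), the Python below shows how two of the controls listed above fit together on a login endpoint: a per-IP sliding-window rate limiter, a per-account lockout after repeated failures, and an audit record (timestamp, IP, account, outcome) for each attempt. The thresholds (10 attempts per IP per 60 seconds; lockout for 15 minutes after 5 consecutive failures), the credential store, the IP addresses and the `FakeClock` are all constructed for the example; the page states no such numbers.

```python
"""Per-IP rate limiting plus per-account lockout for a login route.

Added example only; thresholds and sample data are assumptions, not
Agent Outpost's configuration.
"""
import hmac
import time
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per key within the trailing `window` seconds."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock
        self._events = defaultdict(deque)  # key -> timestamps of recent events

    def allow(self, key):
        now = self.clock()
        q = self._events[key]
        while q and now - q[0] >= self.window:  # expire old timestamps
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class AccountLockout:
    """Lock an account for `lock_for` seconds after `max_failures` consecutive failures."""

    def __init__(self, max_failures, lock_for, clock=time.monotonic):
        self.max_failures = max_failures
        self.lock_for = lock_for
        self.clock = clock
        self._failures = defaultdict(int)
        self._locked_until = {}

    def is_locked(self, account):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:  # lock expired: reset the counter
            del self._locked_until[account]
            self._failures[account] = 0
            return False
        return True

    def record_failure(self, account):
        self._failures[account] += 1
        if self._failures[account] >= self.max_failures:
            self._locked_until[account] = self.clock() + self.lock_for

    def record_success(self, account):
        self._failures[account] = 0
        self._locked_until.pop(account, None)


# Constructed credential store. Plaintext only so the demo runs offline; a real
# store holds bcrypt hashes, as the controls above describe.
CREDENTIALS = {"alice": "correct horse"}


def login(ip, username, password, limiter, lockout, audit):
    """Check rate limit, then lockout, then credentials; always write an audit event."""
    if not limiter.allow(ip):
        outcome = "rate_limited"
    elif lockout.is_locked(username):
        outcome = "locked"  # a correct password does not bypass an active lock
    elif hmac.compare_digest(CREDENTIALS.get(username, "").encode(), password.encode()):
        lockout.record_success(username)
        outcome = "ok"
    else:
        lockout.record_failure(username)
        outcome = "bad_credentials"
    audit.append((limiter.clock(), ip, username, outcome))
    return outcome


class FakeClock:
    """Deterministic clock so the scenario below is reproducible."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def simulate():
    """Run a brute-force scenario and return the list of outcomes."""
    clock = FakeClock()
    limiter = SlidingWindowLimiter(limit=10, window=60.0, clock=clock)
    lockout = AccountLockout(max_failures=5, lock_for=900.0, clock=clock)
    audit, outcomes = [], []
    for _ in range(5):  # five wrong guesses from one IP: the fifth trips the lockout
        outcomes.append(login("203.0.113.7", "alice", "wrong", limiter, lockout, audit))
        clock.advance(1)
    # correct password from the same IP, and from a second IP: both "locked",
    # because lockout is keyed on the account, not the source address
    outcomes.append(login("203.0.113.7", "alice", "correct horse", limiter, lockout, audit))
    outcomes.append(login("198.51.100.9", "alice", "correct horse", limiter, lockout, audit))
    for _ in range(5):  # four more exhaust the first IP's 10/60s budget; the fifth is rate-limited
        clock.advance(1)
        outcomes.append(login("203.0.113.7", "alice", "correct horse", limiter, lockout, audit))
    clock.advance(900)  # lock and window both expire; the legitimate login succeeds
    outcomes.append(login("203.0.113.7", "alice", "correct horse", limiter, lockout, audit))
    return outcomes


if __name__ == "__main__":
    print(simulate())
```

The two controls are deliberately keyed differently: the limiter caps attempts per source IP, while the lockout follows the account, so an attacker rotating addresses still hits the lock, and a legitimate user who happens to know the password cannot clear an active lock early. The audit list is what would feed the 90-day security log described in the data map.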
07

Sub-Processors

Agent Outpost uses the following sub-processors who may process personal data on our behalf. All are under written data processing agreements:

| Sub-Processor | Purpose | Data Processed | Location | Privacy Policy |
|---|---|---|---|---|
| Stripe, Inc. | Payment processing, seller payouts (Stripe Connect) | Payment card data, bank account details, transaction amounts | USA (global) | stripe.com/privacy |
| Resend, Inc. | Transactional email delivery | Email address, email content (verification, password reset, notifications) | USA | resend.com/privacy |
| Cloudflare, Inc. | CDN, TLS termination, DDoS protection | IP addresses, request metadata (not stored by Cloudflare beyond their standard logs) | USA (global edge) | cloudflare.com/privacypolicy |

We will update this list when new sub-processors are added. We do not use sub-processors for advertising, data enrichment, or analytics beyond what's needed to operate the marketplace.

08

Data Retention Schedule

| Data Type | Retention Period | Basis | Deletion Method |
|---|---|---|---|
| Account profiles | Until deletion + 30-day grace | Contract | Permanent DB delete |
| Transaction records | 7 years | Legal obligation (IRS, tax) | Anonymized after account deletion; deleted after 7 years |
| Messages | Duration of account | Contract / legitimate interest | Deleted with account after 30-day grace period |
| Reviews | Indefinite for marketplace integrity | Legitimate interest | Author attribution removed on account deletion; content retained anonymized |
| Audit / security logs | 90 days rolling | Legitimate interest (fraud/security) | Automatic purge after 90 days |
| Waitlist entries | 1 year post-launch or on request | Consent | Manual delete on request; automatic after 1 year |
| Session cookies | 24 hours (active sessions) | Contract | Server-side invalidation on logout or expiry |

09

Data Breach Response

In the event of a data breach or suspected unauthorized access to personal data, we follow this response protocol:

  1. Contain (0–2 hours) — Immediately isolate affected systems, revoke compromised credentials, and stop active data exfiltration
  2. Assess (2–24 hours) — Determine scope: what data was accessed, how many users affected, whether sensitive data was exposed
  3. Notify affected users (within 72 hours of discovery) — Email notification to all affected users with: what happened, what data was involved, what we're doing, and what they should do
  4. Regulatory notification — Notify relevant supervisory authorities within 72 hours as required by GDPR Art. 33; CCPA breach notifications as required by California law
  5. Post-mortem — Full incident report, root cause analysis, and remediation steps published within 30 days

If you discover a potential security vulnerability, please report it to [email protected] before public disclosure. We respond to all security reports within 24 hours.

10

Exercising Your Data Rights

To submit any data subject request (access, deletion, portability, correction, objection), email [email protected] with:

  • Your full name and the email address associated with your account
  • The specific right you wish to exercise
  • Any relevant details (e.g., data to be corrected, specific export format needed)

We will verify your identity before processing the request. Most requests are fulfilled within 30 days. Complex requests may take up to 60 days with notice.

Automated Requests (coming soon)

We are building a self-service data portal in Account Settings where users can download their data export and request account deletion without emailing us. This will be available in a future platform release.

11

Data Protection Contact

For all data protection, privacy, and compliance inquiries:

We do not currently have a formally appointed Data Protection Officer (DPO) but intend to designate one as we scale our EU user base. In the interim, all DPO-equivalent functions are handled by the founding team at the privacy email above.

Data or compliance question?

We take every privacy inquiry seriously. Expect a response within 2 business days.

[email protected]