Compliance & Trust
Last updated: May 1, 2026
This page consolidates the compliance commitments behind stream-rise.com. It is a companion to our /privacy-policy, /aml-kyc-statement, /refund-policy, and /sla. Use this page as a single index when assessing Streamrise as a processor, payment counterpart, or service provider.
1. Compliance Contact
Streamrise maintains a single compliance contact for data-protection, security, and regulatory enquiries: support@stream-rise.com (subject prefix: [Compliance]).
We do not currently designate a separate Data Protection Officer under GDPR Article 37, on the basis that our core activities do not involve large-scale processing of special categories of data and do not require regular monitoring of data subjects on a large scale. The compliance contact above acts as the single accountable point for the equivalent activities — DSAR handling, subprocessor due diligence, breach response, and policy review.
2. EU Representative (GDPR Article 27)
Streamrise is established outside the EU/EEA. We monitor the volume and nature of personal data processing of EEA residents on an ongoing basis. As of the "Last updated" date above, we have assessed that the Article 27 representative threshold is not met under the "occasional processing, low risk to rights and freedoms" exception.
When that assessment changes — for example if EEA-resident order volume crosses the regular-monitoring threshold — we will appoint a designated EU representative and publish their name and contact details here. Until then, EEA data subjects can reach us via the compliance contact in §1, and we respond within the 30-day GDPR window.
3. Personal Data Breach Notification
We follow a 72-hour notification workflow modelled on GDPR Articles 33 and 34:
- Detection. Operational logs (Elasticsearch) and tooling alerts feed a single on-call inbox monitored continuously. Suspected incidents are triaged within four hours.
- Containment + assessment. Within 24 hours of triage we close the immediate vector, freeze affected accounts if needed, and assess whether personal data was actually exposed.
- Regulator notification. Where a notifiable breach is confirmed, we notify the lead supervisory authority within 72 hours of becoming aware of the breach. If we cannot meet that window we still file, with a documented reason for the delay (Article 33(1) second sentence).
- Affected-person notification. If the breach is likely to result in a high risk to rights and freedoms, we notify affected individuals without undue delay (Article 34) — directly by email to the address on file, in clear language, with a description of the data involved and the steps people can take.
- Post-incident. Every notifiable event produces a written post-mortem retained for at least three years; remediation actions are tracked to closure.
To report a suspected security issue, email support@stream-rise.com with subject [Security]. We acknowledge security reports within one business day and do not pursue legal action against good-faith researchers who follow our coordinated-disclosure guidance.
4. Subprocessor Index
The current subprocessor list — payment processors, support tooling, analytics, email delivery, and infrastructure — is maintained in /privacy-policy §5. Material changes (new subprocessor with access to personal data, or a change of legal basis for an existing one) are communicated by updating that list and bumping the privacy-policy "Last updated" date. Customers on contractual data-processing agreements receive email notification of subprocessor changes 14 days before the change takes effect.
5. Cross-Border Data Transfers
Our infrastructure is hosted in European data centres. Where subprocessors handle EEA personal data outside the EEA (notably Google Analytics on selected pages), transfers are made under the European Commission's 2021 Standard Contractual Clauses (SCCs), or under an adequacy decision where one is in force for the destination country (currently: the UK, Switzerland, and the jurisdictions listed in Commission adequacy decisions).
We perform a transfer impact assessment for each non-adequate destination before onboarding a subprocessor that ships data outside the EEA, and we re-assess on a 12-month cadence.
6. FTC Affiliate & Endorsement Disclosure
Streamrise operates a referral program (see /refer). Referrers earn commission when customers they introduce purchase from us.
Under the U.S. Federal Trade Commission's Endorsement Guides (16 CFR Part 255) and the 2024 Consumer Review Rule, anyone publishing an endorsement of Streamrise that they have a material connection with — including referral-link partners, paid creator partnerships, and our own staff — must clearly and conspicuously disclose that connection in the same medium as the endorsement (e.g. #ad, #sponsored, or "I get a commission if you sign up through my link" — visible without tapping "more"; not buried in a profile bio).
Streamrise does not pay for, solicit, or selectively suppress customer reviews. Our visible review surfaces use only verified customer-account-linked feedback. Any future paid creator partnership will be governed by a written brief that requires the creator to honour the FTC disclosure obligation; we will rescind partnerships that fail to disclose. Internal editorial bylines on stream-rise.com (e.g. /author/alex-morrison) are pseudonymous editorial-team personas — disclosed inline on each author page — and are not paid endorsements.
7. Cookie Categories & Consent
Cookie categories, third-party tags, and the consent mechanism are documented in /privacy-policy §4. Non-strictly-necessary cookies are gated behind explicit opt-in consent on the first visit, with symmetric Accept / Reject / Manage choices. The auto-generated, always-current cookie inventory is embedded in /privacy-policy.
8. Complaint Escalation
If you believe Streamrise has handled your personal data incorrectly:
- Email the compliance contact in §1. We respond within five business days, with a substantive answer within 30 days.
- If you are not satisfied with our response, you have the right to lodge a complaint with the data-protection authority in your country of residence. EEA / UK residents can find their lead supervisory authority via the European Data Protection Board (edpb.europa.eu) or the UK Information Commissioner's Office (ico.org.uk).
- California residents can additionally contact the California Privacy Protection Agency (cppa.ca.gov).
Filing a complaint with a regulator is your statutory right and does not require, and is not affected by, contacting us first.
9. Policy Review Cadence
The policies referenced from this page are reviewed at least annually. We also re-issue them whenever there is:
- a material change to the personal data we collect or to the purposes for which we use it;
- a change in our subprocessor list that affects who receives personal data;
- a change in applicable law (EU, UK, US-state, or other jurisdictions where we have customers); or
- an incident whose post-mortem requires a clarifying policy revision.
The "Last updated" date at the top of each policy reflects the most recent revision. Material changes that reduce your rights will be communicated by email at least 14 days before the change takes effect.