PLEASE READ THIS GENERAL COMPLIANCES POLICY CAREFULLY

OVERVIEW OF OUR PRIVACY POLICY

Color Card Administrator (CCA) is a privately held company headquartered in San Diego, California, United States. This Compliance Policy outlines the regulatory frameworks, security standards, and operational practices adopted by CCA to support lawful, fair, and transparent processing of data.

COMPLIANCE PHILOSOPHY

CCA is committed to maintaining a realistic, evidence-based compliance posture:

• We do not claim blanket or automatic certification under any regulation unless formally obtained.
  
• We align practices with applicable laws, but compliance depends on specific use, configuration, and customer implementation.
  
• We apply risk-based, proportional safeguards consistent with industry standards.
  
• We continuously improve compliance controls as business operations evolve.
  

APPLICABLE REGULATORY FRAMEWORKS

CCA aligns its operations with the following frameworks where applicable:

UNITED STATES PRIVACY LAWS

• California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA)
  
• Virginia Consumer Data Protection Act (VCDPA)
  
• Colorado Privacy Act (CPA)
  
• Other applicable U.S. state privacy laws
  

INTERNATIONAL REGULATIONS

• General Data Protection Regulation (GDPR) for EU/EEA users where applicable
  
• UK GDPR (where relevant)
  
• Applicable cross-border data transfer requirements
  

CHILDRENS DATA

• Childrens Online Privacy Protection Act (COPPA)
  

CCA does not knowingly collect data from children under 13 (or a higher age where required by applicable law) without verifiable parental consent.


DATA PROCESSING PRINCIPLES

CCA follows core privacy principles derived from global standards:

• Lawfulness, fairness, and transparency
  
• Purpose limitation
  
• Data minimization
  
• Accuracy
  
• Storage limitation
  
• Integrity and confidentiality
  
• Accountability
  

INFRASTRUCTURE & SUBPROCESSOR COMPLIANCE

CCA utilizes third-party infrastructure providers. While these providers maintain their own certifications, CCA does not claim to inherit or extend those certifications automatically.

HOSTING & INFRASTRUCTURE PROVIDERS

• OVH US Data Center & Infrastructure
  
• Amazon Web Services (AWS) US Regions
  
• Microsoft Azure US Regions
  

These providers generally maintain industry certifications such as:

• ISO 27001
  
• SOC 1 / SOC 2 / SOC 3
  
• PCI-DSS (where applicable)
  

CCA relies on these providers for infrastructure security but remains responsible for its own application-level controls and configurations.

DOMAIN & NETWORK PROVIDERS

• Enom (Domain Registrar) Domain management and registration
  
• Cloudflare, Inc. CDN, DNS, and security services (e.g., DDoS mitigation, WAF)
  

Cloudflare provides:

• Network-layer security controls
  
• Traffic filtering and caching
  
• TLS/SSL encryption support
  

Use of Cloudflare enhances security posture but does not constitute full compliance certification.

SECURITY CONTROLS

CCA implements administrative, technical, and organizational safeguards, including:

TECHNICAL SAFEGUARDS

• HTTPS/TLS encryption for data in transit
  
• Role-based access control (RBAC)
  
• Secure authentication mechanisms
  
• Firewall and traffic filtering (via Cloudflare and hosting providers)
  
• Regular patching and updates
  

ORGANIZATIONAL MEASURES

• Limited employee access based on job role
  
• Internal access controls and confidentiality obligations
  
• Vendor risk assessment (where applicable)
  

LIMITATIONS

• No system is 100% secure
  
• Security effectiveness depends on proper configuration and user practices
  

DATA TRANSFERS

• Data may be processed and stored in the United States
  
• For international users, transfers are conducted using:
  
  0 Standard Contractual Clauses (SCCs), where applicable
  0 Other lawful transfer mechanisms
  
  

DATA RETENTION & MINIMIZATION

CCA retains data only for:

• Operational necessity
  
• Legal obligations
  
• Dispute resolution and enforcement
  

Retention periods are defined in the Data Retention Policy and are applied proportionately.

USER RIGHTS & COMPLIANCE SUPPORT

Depending on jurisdiction, users may have rights including:

• Access to personal data
  
• Correction of inaccurate data
  
• Deletion (right to be forgotten)
  
• Data portability
  
• Opt-out of sale/sharing (if applicable)
  
• Restriction or objection to processing
  

Requests can be submitted via designated privacy contact channels.

COOKIE & TRACKING COMPLIANCE

CCA aligns with its Cookie Policy and Consent Framework:

• Uses consent-based cookie management where required
  
• Stores consent locally in user browsers (not server-side)
  
• Re-prompts users after consent expiration
  
• Provides opt-out mechanisms
  

THIRD-PARTY SERVICES & SDKS

CCA may integrate third-party services. For each:

• Only necessary data is shared
  
• Data processing is governed by vendor agreements
  
• Vendors act as independent controllers or processors as applicable
  

INCIDENT RESPONSE & BREACH NOTIFICATION

CCA maintains a structured response approach:

• Identification and containment of incidents
  
• Internal assessment and documentation
  
• Notification to affected users and regulators where legally required
  

COMPLIANCE LIMITATIONS

CCA explicitly states:

• It is not a certified compliance authority
  
• It does not guarantee regulatory compliance for customers
  
• Compliance depends on:
  
  o Customer usage
  o Configuration
  o Jurisdiction
  

UPDATES TO THIS POLICY

CCA may update this Compliance Policy to reflect:

• Regulatory changes
  
• Infrastructure updates
  
• Operational improvements
  

Updates will be posted with a revised effective date.

CONTACT INFORMATION

For compliance or privacy inquiries:

Color Card Administrator (CCA)
7898 Ostrow Street, Suite E
San Diego, CA 92111
United States

Click Here to contact us.