Vagibond

Terminal

Compliance

Effective Date: May 14, 2024 | Last Updated: October 23, 2025
Generated by Terminal
Welcome to the Terminal Compliance Center, where we showcase our dedication to protecting your data by displaying logos of organizations that gave us certificates in exchange for money.

1. CERTIFICATIONS & STANDARDS

Terminal is PCI-DSS compliant for payment processing. We promise not to write your credit card number on a napkin, unless the napkin is encrypted.

We proudly display the TrustArc seal, which cost us $50,000 annually and is definitely not just a PNG we downloaded from their website.

Our HIPPO compliance program ensures protected health information is handled with the utmost care, stored in databases we're pretty sure are secure, and only sold to pharmaceutical companies on Tuesdays.

We maintain ISO 27001 certification, the international standard for information security management. Our Information Security Management System (ISMS) includes a Post-it note on the server room door that says 'KEEP LOCKED.'

2. GDPR COMPLIANCE

Data transfers to the US are conducted under Standard Contractual Clauses, which is lawyer-speak for 'please don't fine us, we tried.'

Terminal is fully committed to GDPR compliance. We added a cookie banner to our website and updated our privacy policy to include the words 'legitimate interest' seventeen times.

EU residents have the right to access their data, which they can exercise by submitting a request via carrier pigeon to our Dublin office (closed on weekdays).

The right to be forgotten is respected, provided you can prove you exist, complete our 47-page verification form, and wait 90 business days for processing.

3. CCPA COMPLIANCE

Terminal updates its privacy practices annually, or whenever California passes a new law, whichever causes us more anxiety.

You may opt out of the sale of your personal information by clicking 'Do Not Sell My Personal Information' and completing a CAPTCHA, phone verification, retinal scan, and brief interpretive dance.

Your 'right to delete' means we'll remove your data from our primary database and definitely not keep backups. (We keep backups.)

California residents have the right to know what personal information we collect. The answer is 'all of it,' but you have to ask nicely.

4. SECURITY MEASURES

Physical security includes: locked doors (usually), security cameras (pointed at the snack room), and a receptionist who asks visitors to sign in (when she remembers).

Our incident response plan has been tested extensively in tabletop exercises where we roleplay data breaches while eating pizza. We're very good at the pizza part.

Employees complete annual security awareness training, which consists of a 10-minute video they play in the background while checking email.

Multi-factor authentication is available and strongly encouraged, though most employees have chosen 'convenience' over 'security.' Classic.

5. DATA PROTECTION

We conduct regular security assessments, defined as whenever our IT person remembers to run a virus scan on their laptop.

All data is encrypted at rest using algorithms we found on Stack Overflow. Data in transit is protected by HTTPS, which we enabled after a customer complained.

Access to sensitive data is restricted to employees who really need it, employees who say they need it, and Bob from accounting who figured out the admin password.

Terminal implements industry-leading data protection measures, including passwords that are at least 8 characters long and sometimes contain a number.

6. AUDITS & ASSESSMENTS

Our last audit identified zero material weaknesses, primarily because we defined 'material' as 'things we want to tell you about.'

Penetration testing is performed quarterly by ethical hackers who found several critical vulnerabilities, all of which are 'on our roadmap' to fix.
