Compliance

Your data never leaves your cloud

Sampleless deploys entirely within your cloud environment. Your telemetry data is collected, processed, stored, and queried inside your VPC. This architecture keeps the heaviest compliance obligations where they belong: within your existing environment.

SOC 2: In Progress
HIPAA: BAA Available
SEC 17a-4: Supported
PCI DSS: Supported

Full data custody

Instead of trusting a third-party vendor with your data, you retain full custody. Your existing cloud provider agreements, IAM policies, encryption configurations, and network controls remain the foundation of your compliance posture.

Sampleless extends your observability capabilities without expanding your data exposure.

Data Location: Your VPC
Encryption Keys: Your KMS
Access Control: Your IAM
Network: Your Rules

Shared Responsibility Model

Compliance is shared between Sampleless, your organization, and your cloud provider. Our BYOC architecture keeps data custody with you.

Sampleless

  • Secure software development lifecycle
  • Supply chain security
  • Control plane security (no telemetry is transmitted to the Sampleless control plane)
  • Business Associate Agreements
  • Incident response procedures

Your Organization

  • IAM policies and network configuration
  • VPC isolation and encryption settings
  • Access control to dashboards
  • Retention policy configuration
  • Data classification

Cloud Provider

  • Physical security and data centers
  • Infrastructure availability (SLA)
  • Platform compliance certifications
  • Hardware lifecycle management

Regulatory Framework Support

Our dual-write pipeline writes each record to two destinations: queryable analytics storage for real-time access, and immutable archival storage for tamper-proof long-term retention.

These are architectural capabilities that support your compliance program, not a claim that Sampleless alone satisfies any regulatory framework.

Financial Services

SEC 17a-4(f)

Non-rewriteable, non-erasable record retention via S3 Object Lock Compliance Mode.

FINRA 4511(c)

Defers to the SEC 17a-4(f) requirements and is covered by the same Cohasset assessment.

CFTC 1.31

Technology-neutral record retention requirements, covered by the same Cohasset assessment.

Healthcare & Privacy

HIPAA

Six-year retention, audit log integrity. BAA available for covered entities.

SOX

Seven-year retention for financial records in tamper-proof formats.

Security Standards

PCI DSS Req. 10

Tamper-proof audit trails; one-year retention, with the most recent 90 days immediately queryable.

SOC 2 Type II

Building controls from day one. Formal attestation planned as we scale.

Immutable Archival Storage

Sampleless writes telemetry to cloud-native immutable storage: AWS S3 Object Lock, Azure Immutable Storage, or GCP Bucket Lock. Protected objects cannot be overwritten or deleted until their retention period expires. On AWS the retention mode matters: only Compliance mode prevents every principal, including the account root user, from shortening the retention period or deleting the object early, and it is the mode the SEC 17a-4(f) support above relies on. Governance mode can be bypassed by any principal granted s3:BypassGovernanceRetention, so verify the mode on the archive bucket, not just that Object Lock is enabled.

These storage services have been independently assessed by Cohasset Associates for SEC, CFTC, and FINRA compliance.

Retention Periods

PCI DSS: 1 year (90 days queryable)
SEC 17a-4: 3–6 years
FINRA / CFTC: Per SEC schedule
HIPAA: 6 years
SOX: 7 years

Retention is set per bucket as the immutable storage service's default retention policy, so a single deployment can serve several frameworks with different schedules by using a bucket per schedule.
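The check a compliance reviewer will actually want is not "is Object Lock on" but "is the archive bucket in Compliance mode with a default retention at least as long as the framework requires". The following is an added example, not Sampleless code: it audits an S3 Object Lock configuration (in the dict shape that boto3's get_object_lock_configuration returns) against the retention table above. The two sample configurations are constructed for illustration, the framework list and year counts are taken from the table (SEC 17a-4 at the upper end of its 3–6 year range), and the conversion of a year to 365 days is this example's assumption.

```python
"""Audit an S3 Object Lock configuration against the retention table.

Added example, not part of Sampleless. A real run would obtain the
configuration with boto3:

    s3 = boto3.client("s3")
    config = s3.get_object_lock_configuration(Bucket="my-archive-bucket")

and pass it to audit(); here the configurations are constructed inline.
"""

DAYS_PER_YEAR = 365  # assumption for this example; AWS accepts Days or Years

# Minimum default retention per framework, from the retention table above.
REQUIRED_RETENTION_DAYS = {
    "PCI DSS Req. 10": 1 * DAYS_PER_YEAR,
    "SEC 17a-4(f)": 6 * DAYS_PER_YEAR,   # upper end of the 3-6 year range
    "HIPAA": 6 * DAYS_PER_YEAR,
    "SOX": 7 * DAYS_PER_YEAR,
}


def _default_retention(config):
    """Return the DefaultRetention rule, or {} when Object Lock is not enabled."""
    lock = config.get("ObjectLockConfiguration", {})
    if lock.get("ObjectLockEnabled") != "Enabled":
        return {}
    return lock.get("Rule", {}).get("DefaultRetention", {})


def default_retention_days(config):
    """Default retention in days (0 when Object Lock is off or no rule is set)."""
    rule = _default_retention(config)
    # AWS allows either Days or Years in a rule, never both.
    return rule.get("Days", 0) + rule.get("Years", 0) * DAYS_PER_YEAR


def retention_mode(config):
    """'COMPLIANCE', 'GOVERNANCE', or None when no default rule exists."""
    return _default_retention(config).get("Mode")


def audit(config, required=REQUIRED_RETENTION_DAYS):
    """Map each framework to its list of findings; an empty list means it passes."""
    mode = retention_mode(config)
    days = default_retention_days(config)
    results = {}
    for framework, need in required.items():
        findings = []
        if mode != "COMPLIANCE":
            # Governance mode is bypassable via s3:BypassGovernanceRetention.
            findings.append(f"retention mode is {mode!r}; COMPLIANCE required")
        if days < need:
            findings.append(f"default retention {days} days < required {need}")
        results[framework] = findings
    return results


def passes(config, framework):
    """True when the bucket configuration satisfies one named framework."""
    return audit(config)[framework] == []


# Constructed sample: the weak setting. Lock is enabled, but the mode is
# bypassable and 90 days is shorter than every schedule in the table.
WEAK_CONFIG = {
    "ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 90}},
    }
}

# Constructed sample: the corrected setting for a seven-year archive.
COMPLIANT_CONFIG = {
    "ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 7}},
    }
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("compliant", COMPLIANT_CONFIG)):
        for framework, findings in audit(cfg).items():
            status = "OK" if not findings else "; ".join(findings)
            print(f"{name:9s} {framework:16s} {status}")
```

Run it against each archive bucket's live configuration before a reviewer does; a passing result only covers the default rule, so objects written with an explicit shorter per-object retention still need the per-object check the bucket policy should forbid.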

Questions

Questions about compliance?

We can complete your vendor security questionnaire, walk through our architecture with your compliance team, or discuss BAA execution.