Frequently asked questions

Common questions from prospective and current clients. If your question is not answered here, write to team@getcheckmark.com.

Where is customer data hosted?
All customer data is hosted in AWS Dublin (primary) with backup in AWS Frankfurt. We do not transfer customer data outside the European Union. Our US subprocessor list is intentionally empty for tenant-data scope.
Are you SOC 2 compliant?
Yes. GetCheckmark holds SOC 2 Type II attestation, last completed in Q1 2026 by an independent assessor. The report is available to prospective and current customers under NDA via the trust centre.
What frameworks does the compliance reporting cover?
SOC 2 (CC1.4, CC2.2), ISO 27001:2022 (Annex A.6.3, A.6.5; clauses 7.2, 7.3), NIST CSF (PR.AT-1 through PR.AT-5), PCI DSS v4.0 (Req 12.6), DORA Article 13 Section 6 and supporting RTS, and GDPR Article 32. Custom mappings for sector-specific or internal frameworks are available as a professional-services engagement.
Can our auditor verify certificates directly?
Yes. Each tenant has a verification endpoint where third parties (auditors, regulators, customer due-diligence teams) can verify certificate validity using the verification key. The endpoint does not expose the underlying assessment content.
Do you integrate with our GRC tooling?
Yes. Native connectors are available for Archer, ServiceNow GRC, Diligent, and OneTrust. Generic CSV/JSON export is supported for other GRC platforms.
How is the platform priced?
Annual per-active-user pricing with three tiers (Standard, Enterprise, Regulated). The Regulated tier includes continuous-evidence mode, custom framework mapping support, and a dedicated audit-coordination contact. Detailed pricing is on our platform page.
Can we self-host?
No. GetCheckmark is a multi-tenant SaaS platform. Single-tenant cloud deployment is available for Regulated-tier customers with specific data-residency requirements; we deploy into a dedicated cloud account in the customer's preferred AWS region within the EU.
What is your incident-disclosure policy?
Material security incidents affecting customer data are disclosed to affected customers within 24 hours of confirmation, in line with the DORA expectations we apply to ourselves. Operational status is published on our public status page (status.getcheckmark.com).
Do you support languages other than English?
Yes. Platform UI and content are available in seven languages: English, Irish, French, German, Spanish, Italian, and Dutch. Content is natively produced in each language, not machine-translated.
What happens if we want to exit?
We do not charge exit fees. Customers can export all their certificates, evidence packs, and behavioural data through the platform API at any time during the contract; we provide structured export on contract conclusion. Standard data-retention windows post-exit are documented in the master agreement.
Are you compatible with works-council expectations?
Yes. Cohort-level analytics is the default; individual-level analytics is an explicit tenant opt-in. We provide template documentation for works-council consultation in the major European jurisdictions and accompany the consultation process via the customer-success team.
How do I get a walkthrough?
Use the contact form or write to team@getcheckmark.com. Walkthroughs are hands-on, 45 minutes, run by someone who can answer technical questions.