Compliance

Duff Cloud Services is a managed website and business-tools platform built on Microsoft Azure. This page describes our compliance posture honestly: what we operate ourselves, what we inherit from our infrastructure provider, and where responsibility is shared with you.

Built on a compliant foundation

DCS runs entirely on Microsoft Azure, which maintains its own independent certifications and attestations for its cloud infrastructure, including SOC 1/2/3, ISO 27001, PCI DSS, HIPAA/HITECH (BAA) support, and FedRAMP. DCS is built on top of that foundation and inherits the physical, network, and infrastructure-layer controls that those attestations cover.

To be clear: those certifications belong to Microsoft Azure for the underlying infrastructure. DCS is a small, owner-operated platform and is not itself independently audited against those frameworks. We do not claim to hold SOC 2, ISO 27001, PCI DSS, FedRAMP, or similar certifications of our own. What we describe below are the controls and contractual commitments DCS actually operates.

Healthcare (HIPAA)

For customers offering healthcare-adjacent services, DCS is built to support HIPAA obligations: protected health information is masked from emails, SMS, push notifications, and kiosk displays; access to sensitive records is audit-logged; and a Business Associate Agreement (BAA) is available for healthcare-category accounts and must be in place before any PHI is processed. Microsoft Azure provides BAA coverage for the underlying infrastructure. DCS is HIPAA-aligned; it is not a certified electronic medical record (EMR) system, and there is no formal "HIPAA certification" for any vendor to hold.

Payments (PCI DSS)

Payments on revenue-enabled sites are processed by Stripe, a PCI DSS Level 1 Service Provider. Cardholders enter card details directly into Stripe's hosted payment fields, so DCS never receives or stores raw card numbers, which keeps DCS in the smallest PCI DSS scope (SAQ A). SAQ A still covers the page that loads Stripe's fields: it must be served over TLS and protected against script tampering. DCS verifies the signature on every Stripe webhook before acting on it and stores only Stripe reference identifiers (event, payment, and customer IDs), never card data.
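The webhook check described above, as an added illustration rather than DCS's own code: Stripe signs each webhook with HMAC-SHA256 over "<timestamp>.<raw body>" using the endpoint's signing secret and sends the result in the Stripe-Signature header (t=..., v1=...). The example below parses that header, checks the timestamp against a replay tolerance, compares the signature in constant time, and then keeps only reference identifiers from the event. The signing secret, timestamp, and event payload are constructed for the example; the header format and signing scheme are Stripe's documented ones.

```python
import hashlib
import hmac
import json
import time
from typing import List, Optional, Tuple

# Constructed sample data: a fake signing secret, a fixed timestamp, and a
# minimal event body. Nothing here comes from a real Stripe account.
SECRET = "whsec_constructed_example_secret"
SAMPLE_TS = 1700000000
SAMPLE_PAYLOAD = (
    b'{"id":"evt_example_001","type":"payment_intent.succeeded",'
    b'"data":{"object":{"id":"pi_example_001","customer":"cus_example_001",'
    b'"amount":4200,"currency":"usd"}}}'
)


def sign_payload(secret: str, timestamp: int, payload: bytes) -> str:
    """HMAC-SHA256 over '<timestamp>.<raw body>', hex encoded (Stripe's v1 scheme)."""
    signed = f"{timestamp}.".encode() + payload
    return hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()


def make_header(secret: str, timestamp: int, payload: bytes) -> str:
    """Build a Stripe-Signature header; used here only to construct test input."""
    return f"t={timestamp},v1={sign_payload(secret, timestamp, payload)}"


def parse_stripe_signature(header: str) -> Tuple[int, List[str]]:
    """Split 't=...,v1=...,v1=...' into the timestamp and all v1 signatures."""
    timestamp: Optional[int] = None
    v1_sigs: List[str] = []
    for item in header.split(","):
        key, _, value = item.strip().partition("=")
        if key == "t":
            timestamp = int(value)
        elif key == "v1":
            v1_sigs.append(value)
    if timestamp is None or not v1_sigs:
        raise ValueError("malformed Stripe-Signature header")
    return timestamp, v1_sigs


def verify_stripe_webhook(payload: bytes, header: str, secret: str,
                          now: Optional[int] = None, tolerance: int = 300) -> bool:
    """Return True only for a signature that matches and is within the replay window."""
    try:
        timestamp, v1_sigs = parse_stripe_signature(header)
    except ValueError:
        return False
    now = int(time.time()) if now is None else now
    if abs(now - timestamp) > tolerance:
        return False  # stale or future-dated: treat as a replay
    expected = sign_payload(secret, timestamp, payload)
    # Constant-time compare against every v1 entry (Stripe may send more than one
    # during a secret rotation); accept if any matches.
    return any(hmac.compare_digest(expected, sig) for sig in v1_sigs)


def extract_reference_ids(payload: bytes) -> dict:
    """Keep only Stripe reference identifiers from a verified event body."""
    event = json.loads(payload)
    obj = event.get("data", {}).get("object", {})
    return {
        "event_id": event.get("id"),
        "event_type": event.get("type"),
        "object_id": obj.get("id"),
        "customer_id": obj.get("customer"),
    }


def handle_webhook(payload: bytes, header: str, secret: str,
                   now: Optional[int] = None) -> Optional[dict]:
    """Reject unverified webhooks; otherwise return the record worth persisting."""
    if not verify_stripe_webhook(payload, header, secret, now=now):
        return None
    return extract_reference_ids(payload)


SAMPLE_HEADER = make_header(SECRET, SAMPLE_TS, SAMPLE_PAYLOAD)

if __name__ == "__main__":
    print(handle_webhook(SAMPLE_PAYLOAD, SAMPLE_HEADER, SECRET, now=SAMPLE_TS))
```

Verification must run over the raw request bytes exactly as received; re-serialising a parsed JSON body changes whitespace or key order and breaks the HMAC. The `now` parameter exists so the replay check can be exercised deterministically; in production it is simply the current time.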

Data privacy

US state privacy laws (CCPA/CPRA and others)

DCS is designed to support consumer privacy rights — including access, correction, and deletion requests — and does not sell personal data. Each customer site is responsible for publishing a privacy policy describing the data it collects and the purposes for collection.

GDPR

For sites that serve visitors in the EU/EEA, DCS provides the technical and organisational measures that underpin GDPR compliance: encryption in transit and at rest, access control, data minimisation, and notification to you, the controller, if a breach affects your data. Establishing a lawful basis, capturing consent, and answering data-subject requests remain the responsibility of the site owner (the data controller).

Shared Responsibility Model

DCS operates as a managed platform. Compliance is a partnership: we secure the platform and provide compliant tools; you are responsible for how you use them and for your own legal obligations.

DCS provides

  • Infrastructure & platform security on Azure
  • Encryption in transit and at rest
  • Access control, audit logging, and PHI masking
  • Compliant consent & signature capture tools
  • A BAA for healthcare-category accounts

You are responsible for

  • Your site's privacy policy and terms content
  • Lawful basis & consent for the data you collect
  • Your industry licensing & obligations
  • User & team access management
  • Your own records-retention requirements

Questions about compliance

For compliance questions, a Business Associate Agreement request, or a vendor security questionnaire, contact us:

Email: legal@duffcloudservices.com