
ISO 27001 and GDPR: Building for Global Trust

Subtotal is now ISO 27001 certified and aligned with GDPR requirements, extending our SOC 2 foundation to meet global standards.
Matt Cunningham
Head of Operations

When we announced our SOC 2 Type II compliance, it marked an important milestone. We’ve continued building on that foundation and are proud to share that Subtotal is now ISO 27001 certified and aligned with GDPR requirements.

These milestones bring our security and privacy program in line with global standards, giving the brands, developers, and partners building on Subtotal confidence that their data is protected wherever they operate.

What Are ISO 27001 and GDPR?

ISO 27001 is the leading international standard for information security management systems (ISMS). It evaluates whether an organization has established a systematic, risk-based approach to protecting the information it holds, within a defined certification scope. Certification involves a two-stage independent audit: Stage 1 confirms that the ISMS and its controls are correctly designed and documented; Stage 2 verifies that they are operating effectively in practice. From there, annual surveillance audits confirm the ISMS is maintained, and a full recertification audit takes place every three years.

GDPR, the General Data Protection Regulation, is a law that protects the personal data and privacy of individuals in the European Union. Unlike SOC 2 (an auditor's attestation report) or ISO 27001 (a certification), both of which are voluntary, GDPR is a legal requirement. It applies to organizations established in the EU and to organizations anywhere in the world that offer goods or services to, or monitor the behaviour of, individuals in the EU. There is no GDPR certification to obtain; to assess our compliance, we conducted a thorough self-audit of our operations and technology against GDPR requirements.

In practical terms, achieving both means:

  • We operate a formally certified information security management system, independently audited and verified against the highest international standard.
  • We are committed to processing personal data in accordance with GDPR, with controls in place to handle data lawfully, transparently, and in a way that respects the rights of both our customers and individual shoppers.
  • External auditors have reviewed and tested our controls across all areas of the business.
  • We are committed to ongoing monitoring, annual surveillance audits, and periodic recertification, so you can move forward knowing your information is protected at Subtotal.

Why We Decided To Do This Now

SOC 2 Type II established our operational baseline in North America. ISO 27001 and GDPR extend that foundation globally.

The brands we work with operate across markets, and the data we handle sits at the center of how they build relationships with their shoppers. We chose to meet global security and privacy standards early—before they became requirements—so our partners can move quickly without running into compliance friction.

How We Got Here

The process was driven by a significant amount of focused work from our team. For GDPR, that meant mapping our data processing activities, establishing lawful bases, and ensuring our supplier relationships met the required standard. For ISO 27001, it meant conducting a comprehensive risk assessment, formalizing controls across domains, and completing a multi-stage certification audit with Advantage Partners.

As with SOC 2, we used Vanta throughout to manage evidence and continuously monitor our controls.

The result is a stronger foundation for Subtotal and a compliance posture that holds up anywhere in the world.

What This Means for You

Built for global use cases. Subtotal is designed to let shoppers securely share their retail purchase data with the brands they choose. ISO 27001 certification and GDPR alignment mean that data is handled in line with the expectations of global brands and regulators, so you can build experiences that work across markets.

Fewer blockers as you scale. As brands expand internationally, security and privacy requirements become more complex. With ISO 27001 certification and GDPR-aligned practices in place, Subtotal is ready to meet those requirements upfront, so we can grow with you.

Stronger foundations for data-driven experiences. Subtotal depends on the trust of brands, retailers, and shoppers. These standards reinforce that trust by ensuring data is handled securely and in accordance with global expectations.

Where We Go From Here

As with SOC 2, this isn’t the end of the process. We’ll continue to evolve our security and privacy program as Subtotal grows, building on the foundation we’ve established and ensuring we meet the standards our customers rely on.

We’re grateful to our team, partners, and customers for their continued trust as we keep building Subtotal.
