Security & Compliance

The infrastructure that lets your team trust us with your customers' data.

Fill Easy is built for regulated financial institutions. That means ISO 27001 certification, licensed cross-border data transfer, PDPO and GDPR alignment, and government-direct sourcing — with no data aggregators in the chain.

ISO 27001:2022 | PIPL / CBDT Licensed | PDPO Compliant | GDPR Ready | Gov-Direct Sourcing
ISO 27001

ISO 27001:2022 Certified

International standard for information security management

Fill Easy is certified to ISO 27001:2022 — the globally recognised standard for Information Security Management Systems (ISMS). This means our security controls, risk management processes, and data handling practices have been independently audited and verified to meet the highest international benchmarks. Certification is reviewed annually by an accredited third-party auditor.

Key Details

Scope: All systems processing customer identity and corporate verification data

Standard: ISO/IEC 27001:2022

Audit cycle: Annual recertification + surveillance audits

Certificate available: On request for enterprise procurement

PIPL / CBDT

Licensed Cross-Border PII Transfer

Guangdong Cyberspace Authority — Standard Contract No. 202500031

China's Personal Information Protection Law (PIPL) requires any transfer of personal data between Mainland China and overseas (including Hong Kong) to be covered by a legal mechanism — either a security assessment, personal information protection certification, or a Standard Contract. Fill Easy holds a filed and approved Standard Contract under Article 38 of PIPL, issued by the Guangdong Cyberspace Authority. This licence covers all identity and corporate data transfers made through our platform for GBA cross-border use cases.

Key Details

Filing number: No. 202500031

Issuing authority: Guangdong Cyberspace Authority (CAC)

Legal basis: PIPL Art. 38 — Standard Contract mechanism

Data types covered: Individual identity, corporate registry, financial screening

Transfer direction: HK ⇄ Mainland China (GBA)

PDPO

Hong Kong PDPO Compliant

Personal Data (Privacy) Ordinance — Cap. 486

Fill Easy operates in full compliance with Hong Kong's Personal Data (Privacy) Ordinance (PDPO), Cap. 486. All personal data collected and processed through our platform is handled in accordance with the six Data Protection Principles, including lawful and fair collection, purpose limitation, data accuracy, retention limits, and security safeguards. We are registered as a data user under the PDPO where required.

Key Details

Framework: Personal Data (Privacy) Ordinance (Cap. 486)

Regulator: Office of the Privacy Commissioner for Personal Data (PCPD), HK

Principles met: All 6 Data Protection Principles

Data retention: Minimised — verification results held only for required audit period

GDPR

GDPR Ready

EU General Data Protection Regulation — for EU-connected data flows

Fill Easy has received a Business Development Grant from Malta Enterprise to establish an EU hub, and our data architecture is designed to support GDPR obligations for clients with EU-connected data flows. This includes data subject rights management, lawful basis documentation, data processing agreements (DPAs), and security measures aligned with Article 32 of the GDPR.

Key Details

DPA available: Yes — Data Processing Agreement on request

EU Hub: Malta (grant-funded — in progress)

Lawful bases: Legal obligation, legitimate interest, consent (as applicable)

Data subject rights: Access, rectification, erasure, portability supported

Security practices

How we protect data across our platform and infrastructure.

Encryption in transit & at rest

All data transmitted to and from Fill Easy endpoints is encrypted using TLS 1.2+. Data at rest is encrypted using AES-256.

No data aggregation or resale

Fill Easy queries government sources in real time and returns results directly to the requesting client. We do not build data profiles, resell data, or retain PII beyond the minimum required audit period.

Role-based access controls

Access to customer data within our systems is strictly role-based, with audit logs maintained for all access events. Least-privilege principles apply across all internal systems.

Penetration testing

Fill Easy conducts periodic third-party penetration tests against our API and web infrastructure. Critical findings are remediated within agreed SLAs.

Vendor & supply chain security

All third-party vendors with access to personal data are assessed against our security standards and required to sign data processing agreements.

Staff security training

All Fill Easy staff complete mandatory annual security awareness training and are bound by confidentiality obligations covering customer data.

Government-direct data sourcing

No data aggregators. No stale databases. No extra privacy risk.

Step 1 (Your system): API request or Excel upload sent to Fill Easy endpoint

Step 2 (Fill Easy): Routes request to the appropriate government source in real time

Step 3 (Government source): iAM Smart, MPS, SAMR, Singpass, UAE Pass — live authoritative data

Important: Fill Easy does not store, aggregate, or resell personal data returned from government sources. Data is passed directly to the requesting client. Audit logs are retained in accordance with applicable law and our ISO 27001 ISMS policy.

Responsible disclosure

If you discover a security vulnerability in Fill Easy's systems, please report it to our security team directly. We review all submissions and respond within 5 business days.

security@fill-easy.com

Enterprise procurement

Need our ISO 27001 certificate, DPA, security questionnaire responses, or penetration test summaries? Contact us and our compliance team will respond within 1 business day.
