Trust & Transparency

Compliance & Certifications

AntiMatter AV is designed and operated in alignment with international security standards, privacy regulations, and product safety requirements. This page details our compliance framework.

  • ISO 27001 Aligned
  • ISO 27701 Aligned
  • GDPR Compliant
  • CCPA/CPRA Compliant
  • EU CRA Ready
  • CE Mark Ready
  • CIS Benchmarks
  • SBOM Available

International Security & Quality Frameworks

ISO/IEC 27001 & 27002

Information Security Management

AntiMatter AV's information security management system (ISMS) is designed in alignment with ISO 27001 requirements. Our controls cover:

  • Risk assessment and treatment methodology
  • Access control and user authentication (JWT + bcrypt)
  • Cryptographic controls (SHA-256, TLS 1.3, AES)
  • Incident management and response procedures
  • Business continuity planning
  • Supplier relationship security (ISO 27002 Annex A)

ISO/IEC 27701

Privacy Information Management

Our privacy management extends ISO 27001 with PIMS (Privacy Information Management System) controls:

  • Privacy impact assessments for all features
  • Data subject rights management (access, erasure, portability)
  • Lawful processing and consent management
  • Third-party data processing controls
  • Cross-border data transfer safeguards

CIS Benchmarks

Center for Internet Security

AntiMatter AV's server infrastructure and application configuration follow CIS Benchmark guidelines:

Server Hardening

PostgreSQL, Node.js, and Nginx configured per CIS Level 1 benchmarks

Network Security

TLS 1.3 enforcement, CORS policies, rate limiting, firewall rules

Application Security

Parameterized queries, input validation, secure authentication flows

Regional Data Protection & Privacy Laws

GDPR (European Union)

General Data Protection Regulation

  • Lawful Basis: Contract performance (license agreement) and legitimate interest (security protection)
  • Data Minimization: Only the license key, HWID, and threat counts are collected; no personal files are scanned remotely.
  • Right to Erasure: Users can request complete data deletion via customer portal
  • Data Portability: Export user data in machine-readable JSON format
  • DPO: Data Protection Officer designated for GDPR oversight

CCPA / CPRA (United States)

California Consumer Privacy Act

  • Right to Know: Full disclosure of data categories collected
  • Right to Delete: Account and data deletion upon request
  • No Sale of Data: AntiMatter AV does not sell personal information to third parties
  • Non-Discrimination: No service degradation for exercising privacy rights
  • Opt-Out: Users can opt out of non-essential telemetry

LGPD (Brazil)

Lei Geral de Proteção de Dados

  • Legitimate purpose for all data processing
  • Transparent data handling practices
  • Data subject access and correction rights
  • Anonymization and pseudonymization of personal data

PIPL (China)

Personal Information Protection Law

  • Informed consent for data collection
  • Purpose limitation — data used only for security protection
  • Data localization readiness for Chinese market deployments
  • Cross-border data transfer impact assessment

Product Safety & Cybersecurity Regulations

EU Cyber Resilience Act (CRA)

Regulation (EU) 2024/2847 — Products with Digital Elements

Classification & Conformity

  • Class I Product: AntiMatter AV is classified as a Class I "product with digital elements" (antivirus/endpoint security)
  • Conformity Assessment: Self-assessment with technical documentation
  • Secure-by-Default: All features enabled with secure settings out of the box
  • CE Marking: Declaration of conformity maintained for EU market access

Vulnerability & Lifecycle Management

  • 24-Hour Reporting: Actively exploited vulnerabilities reported to ENISA within 24 hours
  • SBOM: Complete Software Bill of Materials available at /api/sbom
  • End-of-Support: Clear lifecycle dates published for each version
  • Security Updates: Free security patches for minimum 5 years post-release

Technical & Operational Requirements

Automated Updates

Virus definitions and threat signatures update automatically:

  • Delta updates every 6 hours (bandwidth-efficient)
  • Full definition sync on first install
  • Versioned definitions with rollback capability
  • Admin-managed signature uploads with audit trail

Real-time Scanning & EDR

Endpoint Detection and Response capabilities:

  • Real-time file system monitoring (create, modify, delete events)
  • SHA-256 hash-based threat detection with cached smart scanning
  • Automated quarantine of detected threats
  • Network traffic monitoring and firewall (VPN-based on Android)
  • Full disk scan across all mounted drives (Windows)

Secure Coding Practices

SQL Injection Prevention

All database queries use parameterized statements ($1, $2, ...); no SQL is ever built by string concatenation.

Input Validation

All API inputs are validated for type, length, and format before processing, and the request Content-Type header is enforced.

Authentication & Authorization

JWT tokens with bcrypt password hashing; role-based access control (RBAC) distinguishes admin, reseller, and user roles.
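As an added example (not AntiMatter AV's own code), the two query styles this section contrasts, written for the node-postgres $1/$2 placeholder convention the page names, together with the placeholder check and input validation a reviewer would expect before the query; the table name, column names, and license-key format are assumptions.

```javascript
// Added example, not AntiMatter AV's code. Table/column names and the
// license-key format are assumptions made for illustration.

// UNSAFE: SQL built by string concatenation. Caller-controlled text is
// spliced into the statement, so a quote can end the literal and the rest
// of the input is parsed as SQL.
function buildLicenseLookupUnsafe(licenseKey, hwid) {
  return "SELECT id, hwid FROM licenses WHERE key = '" + licenseKey +
         "' AND hwid = '" + hwid + "'";
}

// SAFE: constant statement text, values carried separately. This is the
// { text, values } shape node-postgres' pool.query() accepts; the driver
// sends the values out of band, so they are never parsed as SQL.
function buildLicenseLookup(licenseKey, hwid) {
  return {
    text: 'SELECT id, hwid FROM licenses WHERE key = $1 AND hwid = $2',
    values: [licenseKey, hwid],
  };
}

// Sanity check for parameterized queries: every $n in the text has a
// value and every value is referenced. Catches off-by-one mistakes made
// when a query is edited later.
function checkPlaceholders(query) {
  const found = new Set(
    [...query.text.matchAll(/\$(\d+)/g)].map((m) => Number(m[1]))
  );
  if (found.size !== query.values.length) return false;
  for (let i = 1; i <= query.values.length; i++) {
    if (!found.has(i)) return false;
  }
  return true;
}

// Input validation before the query (assumed format: four groups of four
// uppercase alphanumerics separated by hyphens).
const LICENSE_KEY_RE = /^[A-Z0-9]{4}(-[A-Z0-9]{4}){3}$/;
function isValidLicenseKey(s) {
  return typeof s === 'string' && LICENSE_KEY_RE.test(s);
}

// Constructed hostile input: rejected by validation, and harmless as a
// bound value, but it rewrites the WHERE clause in the concatenated form.
const hostile = "' OR '1'='1";
const unsafeSql = buildLicenseLookupUnsafe(hostile, 'HW-1');
const safeQuery = buildLicenseLookup(hostile, 'HW-1');
```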

Consumer & Ethical Compliance

CMA Guidelines (UK)

Subscription Fairness

  • Clear, upfront pricing with no hidden fees
  • Easy cancellation — no complex exit processes
  • Renewal reminders sent before subscription expiry
  • No service degradation during cancellation period

Data Minimization

Privacy by Design

  • Only essential PII retained: email, license key, device identifier
  • All file scans performed locally — no files uploaded to servers
  • Telemetry limited to: definition version, threat count, scan status
  • Location tracking only for parental controls with explicit consent

International Release Checklist

Compliance Area    Key Requirement                                Status
Governance         ISO 27001 Alignment                            ✓ Aligned
Data Protection    GDPR / CCPA Compliance                         ✓ Compliant
Product Security   EU Cyber Resilience Act (CRA) & CE Mark        ✓ Ready
Technical          Automated Signature Updates (Every 6 Hours)    ✓ Active
Technical          Real-time Scanning & EDR Capabilities          ✓ Active
Documentation      Software Bill of Materials (SBOM)              ✓ Published
Transparency       Clear End-of-Support Dates                     ✓ Published

Questions About Compliance?

Contact our compliance team for inquiries, data subject requests, or vulnerability reports.

Email: [TO BE UPDATED]
Phone: [TO BE UPDATED]
Address: [TO BE UPDATED]