Compliance roadmap
Last updated: May 1, 2026
To be clear: we are not yet a certified eFTI platform. We are an eFTI-data-conformant extraction layer — we take a paper or photo CMR and return a structured JSON / XML payload aligned with Regulation (EU) 2020/1056 and Commission Delegated Regulation (EU) 2024/2024. Customers can hand that data to any certified eFTI platform once they choose one in 2027. Our own certification path is below.
Certification path
- eFTI Common Data Set conformance ✓
- GDPR Art. 28 Data Processing Agreement (DPA) ✓
- EU servers — Frankfurt (Vercel + Supabase eu-central-1) ✓
- Apply for ISO 27001 lite attestation
- Engage Lithuanian counsel for terms + DPA review cycle
- Apply for eFTI Platform certification when the EC opens applications
- Target — fully certified eFTI Platform
- Target — SOC 2 Type II if customer base demands it
Sub-processors
Full list with purpose, transfer mechanism, and last-updated date is on the sub-processors page.
Data residency
Original CMR documents (images, PDFs) are stored in the EU only — Vercel Blob and Supabase eu-central-1 (Frankfurt). JSON and derived data may transit OpenAI in the US during extraction — a transfer impact assessment (TIA) is in progress; we rely on SCCs (Module 2) and the OpenAI Enterprise DPA. Our roadmap includes an EU-only extraction tier that removes this transfer entirely.
Customer rights
Full rights under GDPR Articles 12–22 — access, rectification, erasure, portability, and objection — are exercised through the dashboard or by email. After cancellation we keep a 30-day export window: you can download all of your data as JSON / CSV / eFTI XML. After that window your data is permanently deleted.
Contact
Compliance questions — dpo@ecmrcapture.com (operator alias). We reply within 30 days.