Commit 185416f

Merge pull request #543 from kinde-oss/docs/ccpa-cpra
Adding CCPA and CPRA to compliance page
2 parents 49c191a + c506e3e commit 185416f

2 files changed

+26
-9
lines changed
src/content/docs/trust-center/privacy-and-compliance/compliance.mdx

Lines changed: 26 additions & 9 deletions
@@ -24,22 +24,24 @@ keywords:
2424
- "SOC 2"
2525
- "GDPR"
2626
- "HIPAA"
27+
- "CCPA"
28+
- "CPRA"
2729
- "CAIQ"
2830
- "MVSP"
2931
- "PCI-DSS"
3032
- "certification"
3133
- "security"
32-
updated: "2025-01-27"
34+
updated: "2025-08-26"
3335
featured: false
3436
deprecated: false
35-
ai_summary: "Overview of Kinde's compliance certifications and security frameworks including ISO 27001, SOC 2 Type 2, GDPR, HIPAA, CAIQ, MVSP, and PCI-DSS compliance status."
37+
ai_summary: "Overview of Kinde's compliance certifications and security frameworks including ISO 27001, SOC 2 Type 2, GDPR, HIPAA, CCPA, CPRA, CAIQ, MVSP, and PCI-DSS compliance status."
3638
---
3739

3840
Kinde takes data privacy and security very seriously. We want you to trust us and our systems, which is why we engaged in external certification audits and conducted self assessments against globally recognized privacy and security frameworks to ensure our technology infrastructure and your data are kept secure.
3941

4042
## **ISO 27001**
4143

42-
![ISO and ISO 27001 logos](@assets/images/compliance/ISO.png)
44+
![ISO and ISO 27001 logos](https://imagedelivery.net/skPPZTHzSlcslvHjesZQcQ/6a57d6a4-8291-4b37-4449-6c38b010bf00/public)
4345

4446
Kinde is [ISO 27001:2022](https://www.iso.org/standard/27001) certified by [Compass Assurance Services](https://cas.com.au/) and maintains an information security management system (ISMS) with a dedicated internal security team. Our public listing is available on the [JASANZ certified organizations register](https://register.jasanz.org/certificate-details/0/af0526d5-c2d8-ed11-a7c7-00224818a490) and the [IAF CertSearch register](https://www.iafcertsearch.org/certified-entity/WrSSvBtTuGl9ks9O9oyp30SO).
4547

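Review bot: The image swap at new line 44, from `@assets/images/compliance/ISO.png` to an `https://imagedelivery.net/...` URL, is not covered by the commit message, which only mentions adding CCPA and CPRA. Describe the move to externally hosted images in the message or split it into its own change. The swap also makes the trust-center page depend on an image referenced by an opaque ID that cannot be inspected in the diff, so confirm during review that the ID resolves to the intended logo. The `keywords`, `updated` and `ai_summary` edits are consistent with the new section.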
@@ -49,7 +51,7 @@ ISO 27001 specifies the requirements for establishing, implementing, maintaining
4951

5052
## SOC 2 Type 2
5153

52-
![AICPA and SOC2 logos](@assets/images/compliance/SOC2.png)
54+
![AICPA and SOC2 logos](https://imagedelivery.net/skPPZTHzSlcslvHjesZQcQ/99302f85-bdd0-482d-5e7e-caafb52bb900/public)
5355

5456
Kinde has completed a SOC 2 Type 2 with report and attestation from [AssuranceLab](https://www.assurancelab.cpa/).
5557

@@ -61,7 +63,7 @@ A [SOC 2 examination](https://www.aicpa-cima.com/topic/audit-assurance/audit-and
6163

6264
## GDPR
6365

64-
![GDPR logo](@assets/images/compliance/GDPR.png)
66+
![GDPR logo](https://imagedelivery.net/skPPZTHzSlcslvHjesZQcQ/64af5136-0785-402d-66b9-e6e3f3b8e000/public)
6567

6668
Kinde is compliant with the GDPR and supports our customers by maintaining strict privacy principles as a Data Processor.
6769

@@ -71,34 +73,49 @@ More information about the GDPR and what Kinde does for comply with it can be fo
7173

7274
## HIPAA
7375

74-
![HIPAA and AssuranceLab HIPAA logos](@assets/images/compliance/HIPAA.png)
76+
![HIPAA and AssuranceLab HIPAA logos](https://imagedelivery.net/skPPZTHzSlcslvHjesZQcQ/88d46614-1631-48ae-fcf4-a0ee7c121c00/public)
7577

7678
Kinde is HIPAA compliant and supports our customers as a Business Associate. Reach out to our team if you need a Business Associate Agreement in place before working with us.
7779

7880
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a US federal law on how to protect sensitive health information, known as Protected Health Information (PHI), which led to the creation of the Privacy Rule and Security Rule. It has since been updated with additional rules and supplemented by the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009.
7981

82+
More information about HIPAA can be found on the US Department of Health and Human Services's [health information privacy](https://www.hhs.gov/hipaa/index.html) page.
83+
84+
## CCPA and CPRA
85+
86+
![CCPA and CPRA logos](https://imagedelivery.net/skPPZTHzSlcslvHjesZQcQ/ffc476f3-6b5f-43ac-8406-d6ab5dce8100/public)
87+
88+
Kinde is compliant with the CCPA (as amended by the CPRA) and supports our customers by maintaining strict privacy principles.
89+
90+
The California Consumer Privacy Act (CCPA) gives consumers more control over the personal information that companies collect about them. The law took effect on January 1, 2020 (its initial regulations were approved on August 14, 2020) and applies to companies targeting or collecting data related to California residents. An amendment—the California Privacy Rights Act (CPRA)—expanded the CCPA’s scope; it became legally effective on December 16, 2020, most substantive provisions became operative on January 1, 2023 (with a look-back to data collected on or after January 1, 2022), and formal enforcement began July 1, 2023.
91+
92+
More information can be found on the California Attorney General’s [CCPA/CPRA page](https://oag.ca.gov/privacy/ccpa) and the California Privacy Protection Agency’s website.
8093
## **CAIQ v4**
8194

82-
![CAIQ self-assessment badge](@assets/images/compliance/CAIQ.png)
95+
![CAIQ self-assessment badge](https://imagedelivery.net/skPPZTHzSlcslvHjesZQcQ/ae7254c4-4fa9-4542-be17-86a2a3382d00/public)
8396

8497
Kinde has completed a [Consensus Assessments Initiative Questionnaire (CAIQ)](https://cloudsecurityalliance.org/star/registry/kinde/services/kinde/) from the Cloud Security Alliance and submitted to their public STAR registry as a Level 1 self-assessment.
8598

8699
Founded in 2013 by the Cloud Security Alliance, the Security Trust Assurance and Risk (STAR) registry encompasses key principles of transparency, rigorous auditing, and cloud security and privacy best practices.
87100

88101
## MVSP
89102

90-
![MVSP logo](@assets/images/compliance/MVSP.png)
103+
![MVSP logo](https://imagedelivery.net/skPPZTHzSlcslvHjesZQcQ/c20625e4-2acf-43c4-e42e-66b853cafd00/public)
91104

92105
Kinde has completed a Minimum Viable Secure Product (MVSP) self-assessment and implemented all recommended controls. Reach out to our team if you need to review our responses or have questions about specific controls.
93106

94107
MVSP is a list of essential application security controls that should be implemented in enterprise-ready products and services. The controls are designed to be simple to implement and provide a good foundation for building secure and resilient systems and services.
95108

109+
More information about MVSP can be found at the [Minimum Viable Secure Product](https://mvsp.dev/) website.
110+
96111
## PCI-DSS
97112

98-
![PCI logo](@assets/images/compliance/PCI.png)
113+
![PCI logo](https://imagedelivery.net/skPPZTHzSlcslvHjesZQcQ/8358875d-ac43-43d3-f794-3d72bf3f1800/public)
99114

100115
Please note that Kinde does not hold a PCI-DSS Report on Compliance (ROC) from a Qualified Security Assessor (QSA).
101116

102117
In preparation for Kinde’s upcoming customer billing feature, we have engaged with a QSA to validate our scoping and we are preparing the necessary Self Assessment Questionnaire (SAQ) to meet the PCI-DSS requirements for processing cardholder data. Currently we use a third party service provider and their SAQ-A scoped method, which greatly reduces the scope that Kinde has to meet as a PCI-DSS Service Provider.
103118

104119
Our SAQ and Attestation of Compliance (AOC) will be available when scoping work is completed and will transition to a Level 1 Service Provider when the necessary transaction volume is reached.
120+
121+
More information about PCI can be found at the [PCI Security Standards Council](https://www.pcisecuritystandards.org/) website.
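Review bot: The compliance statement at new line 88 does not say in which role Kinde is compliant, unlike the GDPR section ("as a Data Processor") and the HIPAA section ("as a Business Associate"); consider naming the role under the CCPA so the three sections read consistently. In the same section, new line 92 runs straight into `## **CAIQ v4**` at line 93 with no blank line before the heading, and the California Privacy Protection Agency's website is mentioned without a link while the Attorney General's page is linked. The date-heavy sentence at line 90 would be easier to verify if it were split into one sentence for the CCPA and one for the CPRA.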