← Legal & compliance

Legal & compliance

Sign in

Draft administrative policies

  • Subject to attorney review before commercial launch — not legal advice or a binding contract until published by the operator.
  • No certification claims: not SOC 2, HIPAA, PCI DSS, or bank-level certified.
  • Billing: subscription status may be shown; payment card numbers are not stored in the application database.
  • Support access: vendor staff cannot access your tenant silently; tenant OWNER approval is required for time-boxed support sessions.

Check Designer — Compliance & Legal Policy Index (Draft)

Status: Draft administrative documentation for a future SaaS launch. Effective: Not in effect until published by the service operator and linked from the product. Legal review: Subject to attorney review before any commercial use, customer contract, or in-app display.

Purpose

This index lists customer-facing and operator-facing policy documents for Check Designer. They describe current implemented behavior as of the draft date. They are not legal advice and do not create warranties, certifications, or compliance guarantees.

Policy documents

DocumentAudienceSummary
TERMS_OF_SERVICE.mdCustomers / tenant usersAcceptable use, account responsibilities, service scope, disclaimers
PRIVACY_POLICY.mdCustomers / data subjectsCategories of data, purposes, sharing, rights, export/deletion requests
DATA_RETENTION_POLICY.mdCustomers / operatorsRetention periods; operational vs formal export; deletion/redaction
SUPPORT_ACCESS_POLICY.mdCustomers / support staffNo silent access; OWNER-only approval; explicit activation; 24h max
SECURITY_POLICY.mdCustomers / operatorsEncryption, access control, audit, sensitive check/bank data
BACKUP_RESTORE_POLICY.mdCustomers / operatorsBackup scope, operator restore, customer export limits
INCIDENT_RESPONSE_POLICY.mdCustomers / operatorsReporting, containment, notification placeholders
ACCOUNT_DELETION_REQUEST_POLICY.mdCustomersManual export/deletion/redaction request process

In-app access (draft)

LocationContent
`/legal`Policy index (this document rendered)
`/legal/*`Individual policy pages
Settings → Legal & compliancePolicy links + Data export / deletion requests summary (2P-C)
Login footerLinks to legal index, privacy, terms

Policies display a draft banner. No certification claims (SOC 2, HIPAA, PCI, etc.).

Data export / deletion requests (2P-C summary)

ItemStatus
Self-service tenant hard-deleteNot implemented
Automated backup purge on requestNot implemented
OWNER/ADMIN request guidanceSettings panel + `ACCOUNT_DELETION_REQUEST_POLICY.md`
Operator manual review workflowDocumented only
Future ticket/export/redaction automationPlanned, not built

Related technical runbooks (not customer contracts)

DocumentPurpose
`BACKUP_RESTORE_RUNBOOK.md`Server backup/restore procedures
`RESTORE_AND_RECOVERY.md`Emergency recovery steps
`SUPER_ADMIN_PLAN.md`Platform operator and support-access design
`SUPPORT_ACCESS_IMPLEMENTATION_REVIEW.md`Internal policy-vs-code alignment (2P-D) — not an in-app `/legal` page
`COMPLIANCE_LEGAL_FINAL_REVIEW.md`Phase 2P-E final review and route checklist
`BILLING_PLAN.md`Subscription foundation (Stripe not live)

What these policies do not claim

  • No SOC 2, HIPAA, PCI DSS, or bank-level certification
  • No attorney-reviewed or legally binding status until counsel approves and the operator publishes
  • No guarantee of uninterrupted service, perfect security, or error-free printing
  • No representation that Stripe or live payment processing is active (billing foundation only)

Before commercial launch (checklist)

  • [ ] Attorney review of all policies in this index
  • [ ] Operator legal entity, jurisdiction, and contact details finalized
  • [ ] Replace placeholder emails (*privacy@example.com*, *support@example.com*)
  • [ ] Data Processing Agreement / subprocessors list if required by counsel
  • [ ] Align published policies with actual deployment (hosting region, backup retention, subprocessors)
  • [ ] Decide whether in-app request forms or ticketing are required (not in 2P-C)

Phase scope confirmation

PhaseScope
2P-APolicy markdown drafts
2P-B`/legal` static pages + navigation links
2P-CExport/deletion request process documentation + Settings guidance (read-only)
2P-DSupport access policy ↔ implementation alignment (`SUPPORT_ACCESS_IMPLEMENTATION_REVIEW.md`)
2P-EFinal compliance/legal review (`COMPLIANCE_LEGAL_FINAL_REVIEW.md`) — Phase 2P complete (draft; attorney review required)

No changes in Phase 2P (2P-A–E) to: database schema, automatic deletion, backup scripts, encryption format, print/MICR, support access runtime logic, billing enforcement, platform permissions, auth behavior (except public `/legal` routes).

Commercial launch: Policies are not attorney-reviewed. Do not treat as binding until counsel approves and the operator publishes.

Last updated: 2026-05-28