Legal / Compliance

We Are Compliant With Everything

We checked.

Last audited: never · Next audit: also never

Section 1

International Standards

SOC 2 Type II
Completed by a company that no longer exists. See Section 4.
GDPR
We asked Europe nicely. They sent us 847 pages. We said thanks.
HIPAA
We don’t store health data. We don’t store useful data of any kind.
PCI DSS
Our payment processor handles this. We handle nothing.
ISO 27001
We printed the certificate ourselves. It looks real.
CCPA
California can have our data. It’s worthless.
SOX
We are not publicly traded. We are barely privately existing.
FERPA
No students were harmed in the making of this product.
COPPA
Children should not use this product. Adults probably shouldn’t either.
FedRAMP
We emailed them. Twice.
NIST CSF
We read the executive summary. Skimmed, really.
ISO 22301
Business continuity. Bold of you to assume we have business continuity.
CSA STAR
We looked at the self-assessment. It was long.
FISMA
Federal information security. We are not federal. We are barely functional.
GLBA
We are not a financial institution. We are barely an institution.
PIPEDA
Canada’s privacy law. Canada was polite about it.
LGPD
Brazil’s GDPR. Same energy, warmer climate.
PDPA
Singapore’s data protection. They were efficient about it.
POPIA
South Africa’s data law. We had to Google this one.
APPI
Japan’s privacy act. Very thorough. Very long.
KVKK
Kişisel Verilerin Korunması Kanunu. Turkey's GDPR. Kind of.
Section 2

The European Union

The EU has mass-produced more compliance frameworks than functioning startups. We respect the commitment. Below is every regulation we could find. We are compliant with all of them. We are compliant with regulations that haven't been written yet. We are, at this point, preemptively compliant.

DORA
Digital Operational Resilience Act
We are not operationally resilient.
NIS2
Network and Information Security Directive
Our network is Greg’s mobile hotspot.
AI Act
Artificial Intelligence Act
We don’t use AI. We use Greg.
ePrivacy Regulation
Regulation on Privacy and Electronic Communications
Still in draft since 2017. We’ll comply when they finish writing it.
Digital Markets Act
DMA
We are not a gatekeeper. We are barely a gate.
Digital Services Act
DSA
We provide no services, digital or otherwise.
Cyber Resilience Act
CRA
Our cyber resilience strategy is ctrl+z.
Data Governance Act
DGA
We govern nothing.
Data Act
Regulation on Fair Access to and Use of Data
We have data. Whether it’s fair is a philosophical question.
European Health Data Space
EHDS
We are not a health data space. We are not a space of any kind.
Taxonomy Regulation
EU Sustainable Finance Taxonomy
We are not sustainable. Financially or otherwise.
SFDR
Sustainable Finance Disclosure Regulation
We disclose that we are not sustainable.
CSRD
Corporate Sustainability Reporting Directive
Our sustainability report: we’re still here. Somehow.
MDR
Medical Device Regulation
This is not a medical device. It is barely a device.
REACH
Registration, Evaluation, Authorisation and Restriction of Chemicals
We do not produce chemicals. We produce disappointment, which is not yet regulated.
Section 3

Internal Standards

Bird Dimension Safety Protocol
Compliant. Gerald signed off.
Greg’s Emotional Compliance Framework
Non-compliant. Ongoing.
Pigeon Welfare Act §7.2
Exceeded expectations.
ISO 9001: Certified Useless
Our only legitimate certification.
Esmeralda’s Psychic Audit Trail
She saw this coming.
Nuke Button Safety Compliance
The safety cover counts.
Section 4

How We Achieve Compliance

We achieve compliance the same way every startup achieves compliance. We say we're compliant. Then we wait to see if anyone checks. So far, no one has checked.

Section 5 · Internal Memo

A Note on Compliance-as-a-Service

We considered outsourcing our compliance to a professional vendor.

The market leader had raised $32 million from Y Combinator. They had a billboard that read: “Compliance before you tell your parents you dropped out of MIT.” They had produced 494 SOC 2 audit reports. Impressive, on paper.

Less impressive: 99.8% of those reports contained identical boilerplate. Test values across different clients included “sdf” and “dlkjf.” For context, these are the sounds a human makes when their forehead hits a keyboard.

Four controls were marked “untestable” in 259 separate reports due to “zero incidents.” Statistically, this is like flipping a coin 259 times and getting heads every time. Technically possible. Technically.

Their clients included a well-known AI company, a well-known fintech, and a well-known productivity tool. We are not naming them because we respect privacy, which is more than their compliance vendor did.

They also acquired an open-source product, rebranded it as proprietary, and tried to sell it back to the original creator. During the sales call, they offered him an Arcteryx jacket and a box of donuts.

When confronted with evidence, the CEO described it as “an AI-generated email.” The evidence was a 40-page forensic audit with annotated screenshots.

We decided to handle compliance in-house. Our method, doing nothing and being upfront about it, has a comparable accuracy rate and costs $32 million less.

Ref: Internal Memo #0047 · Classification: Public (nobody reads these) · Author: Legal (Greg)

Section 6

Current Status

Actual compliance: N/A
Theoretical compliance: Yes
Vibes-based compliance: Strong
Greg’s confidence level: Unwarranted
Last audit: This page
Next audit: See above
Compliance budget: $0.00
Compliance budget (Delve’s): $32,000,000
Compliance accuracy (ours): N/A
Compliance accuracy (Delve’s): Also N/A