Skip to main content
US-UK · Cross-Border · Multi-Jurisdiction

AI-Powered Compliance Intelligence for US-UK Businesses

CCPA | HIPAA | SOC 2 | UK GDPR — cross-border compliance for companies operating across the Atlantic.

US Regulatory Landscape

Federal, state, and sector-specific regulations — plus UK cross-border requirements

CCPA / CPRA

California — 40M+ consumers

California Consumer Privacy Act and California Privacy Rights Act compliance. Consumer data rights management, opt-out mechanisms, and automated DSAR handling for businesses serving California residents.

HIPAA

Health data — federal

Health Insurance Portability and Accountability Act compliance for covered entities and business associates. PHI safeguards, breach notification, and BAA management.

SOC 2 Type II

Trust services criteria

SOC 2 Type II certification pathway with automated evidence collection across Security, Availability, Processing Integrity, Confidentiality, and Privacy criteria.

FTC Act Compliance

Federal Trade Commission

Section 5 unfair and deceptive practices prevention. Data security standards, privacy policy compliance, and FTC consent order monitoring.

State Privacy Law Tracker

15+ state laws and counting

Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, Texas TDPSA, and more. Our tracker monitors all active and pending state privacy legislation in real time.

UK-US Data Bridge

Post-Schrems II framework

Navigate the UK Extension to the EU-US Data Privacy Framework. Automated transfer impact assessments, Standard Contractual Clauses management, and Data Bridge certification.

The State Privacy Patchwork

With 15+ state privacy laws enacted and more pending, US compliance is a moving target. Our platform tracks every state law in real time.

California

CCPA/CPRA

Active

Virginia

VCDPA

Active

Colorado

CPA

Active

Connecticut

CTDPA

Active

Utah

UCPA

Active

Texas

TDPSA

Active

Oregon

OCPA

Active

Montana

MCDPA

Active

+ 7 more states with active privacy laws tracked by our platform

Who We Serve

Purpose-built for businesses navigating US-UK cross-border compliance

US Companies with UK Operations

American businesses operating in the UK face dual compliance requirements: US federal and state laws plus UK GDPR, NIS2, and ICO regulations. Our platform provides a unified view.

Tech companiesFinancial servicesPharmaProfessional services

UK Companies Expanding to the US

British companies entering the US market need to navigate a patchwork of state privacy laws, federal regulations, and sector-specific requirements like HIPAA and SOC 2.

SaaS providersFintechHealthtechE-commerce

US Companies Using HumanBaseIQ

US employers using our HumanBaseIQ recruitment platform benefit from built-in EEOC compliance, HIPAA-relevant safeguards for health data, and state-by-state ban-the-box tracking.

Enterprise HRStaffing agenciesHealthcare hiringRemote-first companies

UK-US Data Bridge

The post-Schrems II framework for transatlantic data transfers

The UK Extension to the EU-US Data Privacy Framework enables compliant data transfers between the UK and US. Our platform automates transfer impact assessments, manages Standard Contractual Clauses, and monitors ongoing compliance with the Data Bridge requirements.

Transfer Assessments

Automated TIA for every data flow

SCC Management

Template library and tracking

Ongoing Monitoring

Real-time framework change alerts

UK Registered LtdICO ZC112810Companies House 16419201SOC 2 PathwayHIPAA CompliantUK-US Data Bridge

Check Your US-UK Compliance Gaps

Take our free assessment and discover where your organisation stands across CCPA, HIPAA, SOC 2, and UK GDPR requirements.

No credit card required. Results in under 5 minutes.

Frequently Asked Questions

CCPA, HIPAA, SOC 2 & UK GDPR — practical answers

Sourced from oag.ca.gov, HHS.gov, AICPA Trust Services Criteria and UK ICO — not marketing.

What is the difference between CCPA and CPRA?

The California Consumer Privacy Act (CCPA, 2018) was amended and expanded by the California Privacy Rights Act (CPRA, 2020), which became fully operative 1 January 2023. CPRA added the concept of "sensitive personal information", extended consumer rights (right to correct, right to limit use of sensitive data), created the California Privacy Protection Agency (CPPA), and raised civil penalties to $7,500 per intentional violation or violation involving minors.

Does SOC 2 apply to small US companies?

SOC 2 is not a legal mandate — it is an AICPA attestation framework. However, it is commonly required by enterprise customers and increasingly by mid-market US and UK procurement. SOC 2 Type I (design) and Type II (operating effectiveness over 3-12 months) each demonstrate controls against Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy.

When do HIPAA requirements apply to a US business?

HIPAA applies to "Covered Entities" (healthcare providers billing electronically, health plans, healthcare clearinghouses) and their "Business Associates" (vendors handling Protected Health Information on their behalf). A Business Associate Agreement (BAA) is mandatory before sharing PHI. Violations tier from $100 to $50,000 per record (2024 HHS tier caps) with an annual cap of $1.5M per identical violation.

How do UK companies with US customers handle cross-border data transfer?

Transfers from UK to US must satisfy UK GDPR Chapter V requirements. Following the EU-US Data Privacy Framework (July 2023) and the UK Extension (October 2023), US companies self-certified under the DPF can receive UK personal data without additional Standard Contractual Clauses. For non-DPF recipients, UK International Data Transfer Agreement (IDTA) or Addendum to EU SCCs is required, plus a Transfer Risk Assessment (TRA).

Does US SBH pricing differ from UK pricing?

Core SaaS pricing is listed in GBP (£). US customers may be invoiced in USD at prevailing Wise Business rates or in GBP with no hidden conversion margin. SummitBridge Horizon Ltd is a UK-registered company (Companies House 16419201); US customers generally treat our services as imported services for tax purposes. No sales tax or VAT is added — SBH is currently below the £90,000 UK VAT threshold.

Can UK-registered SBH serve highly regulated US industries?

Yes for general compliance consulting, SaaS tooling, and SOC 2 preparation. For sectors with US data residency requirements (e.g., DoD CMMC, FedRAMP High, certain HIPAA PHI workloads), we recommend US-based managed infrastructure. We can still advise on controls design, policy authoring, vendor questionnaires and audit preparation regardless of data location.