US Regulatory Landscape
Federal, state, and sector-specific regulations — plus UK cross-border requirements
CCPA / CPRA
California — 40M+ consumers
California Consumer Privacy Act and California Privacy Rights Act compliance. Consumer data rights management, opt-out mechanisms, and automated DSAR handling for businesses serving California residents.
HIPAA
Health data — federal
Health Insurance Portability and Accountability Act compliance for covered entities and business associates. PHI safeguards, breach notification, and BAA management.
SOC 2 Type II
Trust services criteria
SOC 2 Type II certification pathway with automated evidence collection across Security, Availability, Processing Integrity, Confidentiality, and Privacy criteria.
FTC Act Compliance
Federal Trade Commission
Section 5 unfair and deceptive practices prevention. Data security standards, privacy policy compliance, and FTC consent order monitoring.
State Privacy Law Tracker
15+ state laws and counting
Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, Texas TDPSA, and more. Our tracker monitors all active and pending state privacy legislation in real time.
UK-US Data Bridge
Post-Schrems II framework
Navigate the UK Extension to the EU-US Data Privacy Framework. Automated transfer impact assessments, Standard Contractual Clauses management, and Data Bridge certification.
The State Privacy Patchwork
With 15+ state privacy laws enacted and more pending, US compliance is a moving target. Our platform tracks every state law in real time.
California
CCPA/CPRA
Virginia
VCDPA
Colorado
CPA
Connecticut
CTDPA
Utah
UCPA
Texas
TDPSA
Oregon
OCPA
Montana
MCDPA
+ 7 more states with active privacy laws tracked by our platform
Who We Serve
Purpose-built for businesses navigating US-UK cross-border compliance
US Companies with UK Operations
American businesses operating in the UK face dual compliance requirements: US federal and state laws plus UK GDPR, NIS2, and ICO regulations. Our platform provides a unified view.
UK Companies Expanding to the US
British companies entering the US market need to navigate a patchwork of state privacy laws, federal regulations, and sector-specific requirements like HIPAA and SOC 2.
US Companies Using HumanBaseIQ
US employers using our HumanBaseIQ recruitment platform benefit from built-in EEOC compliance, HIPAA-relevant safeguards for health data, and state-by-state ban-the-box tracking.
Products for US-UK Businesses
Priced in USD — $149–999/month with cross-border compliance built in
HumanBaseIQ
$149/mo
AI recruitment platform with EEOC-compliant scoring, ban-the-box tracking, and HIPAA-relevant safeguards. Screen 200 resumes in 47 minutes.
Learn moreStatuteForgeIQ
$99/mo
Legal document intelligence for US-UK cross-border transactions. Contract analysis, regulatory change tracking, and multi-jurisdiction compliance.
Learn moreCofferMindIQ
$149/mo
Financial compliance automation. BSA/AML screening, SAR filing support, SEC/FCA dual reporting, and real-time risk dashboards.
Learn moreBusiness OS
$199/mo
Unified business intelligence with US-UK compliance built in. SOC 2 evidence collection, privacy law tracker, and automated reporting.
Learn moreUK-US Data Bridge
The post-Schrems II framework for transatlantic data transfers
The UK Extension to the EU-US Data Privacy Framework enables compliant data transfers between the UK and US. Our platform automates transfer impact assessments, manages Standard Contractual Clauses, and monitors ongoing compliance with the Data Bridge requirements.
Transfer Assessments
Automated TIA for every data flow
SCC Management
Template library and tracking
Ongoing Monitoring
Real-time framework change alerts
CCPA, HIPAA, SOC 2 & UK GDPR — practical answers
Sourced from oag.ca.gov, HHS.gov, AICPA Trust Services Criteria and UK ICO — not marketing.
What is the difference between CCPA and CPRA?
The California Consumer Privacy Act (CCPA, 2018) was amended and expanded by the California Privacy Rights Act (CPRA, 2020), which became fully operative 1 January 2023. CPRA added the concept of "sensitive personal information", extended consumer rights (right to correct, right to limit use of sensitive data), created the California Privacy Protection Agency (CPPA), and raised civil penalties to $7,500 per intentional violation or violation involving minors.
Does SOC 2 apply to small US companies?
SOC 2 is not a legal mandate — it is an AICPA attestation framework. However, it is commonly required by enterprise customers and increasingly by mid-market US and UK procurement. SOC 2 Type I (design) and Type II (operating effectiveness over 3-12 months) each demonstrate controls against Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy.
When do HIPAA requirements apply to a US business?
HIPAA applies to "Covered Entities" (healthcare providers billing electronically, health plans, healthcare clearinghouses) and their "Business Associates" (vendors handling Protected Health Information on their behalf). A Business Associate Agreement (BAA) is mandatory before sharing PHI. Violations tier from $100 to $50,000 per record (2024 HHS tier caps) with an annual cap of $1.5M per identical violation.
How do UK companies with US customers handle cross-border data transfer?
Transfers from UK to US must satisfy UK GDPR Chapter V requirements. Following the EU-US Data Privacy Framework (July 2023) and the UK Extension (October 2023), US companies self-certified under the DPF can receive UK personal data without additional Standard Contractual Clauses. For non-DPF recipients, UK International Data Transfer Agreement (IDTA) or Addendum to EU SCCs is required, plus a Transfer Risk Assessment (TRA).
Does US SBH pricing differ from UK pricing?
Core SaaS pricing is listed in GBP (£). US customers may be invoiced in USD at prevailing Wise Business rates or in GBP with no hidden conversion margin. SummitBridge Horizon Ltd is a UK-registered company (Companies House 16419201); US customers generally treat our services as imported services for tax purposes. No sales tax or VAT is added — SBH is currently below the £90,000 UK VAT threshold.
Can UK-registered SBH serve highly regulated US industries?
Yes for general compliance consulting, SaaS tooling, and SOC 2 preparation. For sectors with US data residency requirements (e.g., DoD CMMC, FedRAMP High, certain HIPAA PHI workloads), we recommend US-based managed infrastructure. We can still advise on controls design, policy authoring, vendor questionnaires and audit preparation regardless of data location.