Compliance
Compliance documentation for legal and procurement teams: where each framework stands, how we source state data, and the line we hold between business verification and consumer reports.
FCRA
Whether a check falls under the Fair Credit Reporting Act turns on who is being assessed. We hold this line precisely.
Entity verification (the default)
Verifying a business — license status, registration standing, court judgments, and entity history — is commercial verification. It is nota consumer report under the FCRA, because it does not assess an individual’s eligibility for credit, employment, insurance, or housing. No permissible-purpose certification, consumer disclosure, or adverse-action notice attaches to a business check.
Individual checks (when required)
Where an individual background check is genuinely required, it is performed through a licensed Consumer Reporting Agency under FCRA permissible-purpose rules — with the disclosures, consent, and adverse-action steps the FCRA requires. We do not blur the two, and a business verification is never repackaged as an individual report.
The detailed FCRA framing for consumers lives on our FCRA page; the security-architecture view is on our security page.
CCPA / CPRA
California residents can exercise the rights the CCPA (as amended by the CPRA) provides — to know what personal information we hold, to access a copy, to correct it, to delete it, and to opt out of any sale. We do not sell personal information. Valid requests are fulfilled at no charge within 30 days. “Ready” means we honor these rights — it is not a certification.
Submit a deletion or access request via /dsar or email compliance@earthmove.io.
GDPR
EU/EEA data subjects can exercise their rights under the GDPR — access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), and portability (Art. 20). We fulfill valid requests within 30 days. EarthMove operates a US-focused service today; we treat GDPR readiness as future-proofing so that cross-border requests are handled to the same standard rather than retrofitted later.
Submit a request via /dsar or email compliance@earthmove.io.
State licensing data
Where licensing signals come from, how current they are, and how we keep them accurate.
Source
Official state contractor-licensing boards and Secretary of State business registries — public records, not resold third-party aggregations. We report on all 50 states plus DC from public records.
Freshness
Verification queries the record per request rather than serving a stale snapshot, and we capture source attribution with each signal so a result can be re-checked against the issuing authority.
Accuracy
Structured first-party license checks run in 38 states; elsewhere we report from the public-record floor. We do not invent a license status — an unknown is reported as unknown.
Permit data
Where available, we incorporate public building- and trade-permit datasets published by municipal and county authorities. Permit coverage is inherently uneven — jurisdictions publish on different schedules, in different formats, and not every jurisdiction publishes at all — so we treat permit signals as supporting context, attributed to their source, rather than as a uniform national figure. We do not claim a specific nationwide permit count.
Data accuracy & disputes
Our reports represent public records and licensed sources; the authoritative copy of any record sits with the issuing authority. We attribute every signal to its source so a verdict can be traced and checked.
If you believe a record we surfaced is wrong, email compliance@earthmove.io with the report and the specific signal. We re-check the underlying source, then correct or annotate our representation of it. Where the discrepancy originates at the source, we point you to the issuing authority, since the correction has to be made on the authoritative record. Disputes are reviewed by hand.
Subprocessors
The categories of third parties that may process data on our behalf. The current named list is provided with a DPA on request.
Cloud infrastructure provider
Managed database, application hosting, and object storage for production data.
Transactional email provider
Account, report-delivery, and data-subject-request correspondence.
Product analytics provider
Aggregate usage and performance measurement to operate and improve the service.
Payments processor
Billing for paid tiers and API plans; card data is handled by the processor, not stored by us.
Data Processing Agreement
A DPA is available on request for enterprise customers, with the current subprocessor list attached. It covers processing scope, security commitments, subprocessor change notice, and data-subject-request assistance. Request it via enterprise or email compliance@earthmove.io.
Compliance matrix
Where each framework stands today. “Rights honored” and “In progress” are stated honestly — they are not claims of certification.
| Feature | Status | Detail |
|---|---|---|
| FCRA (entity / commercial verification) | Compliant | Business verification is not a consumer report; individual checks route through a licensed CRA. |
| CCPA / CPRA (California consumer privacy) | Rights honored | Access, deletion, correction, and do-not-sell rights honored. We do not sell personal information. |
| GDPR (EU/EEA data subjects) | Rights honored | Access, rectification, erasure, restriction, and portability fulfilled on request. |
| SOC 2 Type II | In progress | Audit underway — target Q3 2026. Not yet certified. |
| Data Processing Agreement (DPA) | Available | Provided on request for enterprise customers, with the subprocessor list attached. |
Status reflects current state as of this page's publication. SOC 2 Type II is in progress (target Q3 2026), not certified. CCPA and GDPR rows reflect rights we honor, not certifications.
Compliance FAQ
Contact
For compliance, DPA, subprocessor, or data-subject questions, email compliance@earthmove.io. Security-architecture questions are handled on /security.
Need the full compliance package?
We’ll walk your legal and procurement teams through the DPA, subprocessors, and the FCRA distinction.