Is your company subject to the institution's geographic region's laws and regulations?
Explanation
Jurisdiction is what's being established here: whether your company operates under and complies with the laws and regulations of the region where the assessing institution sits.
Why this matters:
- Legal compliance is a fundamental aspect of security and risk management
- Different regions have different data protection, privacy, and security requirements (e.g., GDPR in Europe, CCPA in California, PIPEDA in Canada)
- The institution needs to ensure that any vendor they work with will comply with the laws that govern the institution's operations
- Non-compliance could expose the institution to legal and regulatory risks
The guidance specifically asks you to state the country that governs and regulates your company. This helps the institution determine if there might be jurisdictional conflicts or compliance gaps between your operating environment and theirs.
When answering this question:
- Clearly state your company's primary country of incorporation/operation
- Address whether you are subject to the laws in the institution's region
- If you operate across multiple jurisdictions, explain how you manage compliance across regions
- If there are any limitations to your compliance with the institution's regional laws, be transparent about them
Guidance
State the country that governs and regulates your company.
Example Responses
Example Response 1
Yes, our company is headquartered in the United States and is subject to U.S federal and state laws We are incorporated in Delaware but have offices in multiple states including California, Texas, and New York We comply with all applicable U.S laws and regulations including HIPAA, GLBA, and state-specific regulations like CCPA If your institution operates in the U.S., we are subject to the same governing laws and regulations For institutions outside the U.S., we have implemented compliance programs for GDPR, PIPEDA, and other major international frameworks to ensure we meet cross-border data transfer and processing requirements.
Example Response 2
Yes, our company is headquartered in Germany and is fully subject to European Union laws and regulations, including GDPR Our operations and data processing activities comply with EU directives and German national laws We have appointed a Data Protection Officer as required by GDPR and maintain records of processing activities If your institution is located within the EU, we operate under the same regulatory framework For institutions outside the EU, we have established Standard Contractual Clauses and other appropriate safeguards to ensure compliant cross-border data transfers in accordance with Chapter V of the GDPR.
Example Response 3
No, our company is headquartered and primarily operates in Singapore, governed by Singapore's legal and regulatory framework including the Personal Data Protection Act (PDPA) While we make efforts to accommodate international requirements, we cannot guarantee full compliance with all aspects of your institution's regional laws if they differ substantially from Singapore's regulations For example, if your institution operates under GDPR in Europe, we have implemented some GDPR-aligned practices but have not fully certified our compliance with all GDPR provisions We would need to work together to identify any specific compliance gaps and determine if additional safeguards or contractual terms would be necessary for our business relationship.
Context
- Tab
- Organization
- Category
- Policies, Processes, and Procedures
Related questions
- Do you have a documented patch management process?
- Can your organization comply with institutional policies on privacy and data protection with regard to users of institutional systems, if required?
- Can you accommodate encryption requirements using open standards?
- Do you have a documented systems development life cycle (SDLC)?
- Do you perform background screenings or multi-state background checks on all employees prior to their first day of work?
- Do you require new employees to fill out agreements and review policies?

