California Consumer Privacy Act (Cal. Civ. Code §§ 1798.100–1798.199.100)
Assessment Date: April 14, 2026 | Document Classification: Public — Shareable
This document is a self-assessment mapping SigmaShake's data handling practices to CCPA requirements. It describes what controls are in place and where to find general evidence of each, without revealing proprietary implementation details, source code, or internal security architecture.
For detailed, code-level evidence of every security control (including exact source files, configuration keys, and commit hashes), enterprise customers can request the Controls Evidence Report at trust.sigmashake.com/report after signing a Mutual Non-Disclosure Agreement.
The following third-party service providers process data on behalf of SigmaShake:
| Provider | Purpose | Certification |
|---|---|---|
| Cloudflare | Infrastructure, CDN, database, KV store | SOC 2, ISO 27001 |
| Stripe | Payment processing | PCI-DSS Level 1, SOC 2 |
| GitHub | OAuth authentication, source hosting | SOC 2, ISO 27001 |
| Anthropic | AI inference — homepage chat, support triage | SOC 2 Type II, ISO 27001 |
| Resend | Transactional email delivery | SOC 2 |
| Article | Requirement | Status | Measure and evidence |
|---|---|---|---|
| § 1798.100 | Right to Know / Disclosure | ✓ Compliant | Measure: Privacy Policy discloses all categories of personal information collected, purposes of collection, and categories of third parties with whom data is shared. Users can view their data through the Accounts dashboard. Evidence: Privacy Policy at docs.sigmashake.com/policies/privacy-policy. Self-service dashboard at accounts.sigmashake.com. |
| § 1798.105 | Right to Delete | ✓ Compliant | Measure: Full account deletion cascade removes all personal information across 7 data stores in a single request. Deletion is immediate and covers: user record, sessions, rulesets, device bindings, payment data (via Stripe), OAuth tokens, and cookies. Evidence: Self-service deletion available in Accounts dashboard under Settings. Also available via security@sigmashake.com. |
| § 1798.106 | Right to Correct | ✓ Compliant | Measure: User identity data is sourced from OAuth providers (GitHub, Google). Users correct their information at the identity provider, and SigmaShake refreshes the stored profile on each login. Evidence: OAuth profile sync on every authentication. No separately entered user profile data is maintained. |
| § 1798.110 | Categories of PI Collected | ✓ Compliant | Measure: Categories collected: identifiers (username, email via OAuth), commercial information (subscription tier, billing via Stripe), internet activity (anonymized telemetry, opt-in only). No biometric data, no geolocation, no sensitive categories. Evidence: Category inventory documented in Privacy Policy. |
| § 1798.115 | Disclosure of Sharing/Selling | ✓ Compliant | Measure: SigmaShake does not sell personal information and does not share personal information for cross-context behavioral advertising. Service providers disclosed: Cloudflare, Stripe, GitHub, Anthropic, Resend. Evidence: Privacy Policy explicitly states: "We do not sell your personal information." Service provider list maintained. |
| § 1798.120 | Right to Opt-Out of Sale/Sharing | ✓ Compliant | Measure: Not applicable in practice: SigmaShake does not sell or share personal information for advertising, so no "Do Not Sell My Personal Information" link is required; the non-sale status is documented in the Privacy Policy. Evidence: Privacy Policy. No advertising SDKs, no tracking pixels, no data broker relationships. |
| § 1798.125 | Non-Discrimination | ✓ Compliant | Measure: All users who exercise their privacy rights receive the same service quality and pricing. No price discrimination, service degradation, or different treatment for exercising privacy rights. Evidence: Uniform pricing published at sigmashake.com. No differentiated service tiers based on privacy elections. |
| § 1798.130 | Methods for Submitting Requests | ✓ Compliant | Measure: Privacy requests accepted via (1) the self-service Accounts dashboard for deletion and (2) email to security@sigmashake.com for any CCPA request. Response within 45 days per statute. Evidence: Contact methods listed in Privacy Policy footer. Self-service deletion in Accounts dashboard. |
| § 1798.135 | Opt-Out Link Requirements | — N/A | Measure: Not applicable: SigmaShake does not sell or share personal information, so no opt-out link is legally required. Evidence: No data sale or sharing activity exists to opt out of. |
| § 1798.140(ag) | Service Provider Obligations | ✓ Compliant | Measure: All subprocessors (Cloudflare, Stripe, GitHub, Anthropic, Resend) operate under agreements that restrict data use to contracted purposes only. No subprocessor receives data for independent use. Evidence: Service provider agreements in place. Subprocessor list published in Privacy Policy and threat model. |
| § 1798.150 | Data Breach Private Right of Action | ✓ Compliant | Measure: SigmaShake implements reasonable security measures: encryption at rest and in transit, access controls, audit logging, incident response procedures, and a 48-hour breach notification SLA. Evidence: Security controls documented in Trust Center. Breach notification process defined in NDA §6 and responsible disclosure policy. |
| § 1798.100(c) | Data Minimization | ✓ Compliant | Measure: Only personal information reasonably necessary for each disclosed purpose is collected. Telemetry is anonymous and opt-in. OAuth requests minimum scopes. CLI processes metadata only, never source code. Evidence: Telemetry schema: 7 fields, no PII. OAuth scopes: read:user and public_repo. Note that GitHub's public_repo scope grants read and write access to public repositories and has no read-only variant; SigmaShake uses it only to read, but the granted token is not write-restricted. |
Disclaimer: This self-assessment reflects SigmaShake's good-faith evaluation of its compliance posture as of the assessment date. It does not constitute legal advice and should not be relied upon as a substitute for independent legal review. For questions, contact security@sigmashake.com.
Sigma Shake, Inc. — CCPA Self-Assessment with Evidence
This document is public and may be shared with prospects, partners, and security reviewers without NDA.
For code-level evidence: trust.sigmashake.com/report (NDA required)