PCI DSS compliance at Exclaimer
Exclaimer completes a PCI DSS self-assessment questionnaire (SAQ) and self-certifies against PCI DSS expectations. Exclaimer doesn't store, process, or transmit cardholder data, and card payments are handled by a PCI DSS-certified third-party payment provider. This is an internal self-assessment, reviewed annually, not an external audit.
What is PCI DSS?
PCI DSS, the Payment Card Industry Data Security Standard, is the global security standard administered by the PCI Security Standards Council. It applies to any organization that stores, processes, or transmits cardholder data, and to service providers whose systems may indirectly support a payment environment.
Exclaimer's PCI DSS scope
Exclaimer is a SaaS platform for email signature management, not a payment processor. Card processing is fully outsourced to a third-party provider that is itself PCI DSS certified, so cardholder data doesn't enter Exclaimer's systems.
In practice, this means:
Exclaimer doesn't store, process, or transmit cardholder data
Card payments are handled by a PCI DSS-certified third-party payment provider
The email signature management platform is outside the cardholder-data environment
Customer email content and synced directory data aren't part of any payment flow
How Exclaimer self-certifies
Exclaimer completes the relevant PCI DSS Self-Assessment Questionnaire (SAQ) and maintains internal documentation of the assessment. The assessment is reviewed annually, or after any significant change to Exclaimer's systems or payment arrangements.
Because card processing is fully outsourced to a PCI DSS-certified provider, Exclaimer isn't subject to an external PCI DSS audit. Its PCI DSS position is a structured internal self-assessment, not a third-party attestation.
Access Exclaimer's PCI DSS documentation
Exclaimer's PCI DSS self-assessment is available to customers under NDA on request. For Exclaimer's independently audited certifications, see the ISO 27001 and SOC 2 Type II pages, or visit the Exclaimer Trust Center.
Frequently asked questions about Exclaimer and PCI DSS
No. Card processing is fully outsourced to a PCI DSS-certified third-party payment provider. Primary account numbers, security codes, and other cardholder data don't enter Exclaimer's systems.
No. Because card processing is fully outsourced, Exclaimer self-certifies through a PCI DSS Self-Assessment Questionnaire (SAQ) rather than an external audit. Exclaimer's independently audited frameworks are ISO/IEC 27001 and SOC 2 Type II.
Annually, or after any significant change to Exclaimer's systems or payment arrangements.
The SAQ is available to customers under NDA on request. Contact the Exclaimer security team to arrange access.
Talk to Exclaimer's security team
For PCI DSS-specific questions, scope clarifications, or a copy of the self-assessment under NDA, the security team can take you through the details directly.




