SOC 2 Program
Controls and audit evidence program · Last reviewed: May 8, 2026
DataVibe is pursuing a SOC 2 Type I attestation (SOC 2 is an attestation report issued by an independent CPA firm, not a certification). This page documents the controls and evidence program covering the AICPA Trust Services Criteria applicable to our pipeline infrastructure and customer data handling. The auditor's report is available to enterprise customers under NDA; contact [email protected].
Audit scope
System
DataVibe SaaS Platform
TSC coverage
Security · Availability · Confidentiality
Audit period
2025-Q4 → 2026-Q2
Trust Services Criteria controls
CC1 · Control Environment
- Security and compliance responsibilities are formally assigned to named individuals within engineering and operations.
- An acceptable-use policy and information security policy are maintained and acknowledged by all personnel at onboarding.
- Background checks are conducted for all personnel with access to production systems.
- Security awareness training is completed annually and upon hire.
CC2 · Communication and Information
- Internal security policies and incident response runbooks are version-controlled and accessible to all staff via the internal knowledge base.
- Customers are notified of material changes to security posture, data handling, or sub-processors via email and the status page.
- A public security policy page documents encryption standards, access controls, and vulnerability disclosure procedures.
- The security contact ([email protected]) is publicly documented for inbound reports.
CC3 · Risk Assessment
- A formal risk register is reviewed quarterly. Risks are rated by likelihood and impact; mitigations are tracked to closure.
- Third-party sub-processors are assessed for security posture before onboarding and annually thereafter.
- Threat modelling is performed for new product features that handle customer data or introduce new ingestion vectors.
- Dependency vulnerability scanning via pip-audit (core API) and npm audit (frontend) is integrated into the CI pipeline.
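The dependency-audit step above only becomes a control when it can fail the build and when every suppression is time-boxed and ticketed (that is the remediation evidence listed under "Audit evidence types"). The gate below is an added example of that logic, not DataVibe's CI code: it consumes `pip-audit --format json` and `npm audit --json` output, blocks on findings at or above a severity floor, and honours an allowlist only until its expiry date. The two JSON blobs are constructed to mirror the tools' output shapes as I understand them; package names, advisory IDs, URLs and the ticket reference are placeholders, not real advisories.

```python
"""CI dependency-audit gate (CC3): added example, not DataVibe's pipeline code.

Parses pip-audit and npm audit JSON, fails on any finding at or above FAIL_AT
unless an unexpired allowlist entry covers it. Sample blobs are constructed;
the package names and advisory IDs are placeholders, not real vulnerabilities.
"""
import json

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}
FAIL_AT = SEVERITY_RANK["high"]

# Constructed `pip-audit --format json` output (shape assumed from the tool's docs).
# pip-audit reports no severity, so a finding with a fix version is treated as "high".
PIP_AUDIT_JSON = json.dumps({
    "dependencies": [
        {"name": "examplepkg", "version": "1.0.0",
         "vulns": [{"id": "EXAMPLE-PY-0001", "fix_versions": ["1.0.1"],
                    "aliases": [], "description": "placeholder finding"}]},
        {"name": "cleanpkg", "version": "2.3.4", "vulns": []},
    ],
    "fixes": [],
})

# Constructed `npm audit --json` (npm >= 7) output. `via` holds advisory objects
# for direct causes and plain package-name strings for transitive ones.
NPM_AUDIT_JSON = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "example-ui-lib": {
            "name": "example-ui-lib", "severity": "moderate", "isDirect": True,
            "via": [{"source": 0, "name": "example-ui-lib", "title": "placeholder",
                     "url": "https://example.invalid/advisories/EXAMPLE-JS-0002",
                     "severity": "moderate", "range": "<3.0.0"}],
            "range": "<3.0.0", "fixAvailable": True},
        "example-build-tool": {
            "name": "example-build-tool", "severity": "critical", "isDirect": False,
            "via": [{"source": 0, "name": "example-build-tool", "title": "placeholder",
                     "url": "https://example.invalid/advisories/EXAMPLE-JS-0003",
                     "severity": "critical", "range": "*"}],
            "range": "*", "fixAvailable": False},
    },
})

# Time-boxed exceptions keyed by advisory id. ISO dates compare correctly as strings.
ALLOWLIST = {
    "EXAMPLE-JS-0003": {"expires": "2026-06-30", "ticket": "SEC-0000 (placeholder)"},
}


def parse_pip_audit(raw: str) -> list[dict]:
    findings = []
    for dep in json.loads(raw)["dependencies"]:
        for v in dep.get("vulns", []):
            findings.append({"tool": "pip-audit", "package": dep["name"], "id": v["id"],
                             "severity": "high", "fix_available": bool(v.get("fix_versions"))})
    return findings


def parse_npm_audit(raw: str) -> list[dict]:
    findings = []
    for name, v in json.loads(raw).get("vulnerabilities", {}).items():
        # Only advisory objects carry a URL; take its last path segment as the id.
        ids = [x["url"].rsplit("/", 1)[-1] for x in v.get("via", [])
               if isinstance(x, dict) and "url" in x] or [name]
        for fid in ids:
            findings.append({"tool": "npm audit", "package": name, "id": fid,
                             "severity": v["severity"], "fix_available": bool(v.get("fixAvailable"))})
    return findings


def gate(findings: list[dict], today: str, allowlist: dict = ALLOWLIST) -> tuple[bool, list[str]]:
    """Return (passed, reasons). `today` is an ISO date string, e.g. "2026-05-08".
    A finding blocks when its severity reaches FAIL_AT and no unexpired exception covers it."""
    reasons = []
    for f in findings:
        if SEVERITY_RANK.get(f["severity"], SEVERITY_RANK["critical"]) < FAIL_AT:
            continue
        exc = allowlist.get(f["id"])
        if exc and exc["expires"] >= today:
            continue  # still within the approved exception window
        why = "expired exception" if exc else ("fix available" if f["fix_available"] else "no fix yet")
        reasons.append(f'{f["tool"]}: {f["package"]} {f["id"]} ({f["severity"]}, {why})')
    return not reasons, reasons


if __name__ == "__main__":
    found = parse_pip_audit(PIP_AUDIT_JSON) + parse_npm_audit(NPM_AUDIT_JSON)
    ok, why = gate(found, "2026-05-08")
    print("PASS" if ok else "FAIL", *why, sep="\n")
```

In a real pipeline the gate runs after `pip-audit --format json -o pip.json` and `npm audit --json > npm.json`, and the allowlist file is itself under peer review so that every suppression has a reviewer, a ticket and an expiry the auditor can sample.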
CC4 · Monitoring of Controls
- Automated alerts are configured for anomalous API usage, failed authentication attempts, and privilege escalation events.
- Audit logs capturing actor, action, timestamp, and IP are written to an append-only store for all sensitive operations.
- Log integrity is protected — production log streams are write-only from application principals and read-only from the security principal.
- Operational dashboards surface pipeline failure rates, error rates, and latency P95/P99 in real time.
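An append-only store with separated write and read principals stops an application from rewriting history, but it does not by itself let an auditor check that an export is complete and unmodified. Hash-chaining each record to the one before it does, and is what an "audit chain export" (listed under "Request the evidence package") implies. The code below is an added illustration of that scheme, not DataVibe's AuditLog implementation: the record fields, the GENESIS constant and the sample actors, actions and IPs are assumptions. It also shows the one gap a chain alone has, truncation of the tail, and why the latest head hash must be anchored somewhere the writer cannot reach.

```python
"""Hash-chained append-only audit log (CC4): added illustration, not DataVibe's AuditLog.

Each record carries actor, action, timestamp, IP and the hash of the record
before it, so editing or deleting any line of an export breaks verification.
Field names, GENESIS and the sample data are assumptions.
"""
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first record


def _canonical(record: dict) -> bytes:
    # Deterministic serialization so the same record always hashes the same.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def record_hash(record: dict) -> str:
    return hashlib.sha256(_canonical(record)).hexdigest()


class AuditChain:
    def __init__(self) -> None:
        self.records: list[dict] = []

    def head(self) -> str:
        """Hash of the newest record; anchor this outside the writer's reach."""
        return self.records[-1]["hash"] if self.records else GENESIS

    def append(self, actor: str, action: str, ip: str, ts: str) -> dict:
        body = {"seq": len(self.records), "actor": actor, "action": action,
                "ip": ip, "ts": ts, "prev_hash": self.head()}
        body["hash"] = record_hash(body)  # hash covers every field except itself
        self.records.append(body)
        return body

    def export(self) -> str:
        # One JSON object per line: the shape an audit chain export could take.
        return "\n".join(json.dumps(r, sort_keys=True) for r in self.records)


def verify_chain(export: str, expected_head: str = "") -> tuple[bool, int]:
    """Return (ok, index of the first bad record, or -1). If expected_head is
    given, a chain that verifies internally but stops early is reported as bad."""
    prev = GENESIS
    lines = export.splitlines()
    for i, line in enumerate(lines):
        rec = json.loads(line)
        claimed = rec.pop("hash", "")
        if rec.get("seq") != i or rec.get("prev_hash") != prev or record_hash(rec) != claimed:
            return False, i
        prev = claimed
    if expected_head and prev != expected_head:
        return False, len(lines)  # tail records are missing
    return True, -1


def sample_chain() -> AuditChain:
    """Constructed sample data (documentation IP range, placeholder actors)."""
    chain = AuditChain()
    chain.append("alice@example.invalid", "api_key.create", "203.0.113.7", "2026-05-08T10:00:00+00:00")
    chain.append("bob@example.invalid", "role.change:ADMIN", "203.0.113.9", "2026-05-08T10:05:00+00:00")
    chain.append("alice@example.invalid", "pipeline.delete", "203.0.113.7", "2026-05-08T10:09:00+00:00")
    return chain


def tamper_and_verify(export: str, idx: int, new_actor: str, recompute: bool) -> tuple[bool, int]:
    """Rewrite one record's actor, optionally re-hashing it, then verify."""
    lines = export.splitlines()
    rec = json.loads(lines[idx])
    rec["actor"] = new_actor
    if recompute:
        rec.pop("hash")
        rec["hash"] = record_hash(rec)
    lines[idx] = json.dumps(rec, sort_keys=True)
    return verify_chain("\n".join(lines))


if __name__ == "__main__":
    chain = sample_chain()
    exp = chain.export()
    print("intact:", verify_chain(exp, chain.head()))
    print("edited record 1:", tamper_and_verify(exp, 1, "mallory", recompute=False))
    print("edited and re-hashed record 1:", tamper_and_verify(exp, 1, "mallory", recompute=True))
    print("tail dropped:", verify_chain("\n".join(exp.splitlines()[:2]), chain.head()))
```

Re-hashing a forged record moves the break to the next record rather than hiding it, because every later record commits to the old hash. Dropping records from the end is the one edit the chain cannot see on its own, so the head hash should be recorded periodically by the security principal (or published somewhere the application principals cannot write) and passed to the verifier as `expected_head`.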
CC5 · Control Activities
- All code changes require peer review via pull request before merge to main. Merges to main trigger automated CI (build, lint, type-check, dependency audit).
- Secrets (API keys, database credentials) are stored exclusively in environment variable management systems. No secrets are committed to source control.
- Database migrations are reviewed, versioned with Alembic, and tested in a non-production branch before promotion.
- Rate limiting is enforced at the API gateway layer using Upstash Redis for all public and authenticated endpoints.
CC6 · Logical and Physical Access Controls
- Access to production infrastructure (Vercel, Render, Neon, Cloudflare) is gated by SSO with phishing-resistant MFA.
- Role-based access control (RBAC) with USER / ADMIN / SUPER_ADMIN tiers is enforced at the application layer and logged via AuditLog.
- API keys are stored only as peppered SHA-256 hashes. Passwords use bcrypt with a cost factor ≥12.
- Production database access from application code is scoped to a least-privilege service account. Direct developer access requires an approved change ticket.
- Customer data is logically isolated by user ID. No cross-tenant data access is possible without explicit share grants.
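The "peppered SHA-256" control for API keys above is worth showing concretely, because the same design that makes it safe for keys (high-entropy random secrets) is exactly why it would be wrong for passwords. The block below is an added example, not DataVibe's code: it generates a key, stores only HMAC-SHA256(pepper, key), looks the row up by a non-secret key_id, and compares hashes in constant time. The `dv_` prefix, the key_id column, the in-memory store and the way the pepper is loaded are assumptions.

```python
"""Peppered API-key storage and lookup (CC6): added example, not DataVibe's code.

Keys are random, shown to the caller once and stored only as
HMAC-SHA256(pepper, key). The pepper lives in the secret store, never the
database, so a database dump alone cannot confirm guessed keys. The `dv_`
prefix, key_id lookup column and in-memory store are assumptions.
"""
import hashlib
import hmac
import secrets
from typing import Optional

PEPPER = secrets.token_bytes(32)  # placeholder; production loads this from the secret manager


def hash_key(api_key: str, pepper: bytes = PEPPER) -> str:
    # HMAC is the standard way to "pepper" SHA-256: the pepper is the MAC key,
    # so without it an attacker cannot even test candidate keys against the hash.
    return hmac.new(pepper, api_key.encode(), hashlib.sha256).hexdigest()


class ApiKeyStore:
    """Stand-in for an api_keys table: key_id -> {user_id, key_hash, revoked}."""

    def __init__(self) -> None:
        self._rows: dict[str, dict] = {}

    def issue(self, user_id: str) -> tuple[str, str]:
        """Create a key and return (key_id, plaintext). The plaintext is never stored."""
        key_id = secrets.token_hex(4)    # public lookup handle, safe to log
        secret = secrets.token_hex(32)   # 256 bits of entropy: no slow hash needed
        plaintext = f"dv_{key_id}_{secret}"
        self._rows[key_id] = {"user_id": user_id, "key_hash": hash_key(plaintext), "revoked": False}
        return key_id, plaintext

    def revoke(self, key_id: str) -> None:
        if key_id in self._rows:
            self._rows[key_id]["revoked"] = True

    def authenticate(self, presented: str) -> Optional[str]:
        """Return the owning user_id, or None. Lookup is by key_id, so there is
        no scan over secrets, and the hash comparison is constant-time."""
        parts = presented.split("_")
        if len(parts) != 3 or parts[0] != "dv":
            return None
        row = self._rows.get(parts[1])
        if row is None or row["revoked"]:
            return None
        if not hmac.compare_digest(row["key_hash"], hash_key(presented)):
            return None
        return row["user_id"]


if __name__ == "__main__":
    store = ApiKeyStore()
    kid, key = store.issue("user-42")
    print("issued", kid, "-> authenticates as", store.authenticate(key))
    store.revoke(kid)
    print("after revoke:", store.authenticate(key))
```

A single fast SHA-256 is appropriate here only because the key is 256 random bits: brute force is infeasible regardless of hash speed. Passwords are low-entropy, which is why the page keeps them on bcrypt with cost ≥12; storing them as peppered SHA-256 would leave them crackable from a database dump if the pepper ever leaked.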
CC7 · System Operations
- A public status page tracks real-time availability of all services (dashboard, core API, data plane, pipeline workspace).
- An on-call rotation is in place for P1/P2 incidents. On-call engineers have documented runbooks for common failure modes.
- Incident post-mortems are completed within 5 business days of resolution and stored in the internal knowledge base.
- Backup and restore procedures are validated quarterly against the Neon Postgres production branch.
CC8 · Change Management
- All infrastructure changes are committed as code (IaC) and reviewed before deployment. Ad-hoc console changes are prohibited in production.
- Database schema migrations are backward-compatible and deployed with a rollback plan.
- Feature flags are used to gate new functionality, enabling rollback without a code deployment.
- A change freeze process is followed during high-risk periods (customer release cuts, major holidays).
CC9 · Risk Mitigation
- A vendor management policy governs the selection and ongoing assessment of all sub-processors.
- Business continuity and disaster recovery plans are documented, tested annually, and cover data restoration, service failover, and customer communication.
- Cyber liability insurance is maintained commensurate with our risk profile.
- A formal vulnerability disclosure program allows security researchers to report issues to [email protected] with a guaranteed 5-business-day acknowledgement SLA.
In-scope sub-processors
All sub-processors are bound by data processing agreements and assessed annually.
| Sub-processor | Purpose | Region |
|---|---|---|
| Neon (PostgreSQL) | Cloud database hosting | US East |
| Vercel | Application hosting and edge delivery | Global |
| Render | Backend API hosting | US Oregon |
| Cloudflare | CDN, edge compute, DDoS protection | Global |
| Stripe | Payment processing and subscription management | US / EU |
| Resend | Transactional email delivery | Global |
| Upstash | Redis-based rate limiting and caching | US East |
Audit evidence types
Policy documentation
Written policies for security, incident response, vendor management, and acceptable use.
System configuration screenshots
Evidence of MFA enforcement, RBAC settings, encryption configuration, and firewall rules.
Access review logs
Quarterly access reviews exported from production IAM systems showing least-privilege enforcement.
Vulnerability scan reports
pip-audit and npm audit outputs from CI pipeline runs, with remediation evidence.
Incident records
Post-mortem documents and support tickets demonstrating detection, response, and closure.
Penetration test report
Annual third-party penetration test covering application, API, and infrastructure layers.
Request the evidence package
Includes: control list, policy audit log CSV, audit chain export, and management assertion letter. Available to Enterprise customers and active evaluators under mutual NDA.