SOC 2 Compliance

ɳSelf is pursuing SOC 2 Type 1 certification with a target report date of August 2026. This page summarizes our compliance posture and trust center information.

Current Status

Trust Services Criteria Coverage

Security (CC1-CC9) - Mandatory

• CC1 Control Environment: Code of conduct, background checks, org chart documented
• CC2 Communication: Policies published internally, incident escalation paths defined
• CC3 Risk Assessment: Annual risk review, risk register maintained
• CC4 Monitoring: Continuous monitoring via Vanta + quarterly manual review
• CC5 Control Activities: All technical controls implemented (see below)
• CC6 Logical Access: SSO via Google Workspace, MFA enforced, quarterly access reviews, least-privilege IAM
• CC7 System Operations: Change management via GitHub PR, incident response plan, weekly vulnerability scans
• CC8 Change Management: PRs require review + passing CI, production deploys logged
• CC9 Risk Mitigation: Vendor risk reviews, DPAs with sub-processors

Availability (A1) - Pursued for Enterprise

• A1.1-A1.3: Capacity planning, BCP/DR plan, environmental protections (Hetzner + Cloudflare data center certifications)

Confidentiality (C1) - Pursued

• C1.1-C1.2: Data classification, retention and disposal policies (cross-referenced with GDPR data deletion)

Technical Controls

• Encryption at rest: LUKS on Hetzner servers + S3 SSE-S3
• Encryption in transit: TLS 1.3 everywhere, HSTS enabled
• Logging and monitoring: Loki + Grafana + Prometheus
• Vulnerability scanning: Dependabot + SAST
• Change management: GitHub PR + CI gates + production deploy logging
• Backup: Automated daily backups with 35-day retention

Automation Platform

We use Vanta for continuous compliance monitoring, connected to GitHub, AWS, Stripe, and Google Workspace. Vanta continuously validates our control posture and flags gaps in real time.

Request Our Report

Once our SOC 2 Type 1 report is available, Enterprise customers can request a copy under NDA. Contact security@nself.org.