§ 01 · SECURITY · 6 PILLARS · GDPR · SOC2 IN PROGRESS

Protection you can rely on.

02 Compliance · standards refs
Standard        Our status             Notes
ISO 27001       Via vendor (AWS)       AWS certification active
SOC 2 Type II   In progress            Q3 2026
GDPR            Compliant              See policy
CCPA            Compliant              See policy
HIPAA           Out of scope
PCI DSS         Outsourced (Stripe)    Card data handled by Stripe

// SOC 2 Type II audit window opened Q1 2026, expected report Q4 2026. Trust report — on request under NDA.

02 Infrastructure

Hosted on AWS Frankfurt (eu-central-1). Multi-AZ Postgres, S3-compatible object storage with KMS encryption, CloudFront edge. Network is a private VPC; PostgreSQL is not reachable from the public internet.

  • 01 AWS · ISO 27001 · SOC 2 Type II
  • 02 AES-256 at rest
  • 03 TLS 1.3 in transit
  • 04 Daily snapshot · 30-day retention
03 Access control

Least-privilege by default. SSO via Google Workspace or Microsoft accounts (SAML 2.0 / OIDC). MFA is optional on every tier and enforced on the Master tier. Every admin action is written to a read-only audit log, retained for one year.

  • 01 SSO (SAML 2.0, OIDC)
  • 02 MFA · TOTP / WebAuthn
  • 03 RBAC · 4 roles
  • 04 Audit log · 12 mo
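The read-only audit log above is a property worth enforcing in the database rather than only in application code. The following is an added illustration written for this page, not the product's own schema: an append-only audit table in PostgreSQL where the application role can insert and read but cannot rewrite history. The table name, column set and the app_user role are assumed names.

```sql
-- Added example (assumed names, not the smartpluvia.studio schema):
-- an append-only audit log for admin actions in PostgreSQL.

CREATE TABLE audit_log (
    id          bigserial PRIMARY KEY,
    occurred_at timestamptz NOT NULL DEFAULT now(),
    actor_id    uuid NOT NULL,
    tenant_id   uuid NOT NULL,
    action      text NOT NULL,      -- e.g. 'role.grant', 'member.remove'
    target      text,
    details     jsonb NOT NULL DEFAULT '{}'::jsonb
);

-- The application connects as a non-owner role that may only append and read.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT ON audit_log TO app_user;
GRANT USAGE ON SEQUENCE audit_log_id_seq TO app_user;
-- Deliberately no UPDATE, DELETE or TRUNCATE grant.

-- Defence in depth: refuse in-place edits regardless of which role runs them,
-- so a bug or a leaked credential with broader grants still cannot rewrite rows.
CREATE OR REPLACE FUNCTION audit_log_immutable() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'audit_log is append-only (% attempted)', TG_OP
        USING ERRCODE = 'insufficient_privilege';
END;
$$;

-- TRUNCATE triggers are statement-level, so the combined trigger is too.
CREATE TRIGGER audit_log_no_rewrite
    BEFORE UPDATE OR DELETE OR TRUNCATE ON audit_log
    FOR EACH STATEMENT EXECUTE FUNCTION audit_log_immutable();

-- Writing an entry (inside the same transaction as the admin action it records,
-- so the log and the change commit or roll back together):
INSERT INTO audit_log (actor_id, tenant_id, action, target, details)
VALUES ('0b2c1c8e-4f0a-4b6e-9a7d-6c5e4f3a2b10',
        '7a4d1f7e-2b7c-4f1b-9d8a-1b2c3d4e5f60',
        'role.grant', 'user:alice', '{"role": "admin"}');

-- Retention (12 months) is the one sanctioned mutation. It runs as the table
-- owner from a scheduled job and must disable the trigger explicitly, which
-- keeps expiry distinct from any ad-hoc edit:
-- ALTER TABLE audit_log DISABLE TRIGGER audit_log_no_rewrite;
-- DELETE FROM audit_log WHERE occurred_at < now() - interval '12 months';
-- ALTER TABLE audit_log ENABLE TRIGGER audit_log_no_rewrite;
```

The check a reviewer would run against such a setup: connect as the application role and attempt `UPDATE audit_log SET action = 'x'` and `DELETE FROM audit_log`; both should fail, first on the missing grant and, if a grant is ever added by mistake, on the trigger.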
04 Data protection

Customer data (polygons, projects, BoMs) lives in a separate Postgres schema protected by row-level security, so each tenant's queries can only reach that tenant's rows. Export anytime, as JSON or CSV. Account deletion starts a 30-day grace window, after which the data is hard-deleted.

  • 01 Per-tenant RLS
  • 02 Data export anytime
  • 03 30-day deletion grace
  • 04 PII pseudonymization
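As an added illustration of the per-tenant row-level security described above (example DDL written for this page, not the product's own schema; the tenant schema, projects table, app_user role and app.tenant_id session setting are assumed names), including the two mistakes that most often make an RLS setup hollow: the table owner bypassing the policy, and an unset tenant context matching everything.

```sql
-- Added example (assumed names, not the smartpluvia.studio schema):
-- per-tenant row-level security in PostgreSQL.

CREATE SCHEMA IF NOT EXISTS tenant;

CREATE TABLE tenant.projects (
    id         bigserial PRIMARY KEY,
    tenant_id  uuid NOT NULL,
    name       text NOT NULL,
    polygon    jsonb,
    created_at timestamptz NOT NULL DEFAULT now()
);

-- The application connects as a non-owner role. The table owner and any
-- superuser bypass RLS unless FORCE ROW LEVEL SECURITY is set, so the app
-- must never connect as the owner.
CREATE ROLE app_user NOLOGIN;
GRANT USAGE ON SCHEMA tenant TO app_user;
GRANT SELECT, INSERT, UPDATE, DELETE ON tenant.projects TO app_user;
GRANT USAGE ON SEQUENCE tenant.projects_id_seq TO app_user;

ALTER TABLE tenant.projects ENABLE ROW LEVEL SECURITY;
ALTER TABLE tenant.projects FORCE ROW LEVEL SECURITY;

-- Tenant context comes from a session setting the app sets per request.
-- NULLIF(current_setting(..., true), '') yields NULL when the setting is
-- missing or reset; a NULL comparison is never true, so a request that
-- forgets to set the tenant sees and writes nothing instead of everything.
CREATE POLICY tenant_isolation ON tenant.projects
    AS PERMISSIVE
    FOR ALL
    TO app_user
    USING (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Per-request usage. SET LOCAL scopes the role and tenant to this
-- transaction, so nothing leaks to the next request on a pooled connection.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.tenant_id = '7a4d1f7e-2b7c-4f1b-9d8a-1b2c3d4e5f60';

INSERT INTO tenant.projects (tenant_id, name)
    VALUES ('7a4d1f7e-2b7c-4f1b-9d8a-1b2c3d4e5f60', 'roof-a');

-- A row tagged with another tenant fails the WITH CHECK clause:
-- INSERT INTO tenant.projects (tenant_id, name)
--     VALUES ('00000000-0000-0000-0000-000000000001', 'x');
-- ERROR: new row violates row-level security policy for table "projects"

SELECT id, name FROM tenant.projects;   -- only this tenant's rows
COMMIT;
```

Two checks a practitioner would run against such a schema: `SELECT relforcerowsecurity FROM pg_class WHERE oid = 'tenant.projects'::regclass` must return true, and a session as app_user with no `app.tenant_id` set must return zero rows from `SELECT count(*) FROM tenant.projects`.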
05 Application security

OWASP Top 10 coverage tested monthly. CI blocks deploy on critical CVEs. External penetration test once a year. Public bug bounty — up to $5,000 for a critical finding.

  • 01 OWASP ASVS L2
  • 02 Monthly SAST + DAST
  • 03 Annual pen-test
  • 04 Bug bounty open
06 Vendor management

Every subprocessor is named in the DPA. Changes get a 30-day notice. Key vendors: AWS (hosting), Stripe (billing), Postmark (email), Sentry (errors). All DPA-signed.

  • 01 AWS · hosting
  • 02 Stripe · billing
  • 03 Postmark · email
  • 04 Sentry · APM
07 Incident response

24/7 monitoring. Notification SLA: 24 h to affected data subjects (our commitment; GDPR Art. 34 requires notice without undue delay) and 72 h to the supervisory authority (GDPR Art. 33). Channels: public status page, email, and for the Master tier a DPO phone call within 4 h.

  • 01 24h breach notification
  • 02 72h regulator notice
  • 03 Status page · public
  • 04 Postmortem · 7 days
§ 99 · CONTACT

Security questions?

DPO replies within 24 hours. Vulnerability reports — security@smartpluvia.studio with PGP. General queries — support.