SOC 2 readiness
VisitorFlow is engineered to fit cleanly inside our customers' SOC 2 audits and is actively working toward our own SOC 2 Type II report. This page describes the controls we run today, how they map to the AICPA Trust Services Criteria, and what evidence we ship to help your auditor accept VisitorFlow as a sub-service organisation.
Status
- SOC 2 Type I — audit in progress. A Type I report attests to the design of controls at a point in time; our formal Type I audit window opened in May 2026, with Vanta providing continuous control monitoring. The written policy set (10 policies covering access control, change management, incident response, risk management, vendor management, business continuity, asset management, data classification, personnel security, and secure development) is complete and under auditor review. Target attestation: Q3 2026.
- SOC 2 Type II — the observation period, which attests to operating effectiveness over time, opens after Type I attestation; target report Q1 2027.
- Bridge letter — available on request to cover the gap between the end of a report's period and the date you need coverage for.
Trust Services Criteria coverage
Security (CC1–CC9)
- Tenant isolation enforced in a single data-access layer (`withTenant(ctx)`): every query carries the tenant scope by construction, so a raw cross-tenant query is rejected at compile time rather than caught at runtime.
- Per-tenant KMS keys for the highest-stakes PII columns (driver licence numbers, photos).
- Mandatory 2FA (TOTP) for owner / admin roles. SAML SSO for Enterprise customers.
- Append-only audit log of every privileged mutation, recording actor, source IP, user agent and the stated reason.
- Mission Control (FR8 Tech staff) impersonation requires a written reason, which is signed into a short-lived token, and a banner stays visible in the customer's UI for the duration of the impersonation session.
- Quarterly access reviews with auto-revocation of dormant accounts after 90 days.
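The tenant-isolation bullet above claims that cross-tenant queries fail at compile time. The following is an added example, not VisitorFlow's code, showing one way a single data-access layer can make that true: `withTenant()` is the only function that can mint a branded `TenantCtx`, every query helper requires one and injects the tenant predicate itself, and writes stamp the tenant from the context rather than from the request body. The names (`withTenant`, `TenantCtx`, `visits`, `listVisits`, `getVisit`, `createVisit`) and the in-memory array standing in for Postgres are assumptions for illustration.

```typescript
// Added example (not VisitorFlow's code): a tenant-scoped data-access layer.
// Hypothetical names; an in-memory array stands in for the Postgres table.

// Unique-symbol brand. Only withTenant() applies it, so a plain { tenantId } object
// (for example one parsed from a request body) does not satisfy TenantCtx.
const tenantBrand = Symbol("tenant");
type TenantCtx = { readonly tenantId: string; readonly [tenantBrand]: true };

interface Visit {
  id: string;
  tenantId: string;
  visitorName: string;
}

// Constructed sample data spanning two tenants. In a real code base this table
// handle is module-private, so the helpers below are the only query path.
const visits: Visit[] = [
  { id: "v1", tenantId: "acme", visitorName: "Ada" },
  { id: "v2", tenantId: "acme", visitorName: "Grace" },
  { id: "v3", tenantId: "globex", visitorName: "Linus" },
];

// Mints the context from an authenticated session. This is the single place the
// brand is applied, so every TenantCtx in the system originated from a session.
function withTenant(session: { tenantId: string }): TenantCtx {
  if (!session.tenantId) throw new Error("session has no tenant");
  return { tenantId: session.tenantId, [tenantBrand]: true as const };
}

// Every read takes a TenantCtx and adds the tenant predicate itself; callers
// never write "WHERE tenant_id = ?" by hand, so they cannot forget it.
function listVisits(ctx: TenantCtx): Visit[] {
  return visits.filter((v) => v.tenantId === ctx.tenantId);
}

// Lookups by primary key are also scoped: a valid id from another tenant
// returns undefined instead of leaking the row.
function getVisit(ctx: TenantCtx, id: string): Visit | undefined {
  return visits.find((v) => v.tenantId === ctx.tenantId && v.id === id);
}

// Writes take the tenant from the context, never from the input, so a caller
// cannot create a row under a different tenant by supplying a tenantId field.
function createVisit(ctx: TenantCtx, input: { visitorName: string }): Visit {
  const v: Visit = {
    id: `v${visits.length + 1}`,
    tenantId: ctx.tenantId,
    visitorName: input.visitorName,
  };
  visits.push(v);
  return v;
}

// Compile-time check. The call below is rejected by the type checker because a
// plain object lacks the brand; it is left commented so the file compiles.
// getVisit({ tenantId: "globex" }, "v3"); // error: property [tenantBrand] is missing
```

The security property comes from the brand being unforgeable outside `withTenant()` and from the table handle being private to this module: an auditor can verify tenant isolation by reading one file and grepping for any other reference to the table.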
Availability (A1)
- Uptime target 99.9% on Standard, 99.95% on Professional, 99.99% on Enterprise.
- Live status page at status.visitorflow.com with subscribable RSS.
- Multi-region backups; RPO 5 min, RTO 1 h. Quarterly restore drills.
- Incident runbooks reviewed every 6 months; on-call rotation is 24/7.
Confidentiality (C1)
- AES-256 at rest (Postgres + R2 storage). TLS 1.3 in transit.
- Data classification policy with three tiers: Public / Internal / Restricted (PII).
- NDA with every employee + every sub-processor.
Processing integrity (PI1)
- Schema validation at every API boundary (Zod in TypeScript, Drizzle for the DB).
- Idempotency keys on every webhook delivery, plus Stripe-style replay protection: the signature covers a timestamp together with the body, and deliveries whose timestamp falls outside a tolerance window are rejected.
- Reproducible dependency resolution via Turborepo + pnpm, with a frozen-lockfile gate in CI so a build fails if the lockfile and package manifests disagree.
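The webhook bullet above names two mechanisms, per-delivery idempotency keys and Stripe-style signed-timestamp replay protection. The following is an added example, not VisitorFlow's code, that shows both sides of that exchange: the sender signs `timestamp.body` and sends the timestamp alongside the MAC, and the receiver verifies the MAC in constant time, bounds the timestamp to a tolerance window, and deduplicates on the idempotency key. The header names (`x-vf-signature`, `x-vf-idempotency-key`), the 300-second tolerance, the secret and the sample event body are assumptions for illustration.

```typescript
// Added example (not VisitorFlow's code): Stripe-style webhook signing with a
// timestamp tolerance window plus idempotency-key deduplication on the receiver.
// Header names, tolerance and secret are assumptions; the event body is constructed.
import { createHmac, timingSafeEqual } from "crypto";

const TOLERANCE_SECONDS = 300; // assumed window; Stripe's default is also 5 minutes

interface Delivery {
  headers: Record<string, string>;
  body: string;
}

// Sender side. The MAC covers "<timestamp>.<body>", so an attacker who captures
// a delivery cannot re-date it, and the timestamp travels in the same header.
function signDelivery(secret: string, body: string, idempotencyKey: string, nowSeconds: number): Delivery {
  const mac = createHmac("sha256", secret).update(`${nowSeconds}.${body}`).digest("hex");
  return {
    headers: {
      "x-vf-signature": `t=${nowSeconds},v1=${mac}`,
      "x-vf-idempotency-key": idempotencyKey,
    },
    body,
  };
}

type VerifyResult = "ok" | "duplicate" | "bad_signature" | "stale" | "malformed";

class WebhookReceiver {
  // Keys already processed. In production this lives in a store with a TTL at
  // least as long as the tolerance window; a Set is enough to show the logic.
  private seen = new Set<string>();

  constructor(private readonly secret: string) {}

  receive(d: Delivery, nowSeconds: number): VerifyResult {
    const sig = d.headers["x-vf-signature"] ?? "";
    // Strict format: a 64-hex-char v1 digest, so timingSafeEqual sees equal lengths.
    const m = /^t=(\d+),v1=([0-9a-f]{64})$/.exec(sig);
    if (!m) return "malformed";
    const ts = Number(m[1]);

    // 1. Recompute the MAC over the timestamp the sender claimed plus the raw body,
    //    and compare in constant time so the check does not leak via timing.
    const expected = createHmac("sha256", this.secret).update(`${ts}.${d.body}`).digest("hex");
    if (!timingSafeEqual(Buffer.from(expected), Buffer.from(m[2]))) return "bad_signature";

    // 2. Tolerance window: a validly signed delivery can only be replayed for a
    //    bounded time, which also bounds how long step 3 must remember keys.
    if (Math.abs(nowSeconds - ts) > TOLERANCE_SECONDS) return "stale";

    // 3. Idempotency: a retried or replayed delivery inside the window is
    //    acknowledged but not processed a second time.
    const key = d.headers["x-vf-idempotency-key"];
    if (!key) return "malformed";
    if (this.seen.has(key)) return "duplicate";
    this.seen.add(key);
    return "ok";
  }
}
```

Order matters: the MAC is checked before the timestamp is trusted, so an attacker cannot use the tolerance check as an oracle on unsigned input, and the replay window is what makes the dedup store bounded. A receiver should return a 2xx for `duplicate` so the sender stops retrying, and a 4xx for the other failures.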
Privacy (P1–P8)
See the dedicated GDPR & privacy guide — same control set, deeper detail.
Sub-processors
The current list is published at /security/subprocessors and updated 30 days before any addition takes effect.
- Vercel — hosting + CDN.
- Neon — managed Postgres.
- AWS — S3 (R2-compatible storage), Rekognition, Textract, KMS.
- Stripe — billing.
- Resend — transactional email.
- Twilio — SMS / WhatsApp.
- Inngest — durable background jobs.
- PostHog — product analytics (self-hosted EU instance available on request).
- Sentry — error monitoring.
Evidence we ship to your auditor
- SOC 2 Type I report (target Q3 2026) and Type II report (target Q1 2027) — shared under NDA.
- Annual pen-test summary and remediation tracker (external firm, CVSS-scored findings).
- Complete information-security policy set (10 policies — access control, change management, incident response, risk management, vendor management, business continuity, asset management, data classification, personnel security, secure development).
- STRIDE threat model covering the five highest-value flows (visitor check-in, driver check-in, billing, MC impersonation, custom domain takeover).
- Evidence pack export for any visit / driver record — photos, signatures, NDA versions, audit log.
- Customer-side audit log export (CSV / JSON).
- Sub-processor list with DPA status, updated 30 days before any changes.
Reporting a vulnerability
Email security@visitorflow.com. Our security.txt at /.well-known/security.txt links to our PGP key. We aim for first response within 24h on business days. The full disclosure policy is in SECURITY.md at the root of the GitHub repo.
Questions? Email trust@visitorflow.com. We share our SIG / CAIQ on request under NDA.