One page answers the procurement questionnaire: our current SOC 2 status, the subprocessors we share data with, how we encrypt and retain data, and who to contact for security or legal review.
Current status of the compliance frameworks we support. The SOC 2 Common Criteria evidence list is tracked in-product via the SOC 2 Control Tracker, a CISO-domain tool we ship ourselves, which means we eat our own dog food on this page.
| Framework | Status | Target | Detail |
|---|---|---|---|
| SOC 2 Type I | In Progress | Q3 2026 | Point-in-time assessment of control design; Type I report expected Q3 2026. The observation period that feeds Type II begins Q2 2026. |
| SOC 2 Type II | Planned | Q4 2026 / Q1 2027 | Follows Type I. 6-month observation period. |
| GDPR (EU) | Compliant | Ongoing | Data Processing Agreement available. EU subprocessors disclosed. DPIA on request. |
| CCPA (California) | Compliant | Ongoing | Right to access, delete, and opt out of sale honored. No sale of personal data. |
| HIPAA | Not in scope | None | BurnRateOS is not a HIPAA Business Associate. Do not store PHI on the platform. |
Encryption in Transit
TLS 1.3 everywhere. No unencrypted endpoints. HSTS enforced on all origins.
Encryption at Rest
All customer data encrypted at rest via Neon's managed PostgreSQL encryption (AES-256).
Authentication
Password authentication with bcrypt password hashing; sessions are JWTs signed with HS256 (HMAC-SHA256 under a server-held shared secret). 2FA (TOTP) supported. SSO on Enterprise.
Audit Logs
Every mutation writes an entry to an immutable audit trail. Super-admin access is logged and reviewable.
Multi-Tenant Isolation
Every read is scoped to the caller's account at the query level (row-level account filtering), so one account's rows are never returned to another.
Backups
Neon automated daily backups with point-in-time recovery (7 days on Pro, 30 days on Enterprise).
Third parties that may process BurnRateOS customer data. We maintain a DPA with each one, and this page serves as our GDPR Art. 28 subprocessor disclosure. Changes to this list are announced by email at least 30 days before a new subprocessor goes into effect.
| Subprocessor | Purpose | Region | DPA |
|---|---|---|---|
| Cloudflare Workers | Application runtime (serverless edge compute) | Global edge | View DPA → |
| Neon | PostgreSQL database hosting | US East (default); EU region available | View DPA → |
| SendPulse | Transactional email delivery | Global | View DPA → |
| OpenRouter (inc. Anthropic, OpenAI models) | AI model inference, routed by AI Credits model tier | US / Global | View DPA → |
| SignalWire | Business Phone (VoIP): voice, SMS, MMS | US | View DPA → |
| Stripe | Payment processing (default provider) | Global | View DPA → |
When will BurnRateOS complete SOC 2 certification?
Where is my data stored?
How can I exercise my GDPR data rights?
How do I report a security vulnerability?
Last reviewed: 2026-04-14 (static fallback; set TRUST_ACCOUNT_ID on the worker to source live data).