Security & Trust

Your data is protected.
And we can prove it.

soyes.ai is a startup. We don't have a SOC 2 Type 2 certificate yet — but we hold ourselves to the same standards and can document every control on request.

🇪🇺 EU Data Residency

All application data is stored on a Contabo server in France. Nothing leaves the EU without your knowledge.

🔒 Encrypted in Transit & at Rest

TLS everywhere via Cloudflare. Secrets encrypted with sops/age. Offsite backups AES-256 encrypted.

🛡️ Hardened Infrastructure

CSP enforcing, HSTS, X-Frame-Options DENY, UFW firewall, fail2ban, SSH key-only access.

🔑 Access Controls

RBAC with four roles, Google SSO, httpOnly cookie auth, separate superadmin domain, forced password rotation on provisioning.

🧹 Right to Erasure

GDPR Art. 17 erasure fully implemented. We erase a customer's data across all stores on request within 72 hours.

💾 Daily Backups + PITR

Daily offsite backups + 8-day PostgreSQL point-in-time recovery window. Restore drill last passed June 2026.

Automated security scanning on every push

✓ PASS      Semgrep SAST — Python + TypeScript/React
            153 files scanned · 164 rules · 0 real findings
            Last full scan: June 2026 · Pinned rule set: semgrep/semgrep-rules@48a4fdb

✓ PASS      Bandit — Python SAST (medium severity / medium confidence)
            Clean since Phase 1 hardening · Runs on every push to master

✓ PASS      Gitleaks — Secret / credential leak detection
            Full commit history scanned · Blocking on any finding

ⓘ Advisory  pip-audit + npm audit — Dependency CVE monitoring
            Python + all five frontend apps checked · Results surfaced in CI log

Sub-processors

These are the third-party services that may process your customers' data on our behalf.

Sub-processor         | Purpose                        | Data location
----------------------|--------------------------------|-----------------------------
Contabo GmbH          | Hosting / infrastructure       | France (EU)
Google (Gemini API)   | AI model inference             | Per Google terms
Cloudflare            | WAF / CDN / TLS                | Global edge (metadata only)
Paddle                | Payments (Merchant of Record)  | Per Paddle terms
Microsoft (OneDrive)  | Encrypted offsite backups      | Per operator M365 tenant

SOC 2 readiness

ⓘ Self-assessed
Internal SOC 2 Trust Services Criteria assessment — June 2026
Scored against Security (CC1–CC9), Availability, Confidentiality, and Privacy criteria.
55 controls implemented · 22 partial · 0 gaps.
Full documentation and evidence index available on request. Formal SOC 2 Type 2 audit is on our roadmap as we scale.

Need our security documentation?

We can share our full SOC 2 self-assessment, DPA template, or answer your vendor security questionnaire.

Contact security team