Compliance

Our compliance posture, SOC 2 control mapping, and provider certifications.

SOC 2 Status

🔄

Readiness Assessment In Progress

HiveFlow has implemented the core technical controls required by SOC 2. The formal SOC 2 program and independent third-party penetration test are being established through Vanta.

SOC 2 Type I — Target Q3 2026SOC 2 Type II — Target Q3 2027

SOC 2 Controls Mapping

CC6 — Logical Access

Multi-factor authenticationImplemented
Session management (JWT 7-day expiry, secure cookies)Implemented
Server-side session revocation (logout & password change)Implemented
Rate limiting on authentication (brute-force protection)Implemented
Granular access control (API keys with scopes)Implemented
Multi-tenant isolation (API + real-time WebSocket layer)Implemented

CC6 — Encryption

Encryption in transit (TLS 1.2+)Implemented
Encryption at rest (AES-256-GCM)Implemented
Key management (separated secrets)Implemented

CC7 — System Operations

Structured logging (Winston, JSON format)Implemented
Real-time monitoring (tenant-scoped WebSocket logs)Implemented
Documented incident response process (IR)Implemented
Business continuity & disaster recovery (BCP/DR) — documentedImplemented
Centralized log management (Datadog)Implemented
Security alerting on auth & access eventsImplemented
Cloud SIEM threat detectionRoadmap

CC8 — Change Management

CI/CD pipeline (GitHub Actions)Implemented
Automated testing (Jest + Playwright E2E)Implemented
Code review (GitHub PRs, branch protection)Implemented

CC3 — Risk Assessment

Input validation (express-validator)Implemented
HTML sanitization (sanitize-html)Implemented
Password policies (8+ chars, uppercase, number)Implemented
SSRF protection (private/metadata IP blocking)Implemented
Continuous security assessments (automated pentest, LLM red-team, manual review)Implemented
Documented vulnerability management programImplemented
Third-party penetration testing (via Vanta)Roadmap

Provider Certifications

HiveFlow's infrastructure providers maintain their own compliance certifications:

ProviderSOC 2ISO 27001HIPAAGDPROther
AWS (S3, Bedrock)✓✓✓✓SOC 1/3, FedRAMP, PCI DSS
MongoDB Atlas✓✓✓✓PCI DSS
Anthropic (Claude)✓✓—✓ISO 42001 (AI Safety)
Vercel✓✓—✓—
Railway✓——✓—
Google (OAuth)✓✓✓✓SOC 1/3, FedRAMP
E2B (Sandbox)———✓Firecracker isolation

Roadmap to Full Certification

Formal security policies documentationQ3 2026
Enterprise SSO (SAML/OIDC)Q3 2026
Mandatory MFA enforcement by organizationQ3 2026
RBAC per workspace (owner/admin/member/viewer)Q3 2026
SOC 2 Type I auditQ3 2026
Approval workflows for agent actionsQ4 2026
SOC 2 Type II auditQ3 2027