# Compliance

Our compliance posture, SOC 2 control mapping, and provider certifications.
## SOC 2 Status

**Readiness Assessment In Progress**

HiveFlow has implemented the core technical controls required by SOC 2. We are currently in the readiness assessment phase with our compliance partner.

- SOC 2 Type I — Target Q3 2026
- SOC 2 Type II — Target Q3 2027
## SOC 2 Controls Mapping

### CC6 — Logical Access

| Control | Status |
|---|---|
| Multi-factor authentication | Implemented |
| Session management (JWT 24h, secure cookies) | Implemented |
| Granular access control (API keys with scopes) | Implemented |
| Access revocation (token deletion, user deactivation) | Implemented |

### CC6 — Encryption

| Control | Status |
|---|---|
| Encryption in transit (TLS 1.2+) | Implemented |
| Encryption at rest (AES-256-GCM) | Implemented |
| Key management (separated secrets) | Implemented |

### CC7 — System Operations

| Control | Status |
|---|---|
| Structured logging (Winston, JSON format) | Implemented |
| Real-time monitoring (WebSocket logs) | Implemented |
| Incident response (graceful shutdown, orphan cleanup) | Implemented |
| Centralized log management | Roadmap |

### CC8 — Change Management

| Control | Status |
|---|---|
| CI/CD pipeline (GitHub Actions) | Implemented |
| Automated testing (Jest + Playwright E2E) | Implemented |
| Code review (GitHub PRs, branch protection) | Implemented |

### CC3 — Risk Assessment

| Control | Status |
|---|---|
| Input validation (express-validator) | Implemented |
| HTML sanitization (sanitize-html) | Implemented |
| Password policies (8+ chars, uppercase, number) | Implemented |
| Formal vulnerability management program | Roadmap |
| Third-party penetration testing | Roadmap |
## Provider Certifications

HiveFlow's infrastructure providers maintain their own compliance certifications:

| Provider | SOC 2 | ISO 27001 | HIPAA | GDPR | Other |
|---|---|---|---|---|---|
| AWS (S3, Bedrock) | ✓ | ✓ | ✓ | ✓ | SOC 1/3, FedRAMP, PCI DSS |
| MongoDB Atlas | ✓ | ✓ | ✓ | ✓ | PCI DSS |
| Anthropic (Claude) | ✓ | ✓ | — | ✓ | ISO 42001 (AI Safety) |
| Vercel | ✓ | ✓ | — | ✓ | — |
| Railway | ✓ | — | — | ✓ | — |
| Google (OAuth) | ✓ | ✓ | ✓ | ✓ | SOC 1/3, FedRAMP |
| E2B (Sandbox) | — | — | — | ✓ | Firecracker isolation |
## Roadmap to Full Certification

| Milestone | Target |
|---|---|
| Formal security policies documentation | Q3 2026 |
| Enterprise SSO (SAML/OIDC) | Q3 2026 |
| Mandatory MFA enforcement by organization | Q3 2026 |
| RBAC per workspace (owner/admin/member/viewer) | Q3 2026 |
| Centralized log management (DataDog/CloudWatch) | Q3 2026 |
| Third-party penetration testing | Q3 2026 |
| SOC 2 Type I audit | Q3 2026 |
| Approval workflows for agent actions | Q4 2026 |
| SOC 2 Type II audit | Q3 2027 |