Compliance
Posture, not promises.
We don't claim certifications we don't hold. This page documents the controls in place today, the controls on the roadmap with target dates, and what we provide to your procurement team in lieu of a finished SOC 2 report.
01 · Certifications & frameworks
Where we are.
| Framework | Status | Target |
|---|---|---|
| SOC 2 Type I | roadmap | readiness assessment Q3 2026 |
| SOC 2 Type II | roadmap | observation window starting Q4 2026 |
| ISO 27001 | roadmap | scoped post SOC 2 Type II |
| GDPR (EU 2016/679) | in place | — |
| Argentina Ley 25.326 (Personal Data Protection) | in place | — |
| HIPAA | on engagement | BAA + controls scoped per healthcare engagement |
| PCI DSS | not applicable | we do not store cardholder data |
02 · SOC 2 roadmap
Quarters, not "soon".
Enterprise customers signed before Type I receive monthly progress updates against the roadmap and have the right to terminate without penalty if a milestone slips by more than two quarters.
03 · GDPR posture
Data subject rights, by implementation.
We act as a data processor for customer-uploaded content. Customers are the data controllers and remain responsible for lawful basis. We provide:
- Article 15 (access) — per-tenant export endpoint returns all stored data in JSON.
- Article 16 (rectification) — tenant-side mutation APIs for every stored entity.
- Article 17 (erasure) — tenant-level destroy endpoint deletes storage and destroys the per-tenant Key Encryption Key, rendering audit-envelope contents permanently unreadable (the hash chain remains verifiable). See /security §03.
- Article 20 (portability) — same as Article 15 export, JSON format.
- Article 32 (security of processing) — see /security for technical and organizational measures.
- Article 33 (breach notification) — 72-hour notification commitment to controllers, written into the DPA.
A Data Processing Agreement (DPA) is provided as part of every enterprise SOW. EU Standard Contractual Clauses (2021) attached where data crosses borders.
04 · Data residency
Where your data lives.
Managed cloud defaults to us-east-1 (AWS, Virginia). For EU residency requirements, deploy in customer VPC (eu-west-1 / eu-central-1) or on-premise — see /deployment. We do not silently replicate customer data across regions.
Sub-processors used in the managed-cloud path are listed in the DPA and include the cloud provider (AWS / Render) and the LLM provider (Google Gemini). Customers can require a specific LLM region or substitute a self-hosted model in VPC / on-prem deployments.
05 · Audit & retention
What we keep and for how long.
| Data class | Default retention | Configurable to |
|---|---|---|
| Audit log (hash-chained) | 7 years | 1–10 years |
| Workflow execution logs | 180 days | 30 days – 3 years |
| Document content (uploaded) | customer-controlled | delete-on-demand |
| RAG embeddings | linked to source documents | auto-purge on source delete |
| System metrics / latency histograms | 90 days aggregated | 1–365 days |
| Backups (managed cloud) | 30 days | up to 7 years |
05.b · Compliance incident tracker (live)
Per-tenant incident surface.
06 · What we send to procurement
In the absence of SOC 2.
On request, enterprise prospects receive:
- A controls attestation letter signed by the CEO listing every control on this page and on /security, with evidence references.
- A completed CAIQ Lite (Cloud Security Alliance Consensus Assessments Initiative Questionnaire).
- A Data Processing Agreement with EU Standard Contractual Clauses attached.
- The SOC 2 roadmap commitment letter, with termination-without-penalty clause if milestones slip.
- An architecture diagram with data-flow boundaries.
- References to the open-source dependencies and their licenses (SBOM on request).
Email compliance@sonodadynamics.com to request the procurement pack. Target turnaround: 2 business days.
07 · Service Level Agreement
Uptime, response times, credits.
The commitments below are the default SLA written into every enterprise SOW. They are contractual targets measured live (public /status, /metrics) — the measured track record accrues in the open, and service credits apply where the SOW includes them.
| Commitment | Target | Measurement |
|---|---|---|
| Platform availability (managed cloud) | contractual target — set in your SOW | measured live: health-check ratio at 1-min interval, public at /status |
| API p95 latency (read endpoints) | objective: < 300 ms | measured live at /metrics (rolling 30-day p95) |
| Critical incident first response (P1) | Defined in the Enterprise SOW | incidents are auto-classified P1/P2/P3 today; human response-time targets are committed per Enterprise engagement — not a blanket guarantee |
| Security incident notification | < 72 hours | from confirmed breach, per DPA Art. 33 |
| Webhook delivery success | objective: > 99% | measured live: 2xx responses over 30 days, excl. receiver downtime |
Service credits. Whether availability shortfalls carry service credits — and at what tiers — is agreed in each SOW, not promised on a marketing page. Where included: credits cap at 100% of the monthly fee, are the sole and exclusive remedy for availability shortfalls, and pair with the right to terminate without penalty after three consecutive missed months, with a pro-rated refund of any prepaid term.
Exclusions. Scheduled maintenance (announced ≥48h ahead, capped at 4h/month), force majeure, customer-caused outages (e.g. revoked credentials, exhausted quota), and outages of third-party dependencies the customer explicitly required (a specific LLM region, an on-prem network) are excluded from the availability calculation.
The full SLA with definitions, the maintenance-window schedule, and the credit-claim procedure is delivered as an annex to the SOW. Request it at compliance@sonodadynamics.com.