Trust + compliance
Where gasguide.app stands on certifications, posture, and how to request documents that aren't public. For deeper diligence (SOC 2 attestation, custom DPAs, architecture diagrams), email security@gasguide.app.
Compliance posture
HIPAA
Status: In place. Signed BAA with every subprocessor that touches PHI. Customer-facing BAA flow with click-through provisioning. Breach-notification SOP tightened to 10 business days for Covered Entities.
SOC 2 Type I
Status: Targeted Q4 2026. Controls largely in place today (MFA, RLS on 81/83 tables, audit logging, encryption at rest/in transit, vendor risk assessments). Formal Type I audit kicks off when 2-3 enterprise deals require it.
SOC 2 Type II
Status: Targeted Q3 2027. Type II requires 3-12 months of continuous evidence collection post-Type-I. Vanta/Drata/Secureframe will be adopted at Type-I kickoff to automate evidence collection.
GDPR + CCPA
Status: In place. Account deletion with PII anonymization, GDPR data export endpoint, notification preferences with RFC 8058 List-Unsubscribe, CAN-SPAM postal address in marketing email footer.
Penetration testing
Status: Quarterly automated + annual third-party. Dependabot runs continuously. First third-party pentest scheduled Q3 2026 (cost $8-15K). Vulnerability disclosure policy at /security/disclosure.
Request SOC 2 report (under NDA)
Our SOC 2 Type I report will be available once the audit completes (targeted Q4 2026). In the interim, we can share our controls inventory, vendor risk assessments, and architecture diagram under NDA for enterprise diligence.
Documents + policies
- Security overview
Encryption, MFA, RLS, audit logging, BAA, breach notification, SLA.
- Privacy policy
What we collect, why, how long we keep it, your rights.
- Status + uptime
Live uptime derived from operational telemetry, plus Core Web Vitals.
- Vulnerability disclosure
Responsible disclosure policy (RFC 9116 security.txt).
- BAA template
Business Associate Agreement for Covered Entities (HIPAA).
- Breach notification SOP
Our 10-business-day breach notification process.
Last updated: .