Trust Center
Compliance

Our compliance journey

We use vCISO Lite to manage our own security and compliance program. Here's our story—and our receipts.

Managed with vCISO Lite
47 policies managed
312 controls tracked
2,400+ evidence items
Zero audit exceptions

Current certifications

Third-party validated security and compliance.

SOC 2 Type II

Our SOC 2 Type II report covers a 12-month observation period and validates that our security controls are not just designed properly but operating effectively over time.

Auditor: Schellman & Company
Scope: Security, Availability, Confidentiality
Last audit: September 2024
Next audit: September 2025
ISO 27001:2022

Our ISMS covers the design, development, and operation of the vCISO Lite platform. We completed the transition to the 2022 standard in our 2024 surveillance audit.

Auditor: BSI Group
Scope: Information Security Management System
Last audit: June 2024
Next audit: June 2025
PCI DSS v4.0

We use Stripe for all payment processing and do not store, process, or transmit cardholder data directly. Our SAQ-A self-assessment validates our compliance with the applicable PCI DSS requirements.

Auditor: Self-Assessment
Scope: SAQ-A (Card-not-present, outsourced)
Last audit: January 2024
Next audit: January 2025

Compliance timeline

Our journey to multi-framework compliance.

Q1 2023

SOC 2 Type I certification

Achieved initial SOC 2 certification covering Security trust service criteria. Used vCISO Lite to generate policies and prepare evidence.

Q2 2023

ISO 27001 certification

Implemented ISMS and achieved ISO 27001:2013 certification. Gap analysis and control mapping done entirely in vCISO Lite.

Q3 2023

SOC 2 Type II underway

Began 12-month observation period for Type II. Continuous monitoring and evidence collection via our own platform.

Q4 2023

GDPR compliance program

Formalized GDPR compliance with documented data processing agreements, privacy impact assessments, and data subject rights procedures.

Q1 2024

PCI DSS compliance

Achieved PCI DSS compliance via SAQ-A. Validated secure integration with Stripe payment processing.

Q2 2024

ISO 27001:2022 transition

Successfully transitioned to updated ISO 27001:2022 standard during surveillance audit.

Q3 2024

SOC 2 Type II certified

Completed first full Type II audit with zero exceptions. Auditor noted exceptional evidence organization.

Q4 2024

Expanded SOC 2 scope

Added Availability and Confidentiality trust service criteria for comprehensive coverage.

Security documentation

Request our security artifacts for your vendor assessment.

SOC 2 Type II Report

Full audit report covering Security, Availability, and Confidentiality (NDA required)

Type: Audit Report
Access: NDA

SOC 2 Bridge Letter

Letter from auditor confirming no material changes since last report

Type: Letter
Access: On Request

ISO 27001 Certificate

Current ISO 27001:2022 certificate issued by BSI

Type: Certificate
Access: Public

Penetration Test Summary

Executive summary of most recent third-party penetration test

Type: Summary
Access: NDA

Security Questionnaire (CAIQ)

Pre-filled Consensus Assessment Initiative Questionnaire

Type: Questionnaire
Access: Public

Data Processing Agreement

Standard DPA with EU Standard Contractual Clauses

Type: Agreement
Access: Public

Need documentation for your assessment?

We understand vendor security assessments. Request our security pack and we'll get you everything you need—usually within 24 hours.