SOC 2 Compliance

What is SOC 2?

SOC 2 (System and Organization Controls 2) is an auditing framework developed by the American Institute of Certified Public Accountants (AICPA). It evaluates an organization's controls and processes related to security, availability, processing integrity, confidentiality, and privacy. SOC 2 compliance demonstrates that a service provider maintains rigorous controls to protect customer data and ensure reliable service delivery.

Our Commitment

Cintrico is actively pursuing SOC 2 Type II certification for the BOSS platform. We have implemented the organizational policies, technical controls, and operational procedures required to meet the Trust Services Criteria. Our SOC 2 Type II audit is currently in progress, covering a continuous observation period to validate the effectiveness of our controls over time.

While our formal certification is underway, we operate in full alignment with SOC 2 requirements across all five Trust Service Principles.

Trust Service Principles

Infrastructure Security

The BOSS platform is built on a secure-by-design infrastructure:

• Encryption at Rest: All data stored in our databases is encrypted using AES-256 encryption. Encryption keys are managed through dedicated key management services with automatic rotation
• Encryption in Transit: All data transmitted between clients and servers is protected by TLS 1.3. Internal service-to-service communication is encrypted via mutual TLS
• Access Controls: Role-based access control (RBAC) is enforced at every layer. Administrative access requires multi-factor authentication and is limited to authorized personnel on a least-privilege basis
• Network Isolation: Customer workspaces are logically isolated at the database, storage, and compute layers. Network segmentation ensures that traffic between tenants is strictly separated
• Vulnerability Management: Automated vulnerability scanning runs continuously. Critical vulnerabilities are patched within 24 hours. We conduct regular penetration testing through independent third-party firms

Data Handling

We maintain formal data handling policies that govern the full lifecycle of information within the platform:

• Classification: Data is classified into four tiers -- Public, Internal, Confidential, and Restricted -- each with defined handling, storage, and access requirements
• Retention: Data retention periods are defined by category and enforced automatically. Active data, archived data, and deleted data follow separate retention schedules
• Deletion: When data is deleted, it is purged from active systems within 30 days and from backups within 90 days. Cryptographic erasure is used where applicable to render deleted data irrecoverable

AI-Specific Controls

AI introduces unique security considerations. BOSS implements the following controls specific to AI operations:

• Model Access Controls: AI model API keys are stored in encrypted vaults and rotated regularly. Access to model endpoints is restricted by workspace and user role
• Data Isolation: AI agent context windows are scoped to the current workspace. Cross-workspace data leakage is prevented through strict prompt boundary enforcement and memory isolation
• Prompt Injection Protection: All user inputs are sanitized and validated before being passed to AI models. We employ multi-layer defense against prompt injection, jailbreaking, and adversarial attacks
• Output Filtering: AI-generated outputs are screened for sensitive data patterns (PII, credentials, secrets) before being returned to users, with configurable filtering rules per workspace
• Audit Trail: Every AI agent invocation, prompt, and response is logged with timestamps, user identity, and workspace context for complete traceability

Audit Trail

Every significant action within the BOSS platform is captured in an immutable audit log:

• User authentication events (login, logout, MFA challenges, failed attempts)
• Data access and modification events (create, read, update, delete)
• AI agent executions, including prompts submitted and outputs generated
• Administrative actions (user provisioning, role changes, configuration updates)
• System events (deployments, configuration changes, security alerts)

Audit logs are stored in tamper-evident, append-only storage. Logs are retained for a minimum of 12 months and can be exported in standard formats (JSON, CSV) for external compliance review.

Vendor Security

We assess and monitor the security posture of every third-party vendor integrated into the BOSS platform:

• Supabase: SOC 2 Type II certified. Provides database hosting, authentication, and real-time subscriptions with row-level security
• Vercel: SOC 2 Type II certified. Provides hosting, edge networking, and analytics with enterprise-grade DDoS protection
• Anthropic: Security-reviewed AI model provider. Data processing agreements prohibit use of customer data for model training
• OpenAI: SOC 2 Type II certified. Enterprise API with zero data retention policy and dedicated capacity options
• Google Cloud: SOC 2 Type II certified. Provides infrastructure services with comprehensive compliance coverage
• Stripe: PCI DSS Level 1 certified. Handles all payment processing with no sensitive card data stored in BOSS systems

Vendor security assessments are conducted annually and upon any material change in the vendor's services or security posture.