SOC 2 Type II (In Progress)

SOC 2 Type II Controls

ekkOS has implemented comprehensive SOC 2 Type II security controls. We are currently undergoing our external audit with certification expected Q1 2025.

CC1 - Control Environment

ekkOS maintains a control environment that demonstrates a commitment to integrity and ethical values.

  • Clear security roles and responsibilities
  • Security team: CEO (owner), CTO (technical lead)
  • Incident response plan documented
  • Security Policy, Privacy Policy, and Code of Conduct established

CC2 - Communication and Information

ekkOS obtains and communicates relevant information to enable internal and external parties to carry out their responsibilities.

  • All team members trained on security best practices
  • Security documentation accessible to authorized personnel
  • Incident reporting procedures established

CC3 - Risk Assessment

ekkOS performs risk assessments to identify and analyze risks to achievement of objectives.

  • Quarterly security reviews
  • Threat modeling for new features
  • Vulnerability scanning (Dependabot, npm audit)
  • Third-party risk assessment (Supabase, Vercel, OpenAI)

CC4 - Monitoring Activities

ekkOS selects, develops, and performs ongoing and separate evaluations to determine whether controls are present and functioning.

  • Mission Control dashboard (pm2.ekkos.dev) for real-time monitoring
  • Health checks every 30 seconds
  • Error tracking (Sentry integration planned)
  • Audit logs for all admin actions

CC5 - Control Activities

ekkOS selects and develops control activities that contribute to mitigation of risks to achievement of objectives.

  • Multi-factor authentication (MFA) supported via Supabase Auth
  • Role-based access control (RBAC) with admin and user roles
  • API key authentication, with keys stored as SHA-256 hashes
  • Row Level Security (RLS) enforced at database level

CC6 - Logical and Physical Access Controls

ekkOS implements logical and physical access controls to protect against unauthorized access.

  • Production access limited to authorized personnel (CEO, CTO)
  • SSH keys required for server access (no passwords)
  • Database access via Supabase dashboard (MFA required)
  • Secrets stored in environment variables (Vercel/Railway)
  • Secure infrastructure via SOC 2 Type II certified providers (Supabase, Vercel)

CC7 - System Operations

ekkOS implements system operations controls to ensure systems operate as intended.

  • Automated backups (Supabase daily backups)
  • Disaster recovery plan documented
  • Deployment pipelines with CI/CD (Vercel, Railway)
  • 99.9% uptime SLA with multi-region deployment
  • Health checks and monitoring via Mission Control dashboard

CC8 - Change Management

ekkOS implements change management controls to ensure changes are authorized, tested, and properly deployed.

  • All code changes via Pull Requests
  • Required reviews before merge
  • Automated testing (unit + integration)
  • Staging environment for pre-production testing
  • Git flow and PR review process enforced

Request SOC 2 Report

Enterprise customers can request a copy of our SOC 2 Type II report upon completion of our audit (expected Q1 2025).