โฌก SOC 2-Aligned
Security & Trust Controls
WorkDecisions AI operates under a security framework aligned with AICPA SOC 2 Trust Service Criteria (TSC). Our controls address the five TSC categories: Security, Availability, Processing Integrity, Confidentiality, and Privacy. This document describes those controls, their operational status, and evidence of implementation.
Note on SOC 2 status: WorkDecisions AI operates SOC 2-aligned controls. We have not yet completed a formal SOC 2 Type II audit by an accredited CPA firm. Formal SOC 2 Type II audit is targeted as part of our enterprise client roadmap. We do not misrepresent our audit status. Prospects requiring a completed SOC 2 report may contact us to discuss our controls evidence directly.
๐๏ธ Trust Service Criteria Coverage
SOC 2 evaluates controls across five Trust Service Criteria. The table below shows our coverage status against each criterion.
CC1โCC9 ยท Security
Common Criteria (CC)
Logical and physical access controls, change management, risk assessment, monitoring. Our primary focus. All CC series controls implemented.
A-series ยท Availability
Availability
System availability for operation and use as committed. Supabase SLA 99.9%. Netlify SLA 99.99%. Monitoring and incident escalation active.
PI-series ยท Processing Integrity
Processing Integrity
System processing is complete, valid, accurate, and timely. All AI decision outputs are logged with actor ID, timestamp, and input hash for audit traceability.
C-series ยท Confidentiality
Confidentiality
Information designated as confidential is protected. Multi-tenant RLS enforced at database layer. Client data never co-mingled. AES-256 at rest.
๐ CC1โCC2: Control Environment & Communication
LiveDocumented security policies reviewed at start of every operational session. Agents operating within the swarm are bound by documented protocols.
LiveAll external-facing communications reviewed and approved by CEO (Glen Allison) prior to send. No unsanctioned outreach permitted.
LiveSecurity responsibilities defined and assigned per agent and edge function role. Principle of least privilege enforced.
LiveHard Rules (HR11โHR22) constitute the formal security policy framework, reviewed and updated after every material infrastructure change.
PlannedAnnual formal policy review with sign-off โ targeted Q4 2026 aligned with ISO audit readiness.
๐ CC6: Logical Access Controls
LiveEmail + Phone OTP two-factor authentication on all client portal access. No password-only routes exist.
LiveJWT tokens in HttpOnly cookies โ not exposed to JavaScript. XSS cannot steal authentication tokens.
LiveRow-Level Security (RLS) enforced at PostgreSQL layer โ every query scoped to tenant. Cross-client data access is architecturally blocked, not just application-enforced.
LiveAll secrets stored in Frankfurt edge function environment only. No secrets in source code, .env files, application variables, or third-party vaults. Agents receive key names, never values.
LiveAccess revocation: edge function access can be removed within 5 minutes via Frankfurt console. Database row-level access revocable without full system downtime.
PlannedQuarterly access review and privilege attestation โ Q3 2026.
๐ CC7: System Operations & Monitoring
All significant system events are written to the Frankfurt audit_log table. Monitoring is continuous.
| Control | Description | Status |
|---|
| Event Logging |
Every authentication event, data access, compliance action, and AI output logged with timestamp, actor ID, IP address, and outcome. |
Live |
| Log Integrity |
Audit logs are append-only. No application-layer delete permissions exist on audit_log. Retention: 7 years for compliance events, 90 days for operational logs. |
Live |
| Anomaly Detection |
Automated monitoring on Frankfurt edge functions. Anomalous patterns (unusual query volume, failed auth bursts, unexpected data access) trigger SMS alert to CEO within 15 minutes. |
Live |
| Vulnerability Management |
Infrastructure dependencies reviewed quarterly. No known-vulnerable packages in production. Supabase, Netlify, and RunPod managed infrastructure with their own CVE programs. |
Live |
| Penetration Testing |
Independent penetration test โ targeted H2 2026. |
Planned |
๐ CC8: Change Management
LiveAll material infrastructure changes documented in CLAUDE.md, System Architecture, and Frankfurt audit_log before and after deployment.
LiveProduction deployments (workdecisionsai.com, workdecisions.live) require explicit CEO approval in writing before execute. No autonomous production deploys permitted.
LiveAll prospect email sends require explicit CEO approval. No autonomous outreach permitted.
LiveSandbox environment (wdi-portal-sandbox.netlify.app) maintained for all pre-approval testing. Production is only updated after sandbox is reviewed and approved.
LiveDeprecated workflows documented and never reactivated. Production workflow list maintained and verified.
โ ๏ธ CC9: Risk Mitigation & Vendor Management
Third-party vendors and sub-processors are assessed before integration. Risk criteria include: data residency, certification status, breach history, DPA availability, and exit rights.
| Vendor | Risk Assessment | Mitigation |
|---|
| Supabase |
ISO 27001 certified. Frankfurt EU data residency. SOC 2 Type II certified. |
Primary infrastructure. GDPR-sovereign. |
| RunPod |
Switzerland jurisdiction โ GDPR Article 45 adequacy decision. |
AI compute only. Isolated containers per workload. No persistent client PII. |
| HeyGen |
US-based. Processes voice/video data. No ISO 27001. |
SCCs in DPA. Disclosed to clients before contract. Optional alternative available. |
| ElevenLabs |
US-based. Processes voice data. No ISO 27001. |
SCCs in DPA. Disclosed to clients before contract. Optional alternative available. |
| Netlify |
Global CDN. No client PII on CDN nodes. |
Static assets only. No personal data served via Netlify. |
| Resend |
US-based email delivery. Processes email addresses and content. |
SCCs in DPA. Transactional email only โ no marketing or bulk sends without consent. |
Full sub-processor list with DPA references: GDPR & Data Protection page.
โก Availability Controls
- Supabase Frankfurt SLA: 99.9% uptime commitment. Managed PostgreSQL with automated failover and daily backups.
- Netlify SLA: 99.99% uptime for static site delivery. Global CDN with automatic edge redundancy.
- Standby instance: Canada ca-central-1 Supabase instance maintained for disaster recovery. No active writes during normal operations. Failover time: < 4 hours (targeted).
- n8n workflow redundancy: All eight production workflows monitored. Failures flagged to CEO via SMS. Manual re-trigger available within 30 minutes.
- Incident response SLA: CEO notified within 15 minutes of anomaly detection. Containment within 60 minutes for P1 incidents.
๐ Confidentiality Controls
- All data at rest encrypted using AES-256 via Supabase transparent data encryption.
- All data in transit encrypted via TLS 1.2 minimum (TLS 1.3 preferred). No unencrypted connections accepted on any endpoint.
- PII fields encrypted at the application layer before database storage โ double-encrypted at rest.
- Multi-tenant isolation: every database query enforces WHERE company_id = :tenant_id at RLS layer. Cross-client data access is architecturally impossible, not merely policy-restricted.
- API secrets never appear in responses, logs, or error messages. Key names only โ never values.
- Client data access scoped strictly to the client's own company_id. Support access requires written authorization from client and is logged.
๐ก๏ธ Privacy Controls
- Privacy notices provided at point of data collection. No collection without consent or documented lawful basis.
- Data minimisation: only data necessary for contracted service is collected and stored. See GDPR page for full data inventory.
- Data subject rights (access, rectification, erasure, portability) fulfilled within 30 days of request.
- GDPR Article 33 breach notification: supervisory authority notified within 72 hours of awareness. Affected clients notified without undue delay where high risk exists.
- All sub-processors processing personal data are covered by a Data Processing Agreement. Client DPA available on request prior to onboarding.
Last updated: May 2026. Controls reviewed quarterly and following any material infrastructure change. For audit evidence requests or security questionnaires: glen@workdecisionsai.com