Compliance
Authio’s compliance posture.
Stated plainly: pre-audit readiness. We run the controls today and gather the evidence so that when we engage a SOC 2 auditor (Drata / Vanta / direct), we walk in with a six-month evidence trail in hand rather than starting from zero.
We do not claim certifications we have not earned. This page will change wording the moment a SOC 2 Type I report is issued.
Where we are.
SOC 2 Type I: target audit window opens 2027-Q1. The control matrix, the policy set, and the supporting code are in place today and visible at github.com/tcast/authio_compliance.
SOC 2 Type II: target audit window opens 2027-Q3, six months after Type I evidence-collection begins formally.
ISO 27001: on the public roadmap; will follow SOC 2 Type II.
HIPAA BAA: available on the Enterprise tier with a signed BAA. We do not encourage transmission of PHI on Free / Starter / Growth plans; see our terms.
GDPR / UK GDPR / CCPA / CPRA / LGPD: in place today. Our DPA is available on request; our DSR (data-subject request) fulfillment process is publicly documented in the compliance repo’s runbooks.
Trust Services Criteria coverage.
SOC 2 is organized around five Trust Services Criteria categories. Authio’s initial Type I scope is Security + Availability + Confidentiality; Privacy is added for Type II.
Common criteria (security)
- CC1 Control environment: Policies + accountability documented.
- CC2 Communication and information: Public commitments at /security, /privacy, /compliance; internal via this repo.
- CC3 Risk assessment: Risk register reviewed quarterly; annual threat model.
- CC4 Monitoring activities: Synthetic monitoring every 60s; audit-event stream; risk decisions captured per sign-in.
- CC5 Control activities: Control matrix mapping every CC criterion to implementing code or policy.
- CC6 Logical & physical access: Hardware MFA required; access grants and quarterly access reviews codified.
- CC7 System operations: Incident-response policy + runbook + public retrospectives; Dependabot + CodeQL.
- CC8 Change management: Branch protection + 24h cooling-off + self-review for auth / infra / migrations.
- CC9 Risk mitigation: Vendor management policy; sub-processor list; business continuity plan.
Additional categories
- A Availability: Status page + reliability dashboard; backup & restore runbook; restore drills quarterly.
- C Confidentiality: Encryption at rest + in transit; envelope-encrypted secrets; DSR workflow for disposal.
- P Privacy: Privacy policy + DSR workflow; sub-processor disclosure; data-minimization principle.
- PI Processing integrity: Not in scope for the initial Type I; product is authentication, not transaction processing.
The full control matrix lives at controls.md — every row cites the implementing code path or policy file.
Sub-processors.
Authio engages the following sub-processors. The list mirrors the canonical vendor-list.md; see also /privacy.
- Railway — application hosting, managed Postgres, managed Redis. United States by default; EU on request.
- Amazon Web Services — KMS, S3, SES, Secrets Manager, IAM. us-east-1 default.
- Cloudflare — edge network, DDoS mitigation, custom-domain TLS.
- Stripe — payment processing for paid plans.
- Twilio — SMS delivery, only when the customer opts into SMS as a channel.
- ClickHouse Cloud — audit-analytics warehousing, only for Growth+ customers who enable it.
New sub-processors are added with 30 days’ notice for Enterprise customers and immediate publication here for self-serve customers.
Data residency.
Default region for Customer Data is the United States (us-east-1). EU-tagged projects live entirely in eu-central-1 (Frankfurt). India-tagged projects in ap-south-1. Australia-tagged projects in ap-southeast-2.
Residency tagging is a per-project setting; once set it cannot be changed without a planned migration. Cross-region replication is opt-in.
When personal data is transferred from the EEA / UK / CH to a non-adequate country, the EU Standard Contractual Clauses (2021) and UK International Data Transfer Addendum apply, as incorporated in our DPA.
Encryption.
In transit: TLS 1.2 minimum (1.3 preferred), enforced at the Cloudflare edge with HSTS. Cloudflare-to-origin uses Full (strict) mode.
At rest: Postgres and Redis on Railway use full-disk encryption. Webhook signing secrets, audit-stream destination secrets, and SCIM bearer tokens are envelope-encrypted with ChaCha20-Poly1305 under per-project data keys, wrapped by an AWS KMS-held KEK in Secrets Manager.
Customer-managed (BYO-KMS): on the Enterprise tier, customers can bring their own AWS KMS master key for envelope encryption; revocation of the grant cuts off our ability to decrypt new traffic.
Key rotation: JWT signing, KMS envelope, webhook KEK, OAuth client secrets, and the Apple JWT are rotated on documented schedules; every rotation is recorded in our key_rotation_log table and surfaced in the operator dashboard.
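The envelope-encryption pattern described above (per-project data key, secrets sealed under it with ChaCha20-Poly1305, the data key wrapped by a KEK that only the key service holds, grant revocation blocking new decrypts, and KEK rotation that re-wraps without touching ciphertexts) in working form. This is an added example, not Authio's code: the AWS KMS / Secrets Manager KEK is replaced by a local `LocalKEK` stand-in so it runs offline, and the record layout, the `project_id:field` AAD binding, and the sample secret values are this example's own assumptions.

```python
"""Envelope encryption of per-project secrets with ChaCha20-Poly1305.

Added example, not Authio's implementation. LocalKEK stands in for an AWS
KMS-held KEK (assumption: in production only wrap/unwrap calls cross to
KMS; the raw KEK never leaves it). Requires the `cryptography` package.
"""
import os
from dataclasses import dataclass

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305

NONCE_LEN = 12  # ChaCha20-Poly1305 takes a 96-bit nonce


class LocalKEK:
    """Offline stand-in for a KMS key: wraps and unwraps data keys only."""

    def __init__(self, kek_id: str) -> None:
        self.kek_id = kek_id
        self._aead = ChaCha20Poly1305(ChaCha20Poly1305.generate_key())
        self.revoked = False  # models revocation of the customer's KMS grant

    def wrap(self, dek: bytes, aad: bytes) -> bytes:
        nonce = os.urandom(NONCE_LEN)
        return nonce + self._aead.encrypt(nonce, dek, aad)

    def unwrap(self, blob: bytes, aad: bytes) -> bytes:
        if self.revoked:
            raise PermissionError(f"grant on KEK {self.kek_id} revoked")
        return self._aead.decrypt(blob[:NONCE_LEN], blob[NONCE_LEN:], aad)


@dataclass(frozen=True)
class ProjectKeys:
    """Stored per project; useless without access to the named KEK."""
    project_id: str
    kek_id: str
    wrapped_dek: bytes  # per-project data key, sealed under the KEK


def create_project_keys(kek: LocalKEK, project_id: str) -> ProjectKeys:
    dek = ChaCha20Poly1305.generate_key()  # fresh 256-bit data key per project
    return ProjectKeys(project_id, kek.kek_id, kek.wrap(dek, project_id.encode()))


def _field_aad(project_id: str, field: str) -> bytes:
    # Binding project and field name into the AAD means a ciphertext moved to
    # another project or another column fails authentication instead of decrypting.
    return f"{project_id}:{field}".encode()


def encrypt_field(kek: LocalKEK, pk: ProjectKeys, field: str, secret: bytes) -> bytes:
    """Seal one secret (e.g. a webhook signing secret) under the project's DEK."""
    dek = kek.unwrap(pk.wrapped_dek, pk.project_id.encode())
    nonce = os.urandom(NONCE_LEN)
    return nonce + ChaCha20Poly1305(dek).encrypt(nonce, secret, _field_aad(pk.project_id, field))


def decrypt_field(kek: LocalKEK, pk: ProjectKeys, field: str, blob: bytes) -> bytes:
    """Unwrap the DEK (fails if the grant is revoked), then open the secret."""
    dek = kek.unwrap(pk.wrapped_dek, pk.project_id.encode())
    return ChaCha20Poly1305(dek).decrypt(blob[:NONCE_LEN], blob[NONCE_LEN:], _field_aad(pk.project_id, field))


def rewrap_project_keys(old: LocalKEK, new: LocalKEK, pk: ProjectKeys) -> ProjectKeys:
    """KEK rotation re-wraps the data key only; stored ciphertexts are untouched."""
    aad = pk.project_id.encode()
    return ProjectKeys(pk.project_id, new.kek_id, new.wrap(old.unwrap(pk.wrapped_dek, aad), aad))


def demo() -> dict:
    """Walk through round-trip, AAD misuse, grant revocation and KEK rotation."""
    kek = LocalKEK("kek-2026")
    pk = create_project_keys(kek, "proj_example")
    secret = b"whsec_constructed_sample"  # constructed sample value
    blob = encrypt_field(kek, pk, "webhook_signing_secret", secret)
    out = {"roundtrip": decrypt_field(kek, pk, "webhook_signing_secret", blob)}
    try:  # same bytes presented as a different field must be rejected
        decrypt_field(kek, pk, "scim_bearer_token", blob)
        out["wrong_field_rejected"] = False
    except InvalidTag:
        out["wrong_field_rejected"] = True
    new_kek = LocalKEK("kek-2027")
    pk_rotated = rewrap_project_keys(kek, new_kek, pk)  # rotate before revoking
    kek.revoked = True
    try:  # revoked grant: nothing new can be decrypted under the old KEK
        decrypt_field(kek, pk, "webhook_signing_secret", blob)
        out["revoked_rejected"] = False
    except PermissionError:
        out["revoked_rejected"] = True
    out["after_rotation"] = decrypt_field(new_kek, pk_rotated, "webhook_signing_secret", blob)
    return out


if __name__ == "__main__":
    print(demo())
```

The point worth taking from `demo()` is the ordering: re-wrap under the new KEK before the old grant is revoked, because once `unwrap` refuses, the data key (and every ciphertext sealed under it) is unreachable. Nothing in the stored `ProjectKeys` record or the field blobs is decryptable without a live call to the key service.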
Incident response.
Severity-classified, time-bound response. Public status page at status.authio.com with auto-incidents on synthetic-monitoring failure and public retrospectives within five business days of any SEV1 / SEV2.
For incidents materially affecting your project we notify the project-owner email of record within 4 hours (SEV1) or 72 hours for personal-data breaches (mirroring GDPR Art. 33).
The full incident-response policy and runbook live in the compliance repo: incident-response-policy.md, runbook.
Shared responsibility.
When you integrate Authio your application inherits the controls Authio runs, but you remain responsible for the controls your own customers expect from you. The developer-facing breakdown is on the docs / compliance concepts page.
Request our security & compliance summary.
Tell us where you are in your security review. We’ll send you a current one-pager (PDF), and on reply, NDA-permalink access to the policy set, control matrix, sub-processor list, and our latest pen-test/audit posture.
Prefer email? Reach security@authio.com. A real human reads every submission and replies within one business day.