Compliance
GDPR, CCPA, SOC 2, and other certifications
Compliance & Certifications
Overview
OpsCurb is committed to maintaining the highest standards of security, privacy, and compliance. This document outlines our compliance status and certifications.
Current Compliance Status
✅ GDPR (General Data Protection Regulation)
Status: Compliant
Applies to: EU/EEA customers
Effective: May 25, 2018
Our Commitments:
- Data minimization and purpose limitation
- Right to access, rectification, and erasure
- Data portability
- Privacy by design and default
- Data Processing Agreements (DPA) available
- EU representative appointed
- Breach notification within 72 hours of becoming aware of a breach (GDPR Art. 33)
How We Comply:
- Row-Level Security (RLS) for data isolation
- Encryption at rest and in transit
- Regular security audits
- Data retention policies
- User consent management
- Cookie policy
Your Rights:
- Access your data
- Correct inaccurate data
- Delete your data ("right to be forgotten")
- Export your data
- Object to processing
- Withdraw consent
Contact: gdpr@opscurb.com
✅ CCPA (California Consumer Privacy Act)
Status: Compliant
Applies to: California residents
Effective: January 1, 2020
Our Commitments:
- Transparency in data collection
- Right to know what data we collect
- Right to delete personal information
- Right to opt-out of data sale (we don't sell data)
- Non-discrimination for exercising rights
How We Comply:
- Clear privacy policy
- Data inventory and mapping
- Consumer request portal
- Opt-out mechanisms
- Employee training
Your Rights:
- Know what personal information we collect
- Know if we sell or disclose your information
- Opt-out of sale (we don't sell data)
- Delete your personal information
- Non-discrimination
Contact: privacy@opscurb.com
🔄 SOC 2 Type II
Status: In Progress (Expected Q3 2026)
Scope: Security, Availability, Confidentiality
What is SOC 2? SOC 2 is an AICPA attestation framework for service organizations. An independent auditor reports on the organization's controls against the Trust Services Criteria (security, availability, processing integrity, confidentiality, and privacy). A Type I report assesses control design at a point in time; a Type II report also tests that the controls operated effectively over a review period, typically 6 to 12 months, which is why it is the report customers normally ask for.
Our Progress:
- ✅ Gap analysis completed
- ✅ Policies and procedures documented
- ✅ Controls implemented
- 🔄 Audit in progress
- ⏳ Report expected Q3 2026
Trust Service Criteria:
- Security: Protection against unauthorized access
- Availability: System availability for operation and use
- Confidentiality: Protection of confidential information
Infrastructure Partners (each holds a SOC 2 report covering its own service; those reports do not cover OpsCurb's controls, which is what our own audit addresses):
- Supabase (Database)
- Railway.app (API Hosting)
- Vercel (Frontend Hosting)
- AWS (Infrastructure)
✅ PCI DSS (Payment Card Industry Data Security Standard)
Status: Compliant; all cardholder data handling is outsourced to Stripe
Level: Stripe is a PCI DSS Level 1 service provider. A merchant does not inherit its processor's level: merchant level is set by transaction volume, and a merchant whose own systems never receive card data (for example via Stripe Checkout or Elements) still self-assesses against the reduced SAQ A questionnaire rather than the full standard.
How We Comply:
- We use Stripe for all payment processing
- We never store credit card information
- Stripe is PCI DSS Level 1 certified
- All payment data encrypted in transit
What We Store:
- ❌ Never stored: full card numbers (PAN)
- ❌ Never stored: CVV codes
- ❌ Never stored: expiration dates
- ✅ Stored: Stripe customer ID (an opaque reference to the card record held by Stripe, not card data)
- ✅ Stored: last 4 digits (for display only; PCI DSS permits storing the truncated PAN)
📋 ISO 27001
Status: Planned (Expected Q4 2026)
Scope: Information Security Management System (ISMS)
What is ISO 27001? International standard for information security management systems. Demonstrates systematic approach to managing sensitive information.
Our Roadmap:
- Q2 2026: Gap analysis
- Q3 2026: ISMS implementation
- Q4 2026: Certification audit
✅ AWS Well-Architected Framework
Status: Reviewed against all six pillars (the Well-Architected Framework is a review process, not a certification)
Framework: AWS Well-Architected Framework
Six Pillars:
- Operational Excellence ✅
  - Infrastructure as Code (Terraform, CDK)
  - Automated deployments
  - Monitoring and logging
  - Incident response procedures
- Security ✅
  - Encryption at rest and in transit
  - IAM least privilege
  - Network security
  - Data protection
- Reliability ✅
  - Multi-AZ deployments
  - Automated backups
  - Disaster recovery plan
  - Fault tolerance
- Performance Efficiency ✅
  - Serverless architecture
  - Auto-scaling
  - Performance monitoring
  - Right-sized resources
- Cost Optimization ✅
  - Resource tagging
  - Cost monitoring
  - Reserved capacity
  - Efficient architecture
- Sustainability ✅
  - Efficient resource usage
  - Serverless where possible
  - Carbon-aware scheduling
Industry Standards
OWASP Top 10
Status: Addressed (OWASP Top 10:2021; the Top 10 is an awareness list, not a certifiable standard)
We protect against each OWASP Top 10 category:
- ✅ A01 Broken Access Control - RLS, RBAC
- ✅ A02 Cryptographic Failures - TLS 1.3, AES-256
- ✅ A03 Injection - Parameterized queries, input validation
- ✅ A04 Insecure Design - Security by design
- ✅ A05 Security Misconfiguration - Automated security scanning
- ✅ A06 Vulnerable and Outdated Components - Dependency scanning
- ✅ A07 Identification and Authentication Failures - MFA, secure sessions
- ✅ A08 Software and Data Integrity Failures - Code signing, checksums
- ✅ A09 Security Logging and Monitoring Failures - Comprehensive logging
- ✅ A10 Server-Side Request Forgery (SSRF) - Input validation, network controls
CIS AWS Foundations Benchmark
Status: Compliant
We follow CIS AWS security best practices:
- ✅ IAM password policies
- ✅ MFA for privileged users
- ✅ CloudTrail enabled
- ✅ S3 bucket encryption
- ✅ VPC flow logs
- ✅ Security group restrictions
Data Residency
Current Regions
Primary: US-East (Virginia)
Backup: US-West (Oregon)
Available for Enterprise
- 🇪🇺 Europe: EU-West (Ireland), EU-Central (Frankfurt)
- 🇬🇧 UK: EU-West (London)
- 🇦🇺 Australia: AP-Southeast (Sydney)
- 🇨🇦 Canada: CA-Central (Montreal)
Contact: sales@opscurb.com for custom data residency
Third-Party Certifications
Infrastructure Partners
| Partner | Certifications | Purpose |
|---|---|---|
| AWS | SOC 1/2/3, ISO 27001, PCI DSS, HIPAA | Infrastructure |
| Supabase | SOC 2 Type II, ISO 27001 | Database & Auth |
| Railway.app | SOC 2 Type II | API Hosting |
| Vercel | SOC 2 Type II | Frontend Hosting |
| Stripe | PCI DSS Level 1, SOC 2 | Payments |
Security Practices
Encryption
- At Rest: AES-256 encryption
- In Transit: TLS 1.3
- Key Management: AWS KMS with rotation
- Database: Encrypted PostgreSQL (Supabase)
Access Control
- Authentication: Supabase Auth with JWT
- Authorization: Row-Level Security (RLS)
- MFA: TOTP-based (optional for users, required for admins)
- Session Management: Secure, httpOnly cookies
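Both the GDPR "How We Comply" list and the access-control list above name Postgres Row-Level Security as the mechanism that keeps one customer's rows invisible to another. The following SQL is an added illustration of what that looks like on a Supabase-style Postgres; it is not OpsCurb's schema or code. The `organizations`, `memberships` and `projects` tables, the `app_authenticated` role and the `app_user_id()` helper are all assumptions for the example. The helper stands in for Supabase's built-in `auth.uid()`, which reads the same `request.jwt.claims` setting that PostgREST populates from the verified JWT.

```sql
-- Added example of tenant isolation with Postgres Row-Level Security.
-- Schema, helper and role names are assumptions for illustration.

-- Stand-in for Supabase's auth.uid(): PostgREST stores the verified JWT
-- claims in the request.jwt.claims setting for the life of the request.
create or replace function app_user_id() returns uuid
language sql stable as $$
  select nullif(current_setting('request.jwt.claims', true)::json ->> 'sub', '')::uuid
$$;

create table organizations (
  id   uuid primary key default gen_random_uuid(),
  name text not null
);

create table memberships (
  org_id  uuid not null references organizations (id),
  user_id uuid not null,
  role    text not null check (role in ('member', 'admin')),
  primary key (org_id, user_id)
);

create table projects (
  id     uuid primary key default gen_random_uuid(),
  org_id uuid not null references organizations (id),
  name   text not null
);

-- ENABLE turns RLS on; FORCE applies it to the table owner as well.
-- With RLS on and no policy, every row is hidden by default.
alter table memberships enable row level security;
alter table memberships force row level security;
alter table projects enable row level security;
alter table projects force row level security;

-- A user may read only their own membership rows.
create policy memberships_self on memberships
  for select using (user_id = app_user_id());

-- A user may read only projects belonging to organizations they are in.
create policy projects_member_read on projects
  for select using (
    exists (select 1 from memberships m
            where m.org_id = projects.org_id
              and m.user_id = app_user_id())
  );

-- USING filters rows that are read; WITH CHECK rejects rows being written.
-- Only org admins may create projects, and only inside their own org.
create policy projects_admin_insert on projects
  for insert with check (
    exists (select 1 from memberships m
            where m.org_id = projects.org_id
              and m.user_id = app_user_id()
              and m.role = 'admin')
  );

-- Role that application requests run as (Supabase's equivalent is "authenticated").
create role app_authenticated nologin;
grant select on memberships to app_authenticated;
grant select, insert on projects to app_authenticated;

-- Constructed sample data: two tenants, one user in each.
insert into organizations (id, name) values
  ('11111111-1111-1111-1111-111111111111', 'acme'),
  ('22222222-2222-2222-2222-222222222222', 'globex');
insert into memberships (org_id, user_id, role) values
  ('11111111-1111-1111-1111-111111111111', 'aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa', 'admin'),
  ('22222222-2222-2222-2222-222222222222', 'bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb', 'member');
insert into projects (org_id, name) values
  ('11111111-1111-1111-1111-111111111111', 'acme-api'),
  ('22222222-2222-2222-2222-222222222222', 'globex-web');

-- Simulate a request carrying the acme admin's JWT.
begin;
set local role app_authenticated;
set local request.jwt.claims = '{"sub":"aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa","role":"authenticated"}';
select name from projects;           -- returns only 'acme-api'
insert into projects (org_id, name)  -- allowed: this user is an acme admin
  values ('11111111-1111-1111-1111-111111111111', 'acme-worker');
commit;

-- The same user writing into globex is rejected by the WITH CHECK clause:
--   ERROR:  new row violates row-level security policy for table "projects"
begin;
set local role app_authenticated;
set local request.jwt.claims = '{"sub":"aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa","role":"authenticated"}';
insert into projects (org_id, name)
  values ('22222222-2222-2222-2222-222222222222', 'smuggled');
rollback;
```

Run it as a superuser or the table owner in psql. Two details matter in practice: `FORCE ROW LEVEL SECURITY` is needed because Postgres skips RLS for the table owner by default, and the policies only constrain sessions that run as the restricted role. On Supabase the `service_role` key bypasses RLS entirely, so it belongs only in server-side code and must never be shipped to a browser or mobile client.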
Monitoring
- Application: Sentry error tracking
- Infrastructure: CloudWatch monitoring
- Security: AWS GuardDuty, Security Hub
- Logs: Centralized logging with retention
Vulnerability Management
- Dependency Scanning: Automated with Dependabot
- SAST: Static Application Security Testing
- Penetration Testing: Annual third-party testing
- Vulnerability Disclosure: Responsible disclosure program (report to security@opscurb.com)
Audit & Reporting
Internal Audits
- Frequency: Quarterly
- Scope: Security controls, access logs, compliance
- Reports: Available to Enterprise customers
External Audits
- SOC 2: Annual (in progress)
- Penetration Testing: Annual
- ISO 27001: Annual (planned)
Compliance Reports
Available to Enterprise customers:
- SOC 2 Type II report
- Penetration test results
- Security questionnaires
- Custom compliance reports
Request: compliance@opscurb.com
Data Processing Agreements (DPA)
GDPR DPA
Available for EU/EEA customers:
- Standard Contractual Clauses (SCCs)
- Data processing terms
- Sub-processor list
- Security measures
Request: gdpr@opscurb.com
Custom DPAs
Available for Enterprise customers:
- Custom terms
- Additional security requirements
- Specific compliance needs
Contact: legal@opscurb.com
Subprocessors
We use the following subprocessors:
| Subprocessor | Purpose | Location | Certifications |
|---|---|---|---|
| AWS | Infrastructure | US, EU | SOC 2, ISO 27001 |
| Supabase | Database | US, EU | SOC 2, ISO 27001 |
| Railway.app | API Hosting | US | SOC 2 |
| Vercel | Frontend | US, Global | SOC 2 |
| Stripe | Payments | US, Global | PCI DSS, SOC 2 |
| Sentry | Error Tracking | US | SOC 2 |
Updates: We'll notify you 30 days before adding new subprocessors
Compliance Roadmap
2026
- ✅ Q1: GDPR & CCPA compliance
- 🔄 Q2: SOC 2 Type II audit
- 🔄 Q3: SOC 2 Type II report issued
- ⏳ Q4: ISO 27001 certification
2027
- ⏳ Q1: HIPAA compliance (if needed)
- ⏳ Q2: FedRAMP (if needed)
- ⏳ Q3: Additional regional certifications
Questions?
For compliance questions:
- General: compliance@opscurb.com
- GDPR: gdpr@opscurb.com
- Security: security@opscurb.com
- Legal: legal@opscurb.com
Last Updated: 2026-02-24
Version: 1.0