ThorStack

SOC 2 Type II
Audited annually.

Effective Period ending March 31, 2026

We treat compliance as a feature, not a tax. Here's our SOC 2 posture, the controls in scope, and how to get the full report under NDA.

1. Summary

ThorStack maintains a SOC 2 Type II attestation covering the Trust Services Criteria for Security, Availability, and Confidentiality. The audit is performed annually by an independent CPA firm.

Our most recent report covers the 12-month period ending March 31, 2026, and is available under NDA on request.

2. Trust principles in scope

  • Security. How we protect information and systems against unauthorized access, use, or modification.
  • Availability. How we keep the platform operational and accessible per our SLA commitments.
  • Confidentiality. How we protect information designated as confidential against unauthorized disclosure.

3. Control summary

Access control

  • Role-based access (RBAC)
  • MFA mandatory for all internal users
  • Quarterly access reviews
  • SSO/SAML available on Operator+

Encryption

  • TLS 1.2+ for all data in transit
  • AES-256 for data at rest
  • BYOK (customer-managed keys) on Sovereign

Tenancy isolation

  • Dedicated Postgres per customer
  • Dedicated app + API + vector store
  • Isolated object-storage prefix

Network security

  • Segmented VPCs per environment
  • Allow-listed egress
  • DDoS protection at edge
  • Private connectivity options on Sovereign

Vulnerability management

  • Automated SAST + dependency scanning in CI
  • Quarterly external penetration testing
  • Coordinated disclosure / bug bounty

Incident response

  • 24/7 on-call rotation (Sovereign tier)
  • Documented runbooks
  • <72hr breach notification

Change management

  • Code review required on all merges
  • Signed commits
  • Audited deploy pipeline
  • Rollback within minutes

Logging & monitoring

  • Per-tenant audit logs
  • Real-time security event monitoring
  • SIEM export on Sovereign

Personnel

  • Background checks pre-hire
  • Mandatory annual security training
  • Signed confidentiality + acceptable-use

Vendor management

  • Sub-processors vetted before onboarding
  • Annual sub-processor reviews
  • DPAs in place with all sub-processors

4. Request the report

The full SOC 2 Type II report (and our most recent penetration test summary) is available under a mutual NDA. To request:

  • Email security@thorstack.com with the legal name of your organization and the reviewing party.
  • We'll respond within 2 business days with our standard NDA for counter-signature.
  • Once signed, we send the report and supporting documentation via secure share within 24 hours.

5. Other compliance posture

  • GDPR & UK GDPR — compliant by design; SCCs included in our DPA.
  • NDPA (Nigeria) — compliant by design.
  • ISO 27001 — controls aligned; certification in progress (target Q4 2026).
  • HIPAA — BAA available on Operator and Sovereign; technical controls in place.
  • PCI DSS — out of scope; ThorStack does not store cardholder data (we route payments via Stripe Connect).

6. Trust center

For real-time uptime, security advisories, and sub-processor change alerts, see status.thorstack.com.
