Compliance & Certifications

Overview of Torvus Security's compliance posture, certifications, and regulatory adherence.

Compliance Overview

Torvus Security maintains compliance with industry-leading security and privacy standards:

Standard	Status	Audit Frequency	Next Audit
SOC 2 Type II	In Progress	Annual	Q1 2026
ISO 27001	� Planned	Annual	Q2 2026
GDPR	Compliant	Continuous	Ongoing
CCPA	Compliant	Annual	Q4 2025
HIPAA	� Planned	N/A	2026

SOC 2 Type II

What is SOC 2?

Service Organization Control (SOC) 2 is an auditing standard for service providers storing customer data in the cloud.

Trust Service Criteria:

Security: Protection against unauthorized access
Availability: System uptime and reliability
Processing Integrity: Complete, accurate, and authorized processing
Confidentiality: Protection of confidential information
Privacy: Collection, use, retention, and disposal of personal information

Our SOC 2 Compliance

Status: In progress (audit completion Q1 2026)

Scope:

Application infrastructure (Vercel, AWS, Supabase)
Data storage and processing
User authentication and authorization
Encryption and key management
Incident response procedures
Business continuity and disaster recovery

Controls Implemented:

Multi-factor authentication (MFA) required
AES-256 encryption at rest
TLS 1.3 encryption in transit
Role-based access control (RBAC)
Audit logging and monitoring
Annual penetration testing
Employee background checks
Security awareness training
Incident response plan
Disaster recovery procedures

Audit Process:

Phase 1 (Q3 2025): Readiness assessment
Phase 2 (Q4 2025): Control design evaluation
Phase 3 (Q4 2025 - Q1 2026): Control operating effectiveness testing (3-6 months)
Phase 4 (Q1 2026): Final audit report

SOC 2 Report Availability:

Available to customers under NDA
Request via sales@torvussecurity.com
Annual report updates

ISO 27001

What is ISO 27001?

ISO/IEC 27001 is an international standard for information security management systems (ISMS).

Status: Planned for Q2 2026

Benefits:

Systematic risk management
Internationally recognized certification
Continuous improvement framework
Supply chain security requirements
Third-party validated security

Implementation Roadmap:

Q4 2025: Gap analysis and risk assessment
Q1 2026: ISMS documentation and policy development
Q2 2026: Internal audit and management review
Q2 2026: Certification audit by accredited body
Q3 2026: ISO 27001 certification awarded

ISO 27001 Controls (114 total):

A.5: Information security policies
A.6: Organization of information security
A.7: Human resources security
A.8: Asset management
A.9: Access control
A.10: Cryptography
A.11: Physical and environmental security
A.12: Operations security
A.13: Communications security
A.14: System acquisition, development, and maintenance
A.15: Supplier relationships
A.16: Information security incident management
A.17: Business continuity management
A.18: Compliance

General Data Protection Regulation (EU)

Effective Date: May 25, 2018 Torvus Compliance: Fully compliant since launch

Lawfulness, Fairness, Transparency
- Clear privacy policy
- Explicit consent for data processing
- Transparent data usage
Purpose Limitation
- Data collected for specific purposes only
- No repurposing without consent
Data Minimization
- Collect only necessary data
- Minimal retention periods
Accuracy
- Keep data accurate and up-to-date
- Right to rectification
Storage Limitation
- Data retained only as long as necessary
- Automatic deletion after retention period
Integrity and Confidentiality
- AES-256 encryption
- Access controls
- Regular security assessments
Accountability
- Data protection by design and default
- Regular compliance audits
- Documentation of processing activities

Data Subject Rights

Torvus supports all GDPR data subject rights:

Right	Description	How to Exercise	Response Time
Right to Access	Request copy of personal data	Settings � Privacy � Download Data	30 days
Right to Rectification	Correct inaccurate data	Settings � Profile � Edit	Immediate
Right to Erasure	"Right to be forgotten"	Settings � Account � Delete	30 days
Right to Restriction	Limit data processing	Contact privacy@torvussecurity.com	30 days
Right to Portability	Receive data in machine-readable format	Settings � Privacy � Export	30 days
Right to Object	Object to processing	Contact privacy@torvussecurity.com	30 days
Rights Related to Automated Decision-Making	Opt-out of automated processing	Not applicable (no automated decisions)	N/A

Data Processing Agreement (DPA):

Available for all business and enterprise customers
Standard contractual clauses (SCCs) for international transfers
Request via legal@torvussecurity.com

Data Residency:

EU customers can request EU-only data storage
Frankfurt, Germany (AWS eu-central-1)
No cross-border transfers without SCCs

Breach Notification:

Notification within 72 hours of detection
Detailed breach report provided
Assistance with regulatory reporting

Privacy by Design:

Encryption by default
Minimal data collection
Pseudonymization where possible
Regular privacy impact assessments (PIAs)

CCPA Compliance

California Consumer Privacy Act

Effective Date: January 1, 2020 Torvus Compliance: Fully compliant

Consumer Rights

Right	Description	How to Exercise	Response Time
Right to Know	What personal information we collect	Settings � Privacy � Data Report	45 days
Right to Delete	Request deletion of personal information	Settings � Account � Delete	45 days
Right to Opt-Out	Opt-out of sale of personal information	Not applicable (we don't sell data)	N/A
Right to Non-Discrimination	Not discriminated against for exercising rights	Automatic	N/A

CCPA Disclosures

Categories of Personal Information Collected:

Identifiers (name, email, IP address)
Commercial information (subscription data)
Internet activity (usage logs, audit trail)
Professional information (job title for business users)

Purpose of Collection:

Provide Torvus Security services
Customer support
Security and fraud prevention
Legal compliance

Third Parties We Share Data With:

Service providers (AWS, Supabase, Vercel)
Payment processors (Stripe)
Analytics providers (opt-in only)

Data Sale: We do NOT sell personal information

Authorized Agent Requests:

Accepted with proper authorization documentation
Contact privacy@torvussecurity.com

HIPAA Readiness

Health Insurance Portability and Accountability Act

Status: Planned for 2026 (for healthcare customers)

HIPAA Requirements:

Administrative Safeguards: Security management, workforce training
Physical Safeguards: Facility access controls, workstation security
Technical Safeguards: Access control, audit controls, encryption
Policies and Procedures: Privacy policies, breach notification

Business Associate Agreements (BAAs):

Available for healthcare customers upon request
Standard HIPAA BAA template
Contact sales@torvussecurity.com

PHI Security Measures:

AES-256 encryption at rest and in transit
Role-based access control (RBAC)
Audit logging (7-year retention)
Automatic session timeout
Multi-factor authentication (MFA) required
Disaster recovery and backup procedures

HIPAA Breach Notification:

Notification within 60 days of discovery
Notification to affected individuals
Notification to HHS (if affecting 500+ individuals)
Media notification (if affecting 500+ individuals in a state)

Other Standards & Frameworks

PCI DSS

Payment Card Industry Data Security Standard

Status: Compliant via Stripe (Level 1 PCI DSS certified)

How We Handle Payments:

No credit card data stored on Torvus servers
Stripe Elements for tokenized payments
PCI DSS compliance delegated to Stripe
Annual PCI compliance validation

NIST Cybersecurity Framework

Status: Aligned with NIST CSF

NIST CSF Functions:

Identify: Asset management, risk assessment
Protect: Access control, data security
Detect: Security monitoring, anomaly detection
Respond: Incident response planning
Recover: Disaster recovery, business continuity

CSA STAR

Cloud Security Alliance Security, Trust, Assurance, and Risk

Status: Planned for Q3 2026

CSA STAR Levels:

Level 1: Self-assessment (CAIQ)
Level 2: Third-party audit (SOC 2 or ISO 27001 based)
Level 3: Continuous monitoring

Compliance Documentation

Compliance Reports

Available Reports:

SOC 2 Type II Report (Q1 2026)
Penetration Test Reports (Annual)
Vulnerability Scan Reports (Quarterly)
Compliance Attestation Letters
Security Questionnaire Responses (SIG, CAIQ)

How to Request:

Email compliance@torvussecurity.com
Non-Disclosure Agreement (NDA) required
Available to customers and prospects

Compliance Certifications

Certification Badges:

Displayed on website footer
Linked to verification pages
Updated annually

Third-Party Validators:

SOC 2: [Audit firm TBD]
ISO 27001: [Certification body TBD]
Penetration Testing: [Security firm TBD]

Data Protection Officer (DPO)

Torvus DPO:

Name: [To be appointed]
Email: dpo@torvussecurity.com
Responsible for GDPR compliance oversight

DPO Responsibilities:

Monitor GDPR compliance
Advise on data protection obligations
Cooperate with supervisory authorities
Act as contact point for data subjects

Compliance Roadmap

2025

Q3: SOC 2 readiness assessment
Q4: SOC 2 Type I audit initiation
Q4: CCPA compliance verification
� Q4: ISO 27001 gap analysis

2026

� Q1: SOC 2 Type II report completion
� Q2: ISO 27001 certification
� Q3: CSA STAR self-assessment
� Q4: HIPAA BAA program launch

2027

Planned: FedRAMP authorization (government)
Planned: ISO 27017 (cloud security)
Planned: ISO 27018 (PII protection in cloud)

FAQ

Q: Can I see your SOC 2 report? A: SOC 2 Type II report will be available in Q1 2026 under NDA. Contact compliance@torvussecurity.com to request.

Q: Are you GDPR compliant? A: Yes, Torvus is fully GDPR compliant. We support all data subject rights and offer DPAs to business customers.

Q: Do you have a BAA for HIPAA? A: Not yet. HIPAA BAA program is planned for 2026. Contact sales@torvussecurity.com to express interest.

Q: Where is my data stored? A: By default, data is stored in US (AWS us-east-1). EU customers can request EU-only storage (AWS eu-central-1).

Q: Do you sell my data? A: No, we never sell customer data. Our business model is subscription-based, not data monetization.

Q: How do I request data deletion? A: Go to Settings � Account � Delete Account. Data is deleted within 30 days after confirmation.

Security Architecture: Overall security design
Encryption & Data Protection: Encryption methods
Access Control: Authentication and authorization
Security Best Practices: Security recommendations

Last Updated: October 8, 2025

Compliance Overview​

SOC 2 Type II​

What is SOC 2?​

Our SOC 2 Compliance​

ISO 27001​

What is ISO 27001?​

GDPR Compliance​

General Data Protection Regulation (EU)​

GDPR Principles​

Data Subject Rights​

GDPR-Specific Features​

CCPA Compliance​

California Consumer Privacy Act​

Consumer Rights​

CCPA Disclosures​

HIPAA Readiness​

Health Insurance Portability and Accountability Act​

Other Standards & Frameworks​

PCI DSS​

NIST Cybersecurity Framework​

CSA STAR​

Compliance Documentation​

Compliance Reports​

Compliance Certifications​

Data Protection Officer (DPO)​

Compliance Roadmap​

2025​

2026​

2027​

FAQ​

Related Documentation​