🛡️ SOC2 Compliance Ready
SOC2 Compliance
Enterprise-grade security controls and compliance readiness
What is SOC2?
SOC 2 (System and Organization Controls 2, originally Service Organization Control 2) is an attestation framework published by the American Institute of CPAs (AICPA) for service organizations that process or store customer data. An independent CPA firm evaluates the organization's controls against the Trust Services Criteria: security (the common criteria, required in every SOC 2 report) plus availability, processing integrity, confidentiality, and privacy, which are included as the organization's services warrant.
✅ Tablestakes AI SOC2 Compliance Status
Current Status: SOC2 Compliance Ready (controls implemented; no SOC2 audit has been performed yet)
We have implemented security controls that address key SOC2 Trust Services Criteria. They are listed below under the common criteria (CC) control points they most closely map to; the mapping is our own assessment and will be validated with the audit firm during the readiness assessment.
Implemented Security Controls
CC6.1 - Logical Access Controls
- Session Management: 30-minute automatic timeout after inactivity
- Password Security: Argon2 hashing (memory-hard, GPU-resistant)
- Access Control: Email-based authentication with secure registration
- CSRF Protection: Flask-WTF tokens on all state-changing operations
CC6.2 - User Authentication
- Strong Password Hashing: Argon2, the winner of the Password Hashing Competition
- Secure Cookies: session cookies carry the HttpOnly, Secure, and SameSite flags
- Email Validation: address format is validated on signup and login
- Failed Login Tracking: every failed attempt is logged with the email tried, the reason, IP address, and timestamp
CC6.3 - Network Communications
- HTTPS Enforcement: plain-HTTP requests are redirected to HTTPS
- HSTS Headers: Strict-Transport-Security with a one-year max-age (31536000 seconds)
- Security Headers: X-Frame-Options, X-Content-Type-Options, and Content-Security-Policy on every response
- Content Security Policy: a strict CSP that disallows inline scripts, limiting what an injected script can do; it complements, rather than replaces, output encoding in templates
CC7.2 - System Monitoring
- Audit Logging: the security-relevant events listed below are recorded for every request that triggers them
- Logged Events: logins (successful and failed), signups, logouts, AI generations, saves, deletes
- Metadata Captured: user ID, IP address, timestamp, user agent (the exact fields vary by event; see the table below)
- Audit Trail: persistent storage in a dedicated audit_log table
CC9.1 - System Availability
- Automated Backups: daily database backups taken with the SQLite online backup API, which produces a consistent snapshot even while the application is writing
- Backup Retention: 7-day rotation with automatic cleanup of older files
- Recovery Capability: timestamped backups allow restoration to any retained daily snapshot
- Backup Security: backup files are excluded from version control and kept in access-restricted storage
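The backup routine described above can be built entirely on the standard library's SQLite backup API. The following is an added example, not Tablestakes AI's code: it snapshots the database, verifies the copy before trusting it, and then rotates out files older than seven days. The file naming scheme, the directory permissions, and the scheduler (cron or a systemd timer) that calls run_backup() once a day are assumptions.

```python
"""Daily SQLite backup with 7-day rotation (added example, not Tablestakes AI code)."""
import os
import sqlite3
import time
from datetime import datetime, timezone
from pathlib import Path
from typing import List, Optional

RETENTION_DAYS = 7
BACKUP_PREFIX = "app-"          # assumed file naming: app-YYYYmmddTHHMMSSZ.sqlite3
BACKUP_SUFFIX = ".sqlite3"
STAMP_FORMAT = "%Y%m%dT%H%M%SZ"


def create_backup(db_path: str, backup_dir: str, now: Optional[datetime] = None) -> Path:
    """Snapshot a live database with the SQLite online backup API.

    Connection.backup() copies pages under SQLite's own locking, so the copy
    is consistent even while the app is writing; a plain file copy can
    capture a half-written page and miss the WAL.
    """
    now = now or datetime.now(timezone.utc)
    target_dir = Path(backup_dir)
    target_dir.mkdir(mode=0o700, parents=True, exist_ok=True)
    dest = target_dir / f"{BACKUP_PREFIX}{now.strftime(STAMP_FORMAT)}{BACKUP_SUFFIX}"

    src = sqlite3.connect(db_path)
    dst = sqlite3.connect(str(dest))
    try:
        src.backup(dst)             # whole database in one step (pages=-1 is the default)
    finally:
        dst.close()
        src.close()
    os.chmod(dest, 0o600)           # owner-only: the backup holds the same data as the live DB
    return dest


def verify_backup(backup_path: Path) -> bool:
    """A backup that has not been checked is a hope, not a control: run integrity_check."""
    conn = sqlite3.connect(f"file:{backup_path}?mode=ro", uri=True)
    try:
        (result,) = conn.execute("PRAGMA integrity_check").fetchone()
    finally:
        conn.close()
    return result == "ok"


def prune_old_backups(backup_dir: str, now: Optional[float] = None) -> List[Path]:
    """Delete backups older than RETENTION_DAYS, judged by the timestamp in the
    file name (not mtime, which a copy or restore can reset)."""
    now = time.time() if now is None else now
    cutoff = now - RETENTION_DAYS * 86400
    removed = []
    for path in sorted(Path(backup_dir).glob(f"{BACKUP_PREFIX}*{BACKUP_SUFFIX}")):
        stamp = path.name[len(BACKUP_PREFIX):-len(BACKUP_SUFFIX)]
        try:
            taken = datetime.strptime(stamp, STAMP_FORMAT).replace(tzinfo=timezone.utc)
        except ValueError:
            continue                # not one of ours: never delete unknown files
        if taken.timestamp() < cutoff:
            path.unlink()
            removed.append(path)
    return removed


def run_backup(db_path: str, backup_dir: str) -> Path:
    """Daily job: snapshot, verify, then rotate. Rotation runs only after a good
    backup, so a failing backup never shrinks the retention window to zero."""
    dest = create_backup(db_path, backup_dir)
    if not verify_backup(dest):
        dest.unlink()
        raise RuntimeError(f"backup {dest} failed integrity check")
    prune_old_backups(backup_dir)
    return dest
```

The order in run_backup() matters: pruning before a successful, verified snapshot can leave you with no usable backup on the day you need one, and verification with PRAGMA integrity_check is the cheapest way to catch a copy that was taken from a corrupted source.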
Additional Security Measures
Data Protection
- User Data Isolation: All queries filtered by user_id
- Input Validation: Email format validation, password length requirements
- Database Security: Parameterized queries preventing SQL injection
- Secure Configuration: Environment-based secrets management
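The two data-protection points that are easiest to get subtly wrong, user_id scoping and parameterized queries, are best seen side by side. The following is an added example and not Tablestakes AI's code: it shows a string-formatted query that lets a caller read another user's rows, beside the parameterized, session-scoped form. The responses table and its columns are assumptions chosen to illustrate the pattern.

```python
"""Parameterized, user-scoped queries (added example, not Tablestakes AI code)."""
import sqlite3
from typing import List


def setup_demo_db() -> sqlite3.Connection:
    """Constructed sample data: two rows for user 1 (alice), one for user 2 (bob)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE responses(id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL, body TEXT)"
    )
    conn.executemany(
        "INSERT INTO responses(user_id, body) VALUES (?, ?)",
        [(1, "alice-1"), (1, "alice-2"), (2, "bob-secret")],
    )
    conn.commit()
    return conn


def get_response_unsafe(conn, user_id, response_id) -> List[str]:
    # VULNERABLE (shown for contrast): the id is spliced into the SQL text, so a
    # request parameter like "1 OR 1=1 --" rewrites the WHERE clause. AND binds
    # tighter than OR, so the user_id filter is silently bypassed.
    sql = f"SELECT body FROM responses WHERE user_id = {user_id} AND id = {response_id}"
    return [row[0] for row in conn.execute(sql)]


def get_response(conn, user_id, response_id) -> List[str]:
    # Safe: placeholders send values separately from the SQL text. user_id must
    # come from the server-side session, never from the request, or the
    # isolation is only as strong as the client's honesty.
    rows = conn.execute(
        "SELECT body FROM responses WHERE user_id = ? AND id = ?",
        (user_id, response_id),
    )
    return [row[0] for row in rows]


def delete_response(conn, user_id, response_id) -> int:
    # The ownership check lives in the WHERE clause itself: a valid id owned by
    # someone else matches zero rows. rowcount tells the caller whether anything
    # was deleted, which is also the condition for emitting a DELETE_RESPONSE
    # audit event.
    cur = conn.execute(
        "DELETE FROM responses WHERE user_id = ? AND id = ?",
        (user_id, response_id),
    )
    conn.commit()
    return cur.rowcount
```

Note that the injected string is harmless against the parameterized query: SQLite receives it as a text value, which never equals an integer id, so the result is simply empty.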
Application Security
- CSRF Protection: all forms and state-changing requests carry a CSRF token
- XSS Mitigation: Content Security Policy that blocks inline scripts
- Clickjacking Protection: X-Frame-Options: DENY header
- Content Sniffing Prevention: X-Content-Type-Options: nosniff
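The transport and header controls listed under CC6.3 and under Application Security above are usually applied in one place, as a wrapper around the whole application. The following is an added example, not Tablestakes AI's code. Because a Flask application is a WSGI callable, it is written as plain WSGI middleware so it runs without Flask installed: it redirects plain-HTTP requests, sends the one-year HSTS policy, X-Frame-Options DENY, nosniff, and a strict CSP, and refuses to reflect an unknown Host header into the redirect. The hostname and the exact CSP allowlist are assumptions.

```python
"""HTTPS redirect plus security headers as WSGI middleware (added example, not Tablestakes AI code)."""
from urllib.parse import quote

# Assumed deployment values; replace with the real hostname(s).
CANONICAL_HOST = "app.example.com"
ALLOWED_HOSTS = {CANONICAL_HOST}
HSTS_MAX_AGE = 31536000   # one year, as the page states

SECURITY_HEADERS = [
    ("Strict-Transport-Security", f"max-age={HSTS_MAX_AGE}; includeSubDomains"),
    ("X-Frame-Options", "DENY"),
    ("X-Content-Type-Options", "nosniff"),
    # No 'unsafe-inline', no wildcard sources; frame-ancestors backs up X-Frame-Options.
    ("Content-Security-Policy",
     "default-src 'self'; script-src 'self'; object-src 'none'; "
     "base-uri 'self'; form-action 'self'; frame-ancestors 'none'"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
]


class SecurityHeadersMiddleware:
    """Redirects plain-HTTP requests and appends security headers to every response."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if not self._is_https(environ):
            return self._redirect(environ, start_response)

        def start_response_with_headers(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}
            for name, value in SECURITY_HEADERS:
                if name.lower() not in present:      # a view may set its own stricter value
                    headers.append((name, value))
            return start_response(status, headers, exc_info)

        return self.app(environ, start_response_with_headers)

    @staticmethod
    def _is_https(environ):
        # wsgi.url_scheme is what this server saw. X-Forwarded-Proto is only
        # trustworthy when a proxy you control terminates TLS and sets it.
        if environ.get("wsgi.url_scheme") == "https":
            return True
        forwarded = environ.get("HTTP_X_FORWARDED_PROTO", "")
        return forwarded.split(",")[0].strip().lower() == "https"

    @staticmethod
    def _redirect(environ, start_response):
        # Never echo an arbitrary Host header into Location: that is an open redirect.
        host = environ.get("HTTP_HOST", "").split(":")[0].lower()
        if host not in ALLOWED_HOSTS:
            host = CANONICAL_HOST
        path = quote(environ.get("PATH_INFO", "") or "/")
        query = environ.get("QUERY_STRING", "")
        location = f"https://{host}{path}" + (f"?{query}" if query else "")
        # 308 preserves the method and body. HSTS is deliberately absent here:
        # browsers ignore it on non-TLS responses.
        start_response("308 Permanent Redirect",
                       [("Location", location), ("Content-Length", "0")])
        return [b""]


def demo_app(environ, start_response):
    """Stand-in for the real application."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<h1>ok</h1>"]


def call(app, environ):
    """Minimal WSGI client for local checks: returns (status, headers dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body
```

In a Flask project the wrapper is applied as app.wsgi_app = SecurityHeadersMiddleware(app.wsgi_app); the response-header part is equivalent to an after_request hook, but doing it in middleware also covers error responses that bypass the view layer.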
Audit Logging Events
Our comprehensive audit system tracks the following events:
| Event Type | Data Captured |
| --- | --- |
| LOGIN_SUCCESS | User ID, IP address, timestamp, user agent |
| LOGIN_FAILED | Email attempted, reason, IP address, timestamp |
| SIGNUP | User ID, email, IP address, timestamp |
| LOGOUT | User ID, IP address, timestamp |
| AI_GENERATION | User ID, task type, industry, timestamp |
| SAVE_RESPONSE | User ID, response ID, timestamp |
| DELETE_RESPONSE | User ID, response ID, timestamp |
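An audit table is only as useful as the questions it can answer, so the CC7.2 monitoring control above and the event table are worth seeing together with a query that uses them. The following is an added example, not Tablestakes AI's code: it creates an audit_log table holding the fields listed in the table, writes events through a single validated function, and runs the failed-login query a brute-force alert would use. The column names, the sample events, and the per-IP threshold are assumptions.

```python
"""Audit log table, writer, and a failed-login detection query (added example, not Tablestakes AI code)."""
import sqlite3
from datetime import datetime, timedelta, timezone

EVENT_TYPES = {"LOGIN_SUCCESS", "LOGIN_FAILED", "SIGNUP", "LOGOUT",
               "AI_GENERATION", "SAVE_RESPONSE", "DELETE_RESPONSE"}

SCHEMA = """
CREATE TABLE IF NOT EXISTS audit_log (
    id          INTEGER PRIMARY KEY,
    ts          TEXT    NOT NULL,          -- ISO-8601, always UTC so rows sort lexically
    event_type  TEXT    NOT NULL,
    user_id     INTEGER,                   -- NULL for LOGIN_FAILED (no user was authenticated)
    email       TEXT,
    ip_address  TEXT    NOT NULL,
    user_agent  TEXT,
    detail      TEXT                       -- reason, task type, response id, etc.
);
CREATE INDEX IF NOT EXISTS audit_log_ip_ts ON audit_log(ip_address, ts);
CREATE INDEX IF NOT EXISTS audit_log_user_ts ON audit_log(user_id, ts);
"""


def open_audit_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def log_event(conn, event_type, ip_address, *, user_id=None, email=None,
              user_agent=None, detail=None, ts=None):
    """Single choke point for writing audit rows; rejects unknown event names."""
    if event_type not in EVENT_TYPES:
        raise ValueError(f"unknown audit event {event_type!r}")
    stamp = (ts or datetime.now(timezone.utc)).isoformat(timespec="seconds")
    # The user agent is attacker-controlled input: cap it so it cannot bloat the table.
    agent = user_agent[:512] if user_agent else None
    conn.execute(
        "INSERT INTO audit_log(ts, event_type, user_id, email, ip_address, user_agent, detail)"
        " VALUES (?, ?, ?, ?, ?, ?, ?)",
        (stamp, event_type, user_id, email, ip_address, agent, detail),
    )
    conn.commit()


def failed_logins_by_ip(conn, since, threshold=5):
    """IPs with at least `threshold` LOGIN_FAILED events since `since` (UTC datetime).
    This is the query a brute-force or credential-stuffing alert would run."""
    rows = conn.execute(
        "SELECT ip_address, COUNT(*) AS n FROM audit_log"
        " WHERE event_type = 'LOGIN_FAILED' AND ts >= ?"
        " GROUP BY ip_address HAVING n >= ? ORDER BY n DESC, ip_address",
        (since.isoformat(timespec="seconds"), threshold),
    )
    return [(ip, n) for ip, n in rows]


def user_history(conn, user_id):
    """Per-user trail, e.g. for an incident timeline or a data-subject request."""
    return conn.execute(
        "SELECT ts, event_type, detail FROM audit_log WHERE user_id = ? ORDER BY ts, id",
        (user_id,),
    ).fetchall()


def load_sample(conn):
    """Constructed sample events: one legitimate user and one IP hammering the login form."""
    base = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
    log_event(conn, "SIGNUP", "203.0.113.7", user_id=42, email="a@example.com", ts=base)
    log_event(conn, "LOGIN_SUCCESS", "203.0.113.7", user_id=42,
              user_agent="Mozilla/5.0", ts=base + timedelta(minutes=1))
    log_event(conn, "AI_GENERATION", "203.0.113.7", user_id=42,
              detail="task=summary industry=retail", ts=base + timedelta(minutes=5))
    log_event(conn, "SAVE_RESPONSE", "203.0.113.7", user_id=42,
              detail="response_id=17", ts=base + timedelta(minutes=6))
    for i in range(6):
        log_event(conn, "LOGIN_FAILED", "198.51.100.9", email="a@example.com",
                  detail="bad password", ts=base + timedelta(minutes=10, seconds=i))
    log_event(conn, "LOGIN_FAILED", "203.0.113.7", email="a@example.com",
              detail="bad password", ts=base + timedelta(minutes=20))
    return base
```

Two design points carry over to a real deployment: timestamps are stored in UTC ISO-8601 so that range queries are plain string comparisons, and the application's database role should have INSERT but not UPDATE or DELETE on audit_log, which is what the "centralized log management" roadmap item below would otherwise be needed to guarantee.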
Roadmap to a Formal SOC2 Report
SOC2 is an attestation, not a certification: the outcome is an independent auditor's report, either Type I (control design at a point in time) or Type II (operating effectiveness over a review period, typically 6 to 12 months). With the foundational controls above in place, obtaining that report requires:
Near-Term Enhancements
- Multi-Factor Authentication (MFA/2FA)
- Role-Based Access Control (RBAC)
- Database encryption at rest
- Centralized log management and monitoring
Organizational Requirements
- Formal incident response plan
- Regular security assessments and penetration testing
- Vendor risk management program
- Security awareness training
- Disaster recovery and business continuity plans
Audit Process
- Selection of SOC2 audit firm
- Readiness assessment
- Implementation of any remaining controls
- Formal SOC2 Type I or Type II audit
Compliance Documentation
For detailed information about our security practices, see the Security Details page.
💼 Enterprise Customers
If you require formal SOC2 audit reports, security questionnaires, or additional compliance documentation, please contact our team through the Support page.