Security, compliance, and subprocessors
One page answers the procurement questionnaire: our current SOC 2 status, the subprocessors we share data with, how we encrypt and retain data, and who to contact for security or legal review.
SOC 2 in progress
GDPR + CCPA compliant
DPA available on request
Compliance Status
Current status of the compliance frameworks we support. The SOC 2 Common Criteria evidence list is tracked in-product via the SOC 2 Control Tracker, a CISO-domain tool we ship ourselves, which means we eat our own dog food on this page.
| Framework | Status | Target | Detail |
|---|---|---|---|
| SOC 2 Type I | In Progress | Q3 2026 | Observation period begins Q2 2026; Type I report expected Q3 2026. |
| SOC 2 Type II | Planned | Q4 2026 / Q1 2027 | Follows Type I. 6-month observation period. |
| GDPR (EU) | Compliant | Ongoing | Data Processing Agreement available. EU subprocessors disclosed. DPIA on request. |
| CCPA (California) | Compliant | Ongoing | Right to access, delete, and opt out of sale honored. No sale of personal data. |
| HIPAA | Not in scope | N/A | BurnRateOS is not a HIPAA Business Associate. Do not store PHI on the platform. |
Platform Security
Encryption in Transit
TLS 1.3 everywhere. No unencrypted endpoints. HSTS enforced on all origins.
Encryption at Rest
All customer data encrypted at rest via Neon's managed PostgreSQL encryption (AES-256).
Authentication
Password auth with bcrypt hashing + JWT (HS256). 2FA (TOTP) supported. SSO on Enterprise.
Audit Logs
Every mutation writes to an immutable audit trail. Super-admin access reviewable.
Multi-Tenant Isolation
Account-scoped row-level queries on every read. No cross-account data leakage.
Backups
Neon automated daily backups with point-in-time recovery (7 days on Pro, 30 days on Enterprise).
Subprocessor Register
Third parties that may process BurnRateOS customer data. We maintain DPAs with each one; GDPR Art. 28 disclosure obligations are met by this page. Changes to this list are announced via email at least 30 days before new subprocessors go into effect.
| Subprocessor | Purpose | Region | DPA |
|---|---|---|---|
| Cloudflare Workers | Application runtime (serverless edge compute) | Global edge | View DPA |
| Neon | PostgreSQL database hosting | US East (default); EU region available | View DPA |
| SendPulse | Transactional email delivery | Global | View DPA |
| OpenRouter (inc. Anthropic, OpenAI models) | AI model inference, routed based on AI Credits model tier | US / Global | View DPA |
| SignalWire | Business Phone (VoIP): voice, SMS, MMS | US | View DPA |
| Stripe | Payment processing (default provider) | Global | View DPA |
Data Handling & Retention
- Data minimization. We collect only data needed to run the product. No resale of customer data. No behavioral ad targeting.
- Account data. Retained while your subscription is active plus the retention window on your plan (90 days Starter, 1 year Pro, unlimited Enterprise). Can be deleted on request.
- Backups. Automated daily; point-in-time recovery up to 7 days (Pro) or 30 days (Enterprise).
- AI prompt data. AI Coach conversations are stored for your account only. Never used to train shared models. OpenRouter subprocessor enforces zero-retention on inference APIs.
- Right to delete. Customer-initiated deletion wipes live data within 30 days; copies held in expiring backups are gone within 90 days.
Last reviewed: 2026-04-14
Frequently Asked Questions
When will BurnRateOS complete SOC 2 certification?
Where is my data stored?
How can I exercise my GDPR data rights?
How do I report a security vulnerability?
Need our security documentation?
Email [email protected] for a vulnerability report, or [email protected] for a DPA, DPIA, or data-subject request. Enterprise security reviews welcome.