SOC2 Readiness Posture

Institutional-grade security and compliance controls.

All Systems Operational

Security Controls

Edge Isolation

All compute runs on the Cloudflare Workers edge network. No centralized server.

Secrets Management

All API keys and tokens stored in Cloudflare Workers secrets. Never in code.

Encryption in Transit

TLS 1.3 enforced on all endpoints. No plaintext communication.

Token Authentication

Enterprise API tokens are SHA-256 hashed. Raw tokens never stored.
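The control above says only hashes of enterprise tokens are kept. The following is an added example of that pattern, not the platform's own code: tokens are issued once, stored as SHA-256 hex digests, looked up by hash, and compared in constant time. It uses node:crypto so it runs stand-alone; in a Cloudflare Worker the same scheme would be built on crypto.getRandomValues and crypto.subtle.digest. The "ent_" prefix, the in-memory store and the org ids are constructed for the example.

```typescript
// Added example: storing enterprise API tokens only as SHA-256 hashes and
// verifying a presented token against that store. Not the platform's own code.
// Uses node:crypto so it runs stand-alone; in a Cloudflare Worker the same
// scheme is built on crypto.getRandomValues and crypto.subtle.digest.
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

interface StoredToken {
  tokenHash: string; // hex SHA-256 of the raw token; the raw token is never kept
  orgId: string;
  revoked: boolean;
}

// Constructed in-memory stand-in for the token table (a KV or D1 row in practice).
const tokenStore = new Map<string, StoredToken>();

function sha256Hex(input: string): string {
  return createHash("sha256").update(input, "utf8").digest("hex");
}

// Issue a token: the raw value is handed to the caller exactly once; only its
// hash is written. A fixed prefix (constructed here as "ent_") makes leaked
// tokens easy to recognise in secret scanners and logs.
function issueToken(orgId: string): string {
  const raw = "ent_" + randomBytes(32).toString("base64url");
  const tokenHash = sha256Hex(raw);
  tokenStore.set(tokenHash, { tokenHash, orgId, revoked: false });
  return raw;
}

// Revocation flips a flag rather than deleting, so the audit trail keeps the row.
function revokeToken(raw: string): boolean {
  const rec = tokenStore.get(sha256Hex(raw));
  if (!rec) return false;
  rec.revoked = true;
  return true;
}

// Verify: hash the presented value, look the hash up (the usual indexed-column
// pattern), then compare the two digests in constant time so application code
// never performs an early-exit comparison on token material.
function verifyToken(presented: string): { ok: boolean; orgId?: string } {
  if (!presented.startsWith("ent_")) return { ok: false };
  const presentedHash = Buffer.from(sha256Hex(presented), "hex");
  const rec = tokenStore.get(presentedHash.toString("hex"));
  if (!rec || rec.revoked) return { ok: false };
  const storedHash = Buffer.from(rec.tokenHash, "hex");
  if (storedHash.length !== presentedHash.length || !timingSafeEqual(storedHash, presentedHash)) {
    return { ok: false };
  }
  return { ok: true, orgId: rec.orgId };
}
```

A plain (unsalted, fast) SHA-256 is adequate here because the token is 256 bits of CSPRNG output, so a stolen hash table cannot be brute-forced; slow, salted hashes such as bcrypt or Argon2 are for low-entropy secrets like passwords. What matters operationally is that a database read, backup or log line only ever contains the digest.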

Rate Limiting

Per-organization rate limiting via KV with configurable thresholds.
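As an added example of per-organization rate limiting on a KV-style store (not the platform's own code), the block below implements a fixed-window counter keyed on org id and window start, with per-tier thresholds. The KVLike interface mirrors the subset of Cloudflare Workers KV needed here (get, and put with expirationTtl); MemoryKV, the tier limits and the org id are constructed stand-ins so the file runs offline. The decision step is kept pure so it can be tested without storage.

```typescript
// Added example: per-organization fixed-window rate limiter over a KV-style
// store. Not the platform's own code. KVLike mirrors the subset of Cloudflare
// Workers KV this needs (get / put with expirationTtl); MemoryKV is a
// constructed in-memory stand-in so the file runs offline.

interface KVLike {
  get(key: string): Promise<string | null>;
  put(key: string, value: string, opts?: { expirationTtl?: number }): Promise<void>;
}

class MemoryKV implements KVLike {
  private data = new Map<string, { value: string; expiresAtSec: number }>();
  constructor(private nowSec: () => number) {}
  async get(key: string): Promise<string | null> {
    const e = this.data.get(key);
    if (!e) return null;
    if (e.expiresAtSec <= this.nowSec()) { this.data.delete(key); return null; }
    return e.value;
  }
  async put(key: string, value: string, opts?: { expirationTtl?: number }): Promise<void> {
    this.data.set(key, { value, expiresAtSec: this.nowSec() + (opts?.expirationTtl ?? 60) });
  }
}

interface RateLimitConfig { limit: number; windowSec: number }

// Constructed thresholds; real values are whatever the platform configures per tier.
const TIER_LIMITS: Record<string, RateLimitConfig> = {
  enterprise: { limit: 5, windowSec: 60 },
  internal: { limit: 2, windowSec: 60 },
};

interface RateDecision {
  allowed: boolean;
  remaining: number;     // requests left in this window after this one
  retryAfterSec: number; // seconds until the window rolls over
  key: string;           // KV key for this org + window
  newCount: number;      // counter value to persist if allowed
}

// Fixed-window bucketing: every request in the same windowSec-wide slot shares one counter key.
function windowKey(orgId: string, cfg: RateLimitConfig, nowSec: number): { key: string; windowStart: number } {
  const windowStart = Math.floor(nowSec / cfg.windowSec) * cfg.windowSec;
  return { key: `rl:${orgId}:${cfg.windowSec}:${windowStart}`, windowStart };
}

// Pure decision step: given the counter already in the store, decide and compute
// the value to write. Separating this from storage makes it unit-testable.
function decide(orgId: string, cfg: RateLimitConfig, nowSec: number, currentCount: number): RateDecision {
  const { key, windowStart } = windowKey(orgId, cfg, nowSec);
  const retryAfterSec = windowStart + cfg.windowSec - nowSec;
  if (currentCount >= cfg.limit) {
    return { allowed: false, remaining: 0, retryAfterSec, key, newCount: currentCount };
  }
  return { allowed: true, remaining: cfg.limit - currentCount - 1, retryAfterSec, key, newCount: currentCount + 1 };
}

// Storage step. Workers KV is eventually consistent, so concurrent requests at
// different edge locations can let a few requests over the limit through;
// treat this as a soft limit and use a strongly consistent store for hard ones.
async function enforce(kv: KVLike, orgId: string, tier: string, nowSec: number): Promise<RateDecision> {
  const cfg = TIER_LIMITS[tier] ?? TIER_LIMITS.internal;
  const { key } = windowKey(orgId, cfg, nowSec);
  const current = Number((await kv.get(key)) ?? "0");
  const d = decide(orgId, cfg, nowSec, current);
  if (d.allowed) {
    // TTL slightly past the window end so the key expires on its own.
    await kv.put(key, String(d.newCount), { expirationTtl: cfg.windowSec + 5 });
  }
  return d;
}

// Stand-alone demo with a controllable clock: 5 allowed, the 6th denied, then a fresh window.
(async () => {
  let clock = 1_700_000_000;
  const kv = new MemoryKV(() => clock);
  for (let i = 0; i < 6; i++) {
    const d = await enforce(kv, "org_constructed", "enterprise", clock);
    console.log(`req ${i + 1}: allowed=${d.allowed} remaining=${d.remaining} retryAfter=${d.retryAfterSec}s`);
  }
  clock += 60;
  console.log("next window allowed:", (await enforce(kv, "org_constructed", "enterprise", clock)).allowed);
})();
```

When a request is denied, return 429 with a Retry-After header set from retryAfterSec; when allowed, the remaining value maps onto the usual X-RateLimit-Remaining response header.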

Strict TypeScript

Full strict mode. No ignored build errors. Type safety enforced.

No Mock Data in Production

Production builds enforce real data only. Mock data forbidden.

Access Controls

RBAC Tiers

Public, Internal, Admin, Enterprise tiers with separate authentication.

Multi-User Roles

Owner, Editor, Viewer roles per tenant. Permission-scoped access.

Admin API Keys

Admin operations require an x-admin-key header, separate from user authentication.

Enterprise Tokens

Per-organization API tokens with independent rate limits and revocation.

Data Handling

Crawler Compliance

robots.txt respected. Rate-limited. Custom User-Agent identified. Opt-out mechanism.

No Raw HTML Storage

Only extracted numerical scores and structural metadata stored.

Consent Tracking

Tenant consent recorded with timestamp: data usage, terms, authority confirmation.

Data Anonymization

Published indices use aggregate data. Individual tenant data never exposed publicly.

Change Management

CI/CD Pipeline

GitHub Actions deploys all 31+ workers. Automated migration and health checks.

Version-Controlled Migrations

Numbered SQL migrations applied sequentially. Full schema history.

Post-Deploy Health Checks

Every worker verified via /health endpoint after deployment.

Ghost Layer Versioning

Every injection versioned, hashed (SHA-256), and reversible.

Instant Rollback

Any Ghost Layer deployment can be rolled back to any previous version.

Audit Trail

Tenant Event Logging

All lifecycle events logged: creation, consent, lock, expiry, cancellation.

Deployment History

Full deployment timeline with version, hash, and timestamp.

Cost Governance

Crawl cost tracked per domain, per tier, with daily budget limits.

Bot Activity Logging

All bot actions logged with confidence scores and decisions.

Incident Response

Slack Alerts

Volatility spikes, AAI drops, and regime changes trigger Slack notifications.

Discord Alerts

Parallel alerting to Discord for redundancy.

Error Boundaries

Dashboard components wrapped in ErrorBoundary. Graceful degradation.

Rollback Mechanism

Ghost Layer deployments reversible. No permanent state changes without audit.

Last reviewed: February 2026. 411bz Authority Economics Platform.