Trust, security, and compliance
How SOP Studio protects customer data and supports audit-driven teams. Reflects controls live in production today, with a clearly labeled roadmap for what's in progress.
Security posture
Controls below are in production today. Each maps to code or configuration in the running application.
HIPAA-ready deployment
Business Associate Agreement (BAA) click-wrap flow for covered entities, HIPAA Mode with PHI-aware access controls, and restricted AI processing.
SSO / SAML
Domain-level single sign-on via Supabase SAML providers. An email-domain check at login routes users from an enrolled enterprise domain to that organization's IdP instead of the password form.
Rate limiting
Upstash-backed token-bucket rate limiting at the edge for all traffic. A client that exhausts its bucket receives 429 with a Retry-After header stating when the next request will be accepted.
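The decision logic behind that control, as an added example that is not SOP Studio's own code: a stand-alone in-memory token bucket with the same allow/deny contract and the same 429 + Retry-After translation. Production uses Upstash so that all edge instances share one bucket per key; this version exists to make the arithmetic and the header values checkable offline. The `limiterKey` helper and the request timings in `demo` are constructed for illustration.

```typescript
interface Bucket {
  tokens: number;    // fractional tokens currently available
  updatedAt: number; // ms timestamp of the last refill computation
}

interface LimitResult {
  allowed: boolean;
  remaining: number;         // whole tokens left after this decision
  retryAfterSeconds: number; // 0 when allowed; integer seconds when denied
}

class TokenBucketLimiter {
  private buckets = new Map<string, Bucket>();

  // capacity = burst size; refillPerSecond = sustained rate.
  constructor(private readonly capacity: number, private readonly refillPerSecond: number) {}

  // `now` (ms) is injectable so decisions are deterministic in tests.
  check(key: string, now: number = Date.now()): LimitResult {
    const b = this.buckets.get(key) ?? { tokens: this.capacity, updatedAt: now };
    const elapsedSeconds = Math.max(0, now - b.updatedAt) / 1000;
    b.tokens = Math.min(this.capacity, b.tokens + elapsedSeconds * this.refillPerSecond);
    b.updatedAt = now;
    this.buckets.set(key, b);

    if (b.tokens >= 1) {
      b.tokens -= 1;
      return { allowed: true, remaining: Math.floor(b.tokens), retryAfterSeconds: 0 };
    }
    // Seconds until one whole token exists. Retry-After is an integer, so round
    // up: telling a client to retry too early only produces another 429.
    const retryAfterSeconds = Math.ceil((1 - b.tokens) / this.refillPerSecond);
    return { allowed: false, remaining: 0, retryAfterSeconds };
  }
}

// Turn a decision into the status and headers an edge handler would emit.
function toResponse(r: LimitResult): { status: number; headers: Record<string, string> } {
  const headers: Record<string, string> = { "X-RateLimit-Remaining": String(r.remaining) };
  if (r.allowed) return { status: 200, headers };
  headers["Retry-After"] = String(r.retryAfterSeconds);
  return { status: 429, headers };
}

// Constructed keying helper (the production keying is not shown on this page):
// key authenticated traffic by user so a flood from a shared IP cannot starve a
// tenant, and anonymous traffic by client IP.
function limiterKey(userId: string | null, ip: string): string {
  return userId ? `user:${userId}` : `ip:${ip}`;
}

// Constructed scenario: a burst of 4 requests against a 3-token bucket refilling
// at 1 token/second, a retry after 500 ms (still denied), then one at 1000 ms.
function demo(): LimitResult[] {
  const limiter = new TokenBucketLimiter(3, 1);
  const key = limiterKey(null, "203.0.113.7");
  const t0 = 1_700_000_000_000;
  return [0, 0, 0, 0, 500, 1000].map((offset) => limiter.check(key, t0 + offset));
}
```

The fourth request is denied with Retry-After: 1; the retry at 500 ms finds only half a token and is denied again with the same header; the request at 1000 ms succeeds. Keying and clock source are the two places a real deployment diverges from this sketch: behind a proxy, take the client IP from a header the edge itself sets, not from anything the client can supply.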
Hardened Content Security Policy
Production CSP drops unsafe-eval, locks default-src to same-origin, and restricts script/style sources to the application and vetted integration hosts.
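A way to check a policy for the settings that hardening removes, as an added example that is not SOP Studio's own code: a small CSP parser plus a linter that reports 'unsafe-eval', an unmitigated 'unsafe-inline', and wildcard or scheme-only sources on the directives that govern script and style loading. The two sample headers are constructed; the integration host names in them are placeholders, not the application's actual allow-list.

```typescript
type Policy = Map<string, string[]>;

// Parse "directive value value; directive value" into a directive -> sources map.
function parseCsp(header: string): Policy {
  const policy: Policy = new Map();
  for (const clause of header.split(";")) {
    const tokens = clause.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [rawName, ...values] = tokens;
    const name = rawName.toLowerCase();
    // CSP ignores a repeated directive; the first occurrence wins.
    if (!policy.has(name)) policy.set(name, values);
  }
  return policy;
}

// The source list that actually governs a fetch directive: its own, else default-src.
function effectiveSources(policy: Policy, directive: string): string[] | undefined {
  return policy.get(directive) ?? policy.get("default-src");
}

function lintCsp(header: string): string[] {
  const findings: string[] = [];
  const policy = parseCsp(header);

  if (!policy.has("default-src")) {
    findings.push("default-src missing: any fetch directive not set explicitly is unrestricted");
  }
  for (const directive of ["default-src", "script-src", "style-src"]) {
    const sources = effectiveSources(policy, directive);
    if (!sources) continue;
    const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/i.test(s));
    for (const source of sources) {
      const v = source.toLowerCase();
      if (v === "'unsafe-eval'") findings.push(`${directive} allows 'unsafe-eval'`);
      // Browsers ignore 'unsafe-inline' once a nonce or hash is present in the same
      // directive, so it is only a finding when nothing overrides it.
      if (v === "'unsafe-inline'" && !hasNonceOrHash) {
        findings.push(`${directive} allows 'unsafe-inline' with no nonce or hash`);
      }
      if (v === "*" || v === "http:" || v === "https:") {
        findings.push(`${directive} allows any ${v === "*" ? "" : v + " "}origin`);
      }
    }
  }
  return findings;
}

// Constructed "before": a permissive development policy.
const WEAK_CSP =
  "default-src *; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:; style-src 'self' 'unsafe-inline'";

// Constructed "after": same-origin default, nonce-gated scripts, no eval, and
// placeholder integration hosts standing in for the vetted ones.
const HARDENED_CSP =
  "default-src 'self'; script-src 'self' 'nonce-d2VsbCBkb25l' https://js.stripe.com; " +
  "style-src 'self' https://fonts.googleapis.com; connect-src 'self' https://*.supabase.co; " +
  "object-src 'none'; frame-ancestors 'none'; base-uri 'self'";
```

Running `lintCsp(WEAK_CSP)` yields five findings (the wildcard default, three on script-src, one on style-src); `lintCsp(HARDENED_CSP)` yields none. A nonce only helps if it is fresh per response and never reused across users; a static nonce in a cached page is equivalent to 'unsafe-inline'.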
Constant-time comparisons
Invite tokens and similar secrets are compared with timing-safe equality, so the time a failed check takes does not reveal how many leading bytes of a guess were correct (a timing oracle during onboarding).
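The vulnerable comparison beside the hardened one, as an added example that is not SOP Studio's own code. It also shows the caveat that bites most first attempts: Node's `timingSafeEqual` throws on unequal lengths, and a guarding length check leaks the secret's length, so both sides are hashed to a fixed size first. The invite-token helpers (`issueInviteToken`, `hashToken`, `verifyInviteToken`) are constructed to show the store-only-the-hash pattern end to end and are not the application's actual implementation.

```typescript
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

// Vulnerable: `===` stops at the first mismatching character, so response time
// grows with the number of leading bytes a guess gets right.
function compareNaive(provided: string, expected: string): boolean {
  return provided === expected;
}

// Hardened. timingSafeEqual needs equal-length inputs and throws otherwise, and
// an early `length !==` check leaks the token length too. Hashing both sides
// first gives fixed-length buffers and keeps every call on one code path.
function compareTokens(provided: string, expected: string): boolean {
  const a = createHash("sha256").update(provided, "utf8").digest();
  const b = createHash("sha256").update(expected, "utf8").digest();
  return timingSafeEqual(a, b);
}

// Constructed invite-token pattern: persist only the SHA-256 of the token. The
// raw token appears once, in the invite email, so a database read cannot
// replay outstanding invites.
function hashToken(token: string): string {
  return createHash("sha256").update(token, "utf8").digest("hex");
}

function issueInviteToken(): { token: string; storedHash: string } {
  const token = randomBytes(32).toString("base64url"); // 256 bits of entropy
  return { token, storedHash: hashToken(token) };
}

// Verify a presented token against the stored hash. The presented side is always
// a 32-byte digest, so the only way the lengths differ is a corrupt stored value,
// which is a server-side condition and not attacker-observable information.
function verifyInviteToken(presented: string, storedHash: string): boolean {
  const a = createHash("sha256").update(presented, "utf8").digest();
  const b = Buffer.from(storedHash, "hex");
  return a.length === b.length && timingSafeEqual(a, b);
}
```

Looking the invite row up by `storedHash` rather than by the raw token keeps the comparison on the digest path as well; a lookup keyed on the raw value would reintroduce a string comparison inside the database.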
Audit logging
HIPAA-scoped action log captures org-context changes, PHI-adjacent reads, exports, and BAA signature events for downstream review.
Error tracking and observability
Sentry captures server and client exceptions with PII scrubbing. Structured logs for security-relevant events.
Encryption in transit and at rest
TLS 1.2+ on every edge request. Supabase Postgres encrypts data at rest; row-level security enforces tenant isolation.
Compliance framework library
SOP Studio ships with seeded control libraries for the frameworks below. Customers can map their SOPs to these controls, track coverage, and export audit-ready evidence. These are the frameworks we support in-product — not certifications held by SOP Studio itself.
| Framework | Vertical | Description |
|---|---|---|
| 21 CFR Part 11 | Life Sciences | FDA requirements for electronic records and electronic signatures. |
| cGMP (21 CFR 210/211) | Life Sciences | FDA Current Good Manufacturing Practice for finished pharmaceuticals. |
| CMMC Level 2 | Federal / DoD | DoD Cybersecurity Maturity Model Certification Level 2 for contractors handling CUI. |
| CMS Conditions of Participation | Healthcare | Federal requirements hospitals must meet to participate in Medicare and Medicaid programs. |
| FDA Food Code | Food & Beverage | FDA model code for retail food establishments adopted by state and local regulators. |
| FSMA Preventive Controls (21 CFR 117) | Food & Beverage | FDA Food Safety Modernization Act — Preventive Controls for Human Food. |
| GDPR | General | General Data Protection Regulation — EU data privacy and protection requirements. |
| GLBA Safeguards Rule | General | FTC Safeguards Rule — information security program requirements for financial institutions. |
| HACCP | Food & Beverage | Hazard Analysis and Critical Control Points — foundational food safety system. |
| HIPAA | Healthcare | Health Insurance Portability and Accountability Act — privacy and security of protected health information. |
| HITRUST CSF e1 | Healthcare | HITRUST CSF Essentials tier — foundational cybersecurity hygiene assessment. |
| HITRUST CSF i1 | Healthcare | HITRUST CSF Implemented tier — moderate-assurance assessment cross-walked to NIST 800-171 and HIPAA. |
| ISO 13485 | Life Sciences | Quality management system for medical devices and related services. |
| ISO 14001 | Manufacturing | Environmental management system standard for systematic environmental responsibility. |
| ISO 22000 | Food & Beverage | International food safety management system standard combining HACCP with ISO management-system structure. |
| ISO 42001 | General | ISO/IEC 42001 — AI management system for responsible AI development and use. |
| ISO 45001 | Manufacturing | Occupational health and safety management system, international standard. |
| ISO 9001 | Manufacturing | Quality management system standard for consistent product and service quality. |
| ISO/IEC 27001 | General | International standard for information security management systems. |
| NIST AI RMF | General | NIST AI Risk Management Framework 1.0 — voluntary framework for trustworthy AI. |
| NIST CSF 2.0 | General | NIST Cybersecurity Framework 2.0 — voluntary, risk-based cybersecurity framework. |
| NIST SP 800-171 | Federal / DoD | Protecting Controlled Unclassified Information in nonfederal systems and organizations. |
| OSHA Safety | Manufacturing | Occupational Safety and Health Administration workplace safety standards and recordkeeping. |
| PCI DSS | Contact Center | Payment Card Industry Data Security Standard for handling cardholder data. |
| SOC 2 | General | AICPA Trust Services Criteria — security, availability, confidentiality, processing integrity, and privacy. |
| SOC 2 / SOX | General | Security and financial controls for SaaS and publicly traded companies. |
| SQF Food Safety | Food & Beverage | Safe Quality Food — GFSI-benchmarked food safety certification. |
| The Joint Commission | Healthcare | Hospital accreditation standards from The Joint Commission. |
Reference documents
Public artifacts auditors and healthcare security reviewers ask for by name.
HIPAA Security Rule (§164.308, §164.310, §164.312) mapped to the specific SOP Studio controls, code paths, and database migrations that implement them.
In progress / roadmap
These items are planned or in progress. They are not complete. Nothing in this section should be treated as a current attestation.
SOC 2 Type II
Controls aligned to AICPA Trust Services Criteria. Observation window and third-party audit in planning.
Annual third-party penetration test
External assessment of the production surface on a yearly cadence.
SCIM 2.0 provisioning
Automated user lifecycle (provisioning and deprovisioning) for enterprise customers using Okta, Microsoft Entra ID (formerly Azure AD), or similar IdPs.
Subprocessors
Third parties that process customer data as part of delivering SOP Studio. All are bound by data processing terms.
| Subprocessor | Purpose |
|---|---|
| Supabase | Managed Postgres, authentication, file storage |
| Vercel | Application hosting, edge network, analytics |
| Stripe | Billing and subscription management |
| Sentry | Application error and performance monitoring |
| Anthropic | AI-assisted SOP drafting via Claude API |
| Resend | Transactional email delivery |
| Upstash | Serverless Redis for rate limiting |
Report a vulnerability
Security researchers: please report suspected vulnerabilities to security@sopstudio.io. We acknowledge reports within two business days. A machine-readable version of this contact is available at /.well-known/security.txt.
Please do not test against production data you do not own, do not exfiltrate customer data, and give us a reasonable window to respond before public disclosure.
Related policies: Privacy Policy · Terms of Service
Talk to security