Security

This article goes through the various security standards that we hold ourselves to as an organization, including SOC 2.

Written by Andrew Liebelt
Updated over a week ago

SOC 2 Compliance

GovOS Studio is SOC 2 Type 1 certified.

Our SOC 2 audit was conducted by A-Lign Cybersecurity and Compliance Firm and found that GovOS Studio meets the applicable Trust Services Principles criteria with no exceptions listed. The audit provides a thorough review of how GovOS Studio's internal controls affect the security, confidentiality and availability of the systems it uses to process users’ data, and the confidentiality of the information processed by these systems.

Protection

Data Encryption

We encrypt data in transit to users using a standard SSL/TLS certificate. This prevents intermediate attackers from intercepting user data. All user data is stored in a SOC 1 Type II, SOC 2 Type I, and ISO 27001 certified Amazon AWS Datacenter. We also encrypt data at rest in both primary databases and all backup data snapshots using industry standard AES-256 encryption. This prevents access to user data by any attacker who might somehow still gain access to Amazon’s highly secured datacenters.

Physical Infrastructure and Security

Our hosting provider Amazon Web Services (AWS) adheres to the strictest data protection certifications. AWS allows us to be fully scalable as your workloads evolve, and features robust security components such as disaster recovery, data storage, and data backup capabilities.

More information regarding our highly reliable AWS infrastructure and its certifications can be found here. Amazon datacenters have extremely robust physical security systems in place to protect your data. You can read the AWS Whitepaper here.

Who has access to your information?

GovOS Studio takes customer data security and privacy seriously. Access to your user data is restricted to the following parties:

1) Your own registered users on your account, corresponding to their assigned customer data and with assigned permissions.

2) GovOS Studio Success Managers, only to the extent necessary and authorized by you, to service your account.

3) GovOS Studio corporate officers, to the extent required by law or to service your account.

4) GovOS Studio Engineers. Only the CTO (and, in emergencies, SREs) has access to customer data, to the minimal extent necessary and required to carry out their employment duties, such as operating, administering, or debugging the product.

5) Third-party contractors, to the extent they produce product components or service your account on our behalf.

GovOS Studio employees and contractors handling customer data are required to complete necessary requirements (i.e. training) in accordance with the policies specified in the company’s Code of Conduct. This document outlines GovOS Studio’s expectation that every employee will conduct business lawfully, ethically, with integrity, and with respect for each other and the company’s users, partners, and competitors. The GovOS Studio Code of Conduct is available upon request.

Authentication

We support password-based, SAML, and AD Authentication. Multifactor authentication is not supported out of the box, but is available with implementation. Our API uses a key-based authentication mechanism. All user sessions are timed out automatically, and all authentication data is encrypted. All passwords are hashed and salted using industry-standard bcrypt.

Policies and Procedures

Backing Up Your Data

We host our databases on Amazon RDS (Relational Database Service). The database constantly retains an up-to-date, encrypted copy of your data. Complete snapshots are made daily, and point-in-time restoration of data is generally possible to within 10 minutes.

Data copies are encrypted, and stored in the Amazon US West datacenters. All data is stored in the US. You can learn more about security measures for AWS datacenters here.

We will respond to legal requests in a timely manner, based on the extent, scope, and urgency of each individual request. We will retain information pertaining to a legal hold in a separate database for integrity.

Disaster Recovery Process

The likelihood of a datacenter outage is extremely small. However, in the case of a disaster-related datacenter failure, we maintain backups of our code and databases and can re-deploy GovOS Studio as soon as possible, given the extent of the present incident, and assuming hosting services are restored after the disaster.

Data Corruption/Breach Management

Because of our infrastructure, data corruption is highly unlikely. In the event of data corruption, GovOS Studio will offer remediation as per our

In the unlikely event of a breach we will issue a full lockdown of services while we investigate the source and scope. We will notify our customers within 24 hours via e-mail providing relevant details, and will continue to send regular updates as new information is obtained.

Disposing of Failed Data Storage Devices and End-of-Life Hardware

Amazon AWS manages all hardware. When a storage device has reached the end of its useful life or fails to securely store data, AWS initiates a decommissioning process that ensures customer data are not exposed to unauthorized individuals.

AWS uses the techniques detailed in DoD 5220.22-M (“National Industrial Security Program Operating Manual”) or NIST 800-88 (“Guidelines for Media Sanitization”) to destroy data, as part of the decommissioning process.

High Standard of Performance and Security

SLA Uptime

Our SLA (Service Level Agreement) for uptime is 99.9%. We ensure minimal downtime, amounting to less than nine hours per year, and if we fail to deliver, remediation is available as per our

Privacy

We take the security of your data very seriously. Learn more about how GovOS Studio protects your data.

SOC2

GovOS Studio is SOC 2 Type 1 compliant. Our SOC 2 audit was conducted by A-Lign Cybersecurity and Compliance Firm and found that GovOS Studio meets the applicable Trust Services Principles criteria with no exceptions listed. The audit provides a thorough review of how GovOS Studio's internal controls affect the security, confidentiality and availability of the systems it uses to process users’ data, and the confidentiality of the information processed by these systems.

INTERESTED IN LEARNING MORE?

Contact us for additional information regarding how we safeguard your data.

HAVE A CONCERN? SOMETHING TO REPORT?

At GovOS Studio, we hold our employees, partners and vendors to the highest standards of conduct and we welcome any reports of abuse or misuse of the platform, unethical behavior and security incidents of any type. To file a confidential report, please email your concern to: ethics@seamlessdocs.com
