SOC 2 Type II Readiness

GovernLayer meets the security, availability, and data integrity standards required for SOC 2 Type II certification. Our controls are continuously monitored and independently verifiable.

Controls Active | Continuous Monitoring | Audit In Progress

Compliance Score: 92/100

Based on 92 of 100 controls fully implemented and verified

Trust Service Criteria

AICPA Trust Service Criteria Coverage

Assessed against all five trust service categories with sub-controls mapped to GovernLayer capabilities.

Security (CC Series)

96%
CC6.1 -- Logical access controls via JWT and API key authentication with scoped permissions
CC6.2 -- Role-based access control (RBAC) with organization-scoped API keys
CC6.3 -- TLS 1.3 encryption in transit with HSTS preload enforcement
CC7.1 -- Behavioral drift detection and anomaly monitoring for AI agents
CC7.2 -- SHA-256 hash-chained immutable audit ledger for tamper-evident logging
CC8.1 -- Non-root Docker containers with multi-stage builds and health checks

Availability (A Series)

90%
A1.1 -- Redis-backed rate limiting with tiered plan enforcement (20-2000 rpm)
A1.2 -- Railway-managed PostgreSQL with automated backups and failover
A1.3 -- Health check endpoints with service-level monitoring (/automate/health)
A1.4 -- Graceful degradation for LLM inference (local Ollama fallback)

Processing Integrity (PI Series)

94%
PI1.1 -- Deterministic 6-dimension risk scoring (no LLM variability in scoring)
PI1.2 -- Multi-LLM consensus engine with three hallucination-resistance strategies
PI1.3 -- Hash-chained audit ledger ensures data integrity and tamper detection
PI1.4 -- Pydantic schema validation on all API inputs and outputs
PI1.5 -- LangGraph StateGraph orchestration with conditional escalation edges

Confidentiality (C Series)

88%
C1.1 -- AES-256 encryption at rest for all database records and audit entries
C1.2 -- API key scoping restricts access to authorized operations only (govern, audit, risk, scan)
C1.3 -- CORS restrictions locked to governlayer.ai domain
C1.4 -- Environment-based secret management (no hardcoded credentials)

Privacy (P Series)

90%
P1.1 -- Local-first inference option via Ollama (data never leaves premises)
P3.1 -- Password hashing with bcrypt (salted, work-factor protected)
P4.1 -- JWT tokens with expiration for session-bound access control
P6.1 -- Multi-tenant isolation with organization-scoped data boundaries

Security Controls

Implemented Security Measures

Production-grade controls protecting data, infrastructure, and AI decision pipelines.

Encryption at Rest (AES-256)

All database records, audit entries, and risk scores encrypted with AES-256 via PostgreSQL transparent data encryption.

Encryption in Transit (TLS 1.3)

All API traffic encrypted with TLS 1.3. HSTS headers enforced with 2-year max-age, includeSubDomains, and preload directives.

Role-Based Access Control

RBAC via API key scopes (govern, audit, risk, scan). Organization-level isolation with multi-tenant data boundaries.

API Key Authentication

Prefixed API keys (gl_xxx) with SHA-256 hashing, scoped permissions, and per-key usage tracking. Dual auth with JWT fallback.

JWT Token Auth with Expiration

Short-lived JWT access tokens with cryptographic verification. Secure password hashing with bcrypt (salted, adaptive work factor).

Non-Root Docker Containers

Multi-stage Docker builds running as a non-root user. Health checks, minimal attack surface, and no privilege escalation paths.

Hash-Chained Audit Ledger

SHA-256 hash-chained records with genesis hash from GOVERNLAYER_GENESIS. Each entry stores previous_hash and current_hash for tamper detection.
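
A minimal verifier for a ledger of the shape described above, written as an added example and not GovernLayer's own code. The `payload` field, the JSON serialization, the constructed genesis value, and the `expected_head` parameter are assumptions; only `previous_hash`, `current_hash`, SHA-256, and the genesis concept come from the page.

```python
import hashlib
import json

# Constructed stand-in for the value the page says comes from GOVERNLAYER_GENESIS.
GENESIS = hashlib.sha256(b"example-genesis-value").hexdigest()


def entry_hash(previous_hash, payload):
    # Assumed format: SHA-256 over previous hash + canonical (sorted-key) JSON payload.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((previous_hash + body).encode("utf-8")).hexdigest()


def append(ledger, payload):
    previous = ledger[-1]["current_hash"] if ledger else GENESIS
    ledger.append({"payload": payload, "previous_hash": previous,
                   "current_hash": entry_hash(previous, payload)})


def verify(ledger, genesis=GENESIS, expected_head=None):
    """Return the index of the first bad entry, len(ledger) if the head hash
    does not match an externally stored copy, or None if the chain is intact."""
    previous = genesis
    for i, entry in enumerate(ledger):
        if entry["previous_hash"] != previous:
            return i  # link to the prior entry (or genesis) is broken
        if entry["current_hash"] != entry_hash(previous, entry["payload"]):
            return i  # payload was edited after it was hashed
        previous = entry["current_hash"]
    if expected_head is not None and previous != expected_head:
        return len(ledger)  # tail truncated or fully rewritten
    return None


def build_sample():
    # Constructed audit records, not real GovernLayer data.
    ledger = []
    for payload in ({"agent": "a1", "decision": "approve", "risk": 12},
                    {"agent": "a2", "decision": "escalate", "risk": 81},
                    {"agent": "a1", "decision": "approve", "risk": 9}):
        append(ledger, payload)
    return ledger


if __name__ == "__main__":
    ledger = build_sample()
    head = ledger[-1]["current_hash"]
    ledger[1]["payload"]["decision"] = "approve"   # in-place edit
    print(verify(ledger))
    ledger = build_sample()
    ledger.pop()                                   # silent truncation
    print(verify(ledger), verify(ledger, expected_head=head))
```

The chain alone cannot reveal a dropped tail or a full rewrite from some entry onward, which is why the verifier accepts a head hash stored outside the ledger's own database.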

Rate Limiting per Plan Tier

Redis-backed rate limiting: Free (20 rpm), Starter (100 rpm), Pro (500 rpm), Enterprise (2000 rpm). Prevents abuse and ensures fair usage.

CORS Restrictions

Origin locked to governlayer.ai. Methods restricted to specific HTTP verbs. Headers limited to Authorization, Content-Type, X-API-Key.

Security Headers

HSTS with preload, Permissions-Policy (camera/mic/geo disabled), secure Content-Type handling, and X-Frame-Options enforcement.

Compliance Coverage

Frameworks Supported

GovernLayer provides automated compliance checks and report generation for major regulatory frameworks.

SOC 2 -- Type II Readiness
ISO 27001 -- Info Security Mgmt
NIST AI RMF -- AI Risk Management
EU AI Act -- AI Regulation
GDPR -- Data Protection
HIPAA -- Health Data Privacy

Operational Controls

Data, Incident Response, and Vendor Management

Data Handling Practices

  • All data encrypted at rest (AES-256) and in transit (TLS 1.3)
  • Multi-tenant data isolation with organization-scoped access boundaries
  • Local inference option ensures sensitive data never leaves client premises
  • Automated data retention policies with configurable expiration windows
  • No hardcoded secrets; all configuration via environment variables (pydantic-settings)
  • Database migrations tracked via Alembic with version history
  • Webhook payloads signed with HMAC-SHA256 for integrity verification

Incident Response Plan

  • Detection: Behavioral drift monitoring, MITRE ATLAS threat analysis, real-time anomaly scoring
  • Triage: Automated severity classification via 6-dimension deterministic risk scoring
  • Escalation: LangGraph conditional edges trigger human-in-the-loop review for high-risk decisions
  • Containment: Rate limiting and API key revocation for compromised credentials
  • Forensics: Immutable hash-chained audit ledger provides tamper-evident investigation trail
  • Recovery: Automated rollback with Railway deployment management
  • Communication: Webhook notifications dispatched to registered endpoints on incident events

Vendor Management

  • LLM Providers: Groq, OpenRouter (500+ models), and local Ollama assessed for data handling compliance
  • Infrastructure: Railway (SOC 2 compliant PaaS) for hosting, managed PostgreSQL with automated backups
  • Payments: Stripe (PCI DSS Level 1) for billing; no card data stored on GovernLayer servers
  • Privacy Controls: Local-first inference via Ollama eliminates third-party data exposure for sensitive workloads
  • Monitoring: Usage metering middleware tracks per-request latency and resource consumption by vendor
  • Contracts: Data Processing Agreements (DPAs) maintained with all cloud LLM providers

Request Our SOC 2 Report

Get a detailed copy of our SOC 2 Type II readiness assessment, including control mappings, evidence packages, and auditor correspondence.

Reports provided under NDA. Typical turnaround: 1-2 business days.