A SOC 2 Type 2 report evaluates an organization's controls over a period of time, assessing their operational effectiveness in meeting the trust services criteria for security, availability, processing integrity, confidentiality, and privacy. It provides detailed assurance to stakeholders that the organization's controls are not only well-designed but also consistently applied and maintained.

This risk assessment report identifies threats and vulnerabilities applicable to. System Name. . It also evaluates the likelihood that vulnerability can be exploited, assesses the impact associated with these threats and vulnerabilities, and identifies the overall risk level.

No Security incident has happened as of yet.

Data classification and handling policies establish a framework for categorizing data based on its sensitivity and importance. These policies dictate the appropriate methods for managing, accessing, and protecting data, ensuring compliance with legal and regulatory requirements. They help organizations safeguard sensitive information, prevent unauthorized access, and maintain data integrity throughout its lifecycle.

Data backup and recovery policies outline the procedures for creating copies of data to protect against loss or corruption and detail the steps to restore data in the event of a failure. These policies ensure data availability and continuity of operations by specifying the frequency of backups, storage locations, and recovery processes. They are essential for minimizing downtime and safeguarding critical information.

Data retention policies define the procedures and guidelines for storing and managing data over a specified period. They ensure compliance with legal, regulatory, and business requirements by outlining how long different types of data should be kept and when they should be archived or deleted. These policies help mitigate risks related to data breaches and optimize data management practices.

Legal compliance audits are systematic reviews conducted to ensure an organization adheres to applicable laws, regulations, and standards. These audits assess the effectiveness of compliance programs, identify areas of non-compliance, and recommend corrective actions. They help organizations mitigate legal risks, maintain regulatory adherence, and demonstrate their commitment to lawful and ethical practices.

Compliance with regulatory requirements involves adhering to laws, regulations, and guidelines relevant to an organization's industry. This ensures that the organization operates within legal boundaries and meets standards for data protection, privacy, and operational practices. Maintaining compliance helps avoid legal penalties, builds trust with stakeholders, and promotes ethical business conduct.

Third-party data processing agreements are contracts between an organization and an external service provider that outline the terms for processing personal data. These agreements specify the responsibilities, security measures, and compliance requirements to ensure the protection and proper handling of data. They help mitigate risks, ensure regulatory compliance, and safeguard the privacy and integrity of the data being processed.

A Privacy Breach Response Plan outlines the procedures an organization must follow in the event of a data breach involving personal information. It includes steps for identifying, containing, and assessing the breach, notifying affected individuals and regulatory authorities, and mitigating future risks. This plan ensures a swift and effective response to minimize harm and maintain compliance with legal and regulatory obligations.

Privacy Impact Assessments (PIAs) are systematic evaluations of how projects, systems, or initiatives affect the privacy of individuals. They identify potential privacy risks and recommend measures to mitigate them, ensuring compliance with privacy laws and regulations. PIAs help organizations safeguard personal information, enhance transparency, and maintain public trust.

Privacy policies are statements that outline how an organization collects, uses, stores, and protects personal information. They inform stakeholders about their rights regarding their data and the measures taken to ensure its confidentiality and security. These policies ensure transparency, build trust, and help organizations comply with privacy laws and regulations.

ThriveStack's infrastructure is hosted by AWS.

Additional information on AWS infrastructure security can be found at https://docs.aws.amazon.com/whitepapers/latest/introduction-aws-security/infrastructure-security.html

ThriveStack's internal systems access is restricted by stringent access control measures monitored and updated according to industry best practices on a regular basis. Access to internal systems is adherent to the principles of least privilege and separation of duties, subject to regular review by administrators, documented with clear rationales for provisioning and changes, and revoked according to strict termination policies.

We have a strong internal password policy that includes a requirement for MFA . Passwords are required to meet industry-leading complexity requirements and are stored in a company managed password manager.

ThriveStack maintains a rigorously documented Incident Response Plan that serves as our predefined procedure for handling potential security incidents. This plan is systematically reviewed, tested, and approved by appropriate stakeholders on an annual basis to ensure readiness and effectiveness in responding to security incidents.

Personnel perform security and privacy awareness training on an annual basis. Topics covered include: Passwords, Mobile devices, Social Engineering, Physical security, Phishing etc.

To safeguard our infrastructure, ThriveStack utilizes a combination of traditional firewalls. These tools allow us to monitor and control the flow of network traffic, preventing unauthorized access and ensuring data integrity and security.

MFA is enabled for all the users to increase the security levels. The primary objective of multi-factor authentication is to reduce the risk of account takeovers and provide additional security for users and their accounts. Since over 80% of cyber breaches happen due to weak or stolen passwords, MFA can provide added layers of security necessary to protect users and their data.

Both role based and user based access controls are available for the ThriveStack AI product suite.

To protect the confidentiality and integrity of information stored on all employee endpoints, ThriveStack mandates full-disk encryption. Additionally, we continuously monitor endpoint security signals to promptly identify and investigate any anomalous activity.