Security & Compliance Center
LiteSOC is built with security at its core. From infrastructure to application layer, we implement industry best practices to protect your data.
Security Audit Passed
97% Score
Comprehensive audit completed February 24, 2026
Infrastructure Security
Enterprise-grade cloud infrastructure
SOC 2 Type 1 Ready
Compliance: Our infrastructure and processes are designed to meet SOC 2 Type 1 compliance requirements for security, availability, and confidentiality.
Enterprise Data Centers
Infrastructure: Hosted on AWS and Vercel infrastructure with ISO 27001 certified data centers, geographic redundancy, and a 99.99% uptime SLA.
256-bit AES Encryption
Encryption: All data at rest is encrypted using AES-256. Data in transit is protected with TLS 1.3, the current version of the TLS protocol.
DDoS Protection
Protection: Enterprise-grade DDoS mitigation through Cloudflare and Vercel Edge Network, protecting against volumetric and application-layer attacks.
Data Protection
How we safeguard your sensitive information
- Automatic PII detection and masking (emails, names, IPs)
- API key auto-redaction (whsk_*, x-api-key headers)
- JWT token masking in request/response logs
- Password and secret detection with automatic removal
- Session ID and cookie value redaction
- Database-enforced multi-tenant isolation
- No cross-organization data access possible
- Policies applied at query execution time
- Protection against application-layer bugs
- SHA-256 hashed storage (irreversible)
- Keys shown only once at creation
- Instant key regeneration capability
- Automatic key rotation reminders
Structured Logging with Auto-Redaction
Our logging infrastructure automatically detects and masks sensitive data patterns before they reach any storage system. This includes email addresses, API keys, passwords, JWT tokens, and other PII.
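As an added illustration of the redaction step described above (example code written for this page, not LiteSOC's own implementation), the following Python redactor walks a structured log record before it is written, replaces values under secret-bearing field names, and masks emails, `whsk_` keys, JWTs and IPv4 addresses found inside free text. The key character set, the `[REDACTED]` markers, the IPv4 masking format and the sample event are assumptions.

```python
import re
from typing import Any

# Patterns for the data classes the page lists. Key charset after whsk_ is assumed.
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
API_KEY_RE = re.compile(r"\bwhsk_[A-Za-z0-9]+")
EMAIL_RE = re.compile(r"\b([A-Za-z0-9._%+-]+)@([A-Za-z0-9.-]+\.)([A-Za-z]{2,})\b")
IPV4_RE = re.compile(r"\b(\d{1,3})\.\d{1,3}\.\d{1,3}\.\d{1,3}\b")

# Field names whose entire value is dropped (compared case-insensitively).
SECRET_KEYS = {"password", "secret", "x-api-key", "authorization",
               "cookie", "set-cookie", "session_id"}


def _mask_email(m: re.Match) -> str:
    # Keep first local-part character and the TLD: user@example.com -> u***@***.com
    return f"{m.group(1)[0]}***@***.{m.group(3)}"


def redact_string(s: str) -> str:
    """Mask sensitive patterns embedded in free-form text (order matters: JWT first)."""
    s = JWT_RE.sub("[JWT REDACTED]", s)
    s = API_KEY_RE.sub("whsk_***", s)
    s = EMAIL_RE.sub(_mask_email, s)
    # Caveat: any dotted quad (e.g. a version string) is masked too; keep first octet.
    s = IPV4_RE.sub(r"\1.***.***.***", s)
    return s


def redact(value: Any) -> Any:
    """Return a redacted copy of a log record; nested dicts/lists are handled, input is not mutated."""
    if isinstance(value, str):
        return redact_string(value)
    if isinstance(value, dict):
        return {k: "[REDACTED]" if k.lower() in SECRET_KEYS else redact(v)
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value  # ints, bools, None pass through unchanged


# Constructed sample event (not real data) in the shape of a request log line.
SAMPLE_EVENT = {
    "msg": "login ok for user@example.com from 203.0.113.7",
    "headers": {"x-api-key": "whsk_abc123xyz", "Cookie": "sid=abc"},
    "body": {"password": "hunter2",
             "token": "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.sig_123"},
}
```

Because `redact` runs before the record reaches any sink, fields named in `SECRET_KEYS` never need pattern matching at all, which is the cheaper and more reliable path; the regexes only cover secrets that leak into free text.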
user@example.com → u***@***.com
whsk_abc123xyz → whsk_***
Access Control
Authentication, authorization, and session management
- TOTP authenticator app support (Google, Authy, etc.)
- Secure recovery code generation
- MFA enforcement available for Enterprise
- Rate-limited verification attempts
- Secure HTTP-only session cookies
- Automatic session expiration (configurable)
- View and revoke active sessions
- Device and location tracking
- Sign out from all devices instantly
Full access including billing, user management, and organization deletion
Manage settings, API keys, integrations, and view all security data
Read-only access to dashboards, events, and alerts
Auditability
Complete visibility into all administrative actions
100% Administrative Action Logging
Every administrative action is captured with timestamp, actor, IP address, and detailed change information.
Exportable Audit Logs
Export your complete audit trail in CSV or JSON format for compliance reporting and external analysis.
Tamper-Evident Records
Audit logs are append-only and protected by Row Level Security, ensuring integrity of historical records.
90-Day Retention (Enterprise)
Enterprise plans include 90-day audit log retention with extended retention available upon request.
Vulnerability Management
Proactive security scanning and patching
Automated Dependency Scanning
Continuous automated scanning of all dependencies for known vulnerabilities using GitHub Dependabot and Snyk.
Static Code Analysis
Automated code scanning on every commit to detect security issues, code smells, and potential vulnerabilities.
Responsible Disclosure Program
We welcome security researchers to report vulnerabilities through our responsible disclosure program.
Regular Security Updates
Critical security patches are deployed within 24 hours. Routine dependency updates follow a weekly cadence.
Compliance & Certifications
Industry standards and regulatory compliance
SOC 2 Type 1 Ready
Point-in-time control assessment ready
SOC 2 Type 2 Ready
Operational effectiveness assessment ready
PDPA Ready
Malaysia Personal Data Protection Act 2010
GDPR Ready
EU General Data Protection Regulation
Cyber Security Act 2024
Malaysia Cyber Security Act [Act 854]
Data Residency Options
APAC, EU, or US data storage available
Responsible Disclosure Policy
We take the security of LiteSOC seriously. If you discover a vulnerability, please report it to us privately and give us a reasonable amount of time to address it before any public disclosure. We will not pursue legal action against researchers who follow this policy in good faith.
Report a Vulnerability
How to report
- Email security@litesoc.io
- Include a clear description of the issue and affected component
- Provide step-by-step reproduction steps or a PoC
- Include the version(s) affected if known
- Let us know if you would like public credit or prefer to remain anonymous
Response timelines
- Acknowledgement: within 48 hours
- Initial triage: within 5 business days
- Critical / High: patch within 7–14 days
- Medium / Low: patch within 30–90 days
- We will keep you updated at least once per week until resolved
In scope
- litesoc.io and api.litesoc.io
- Authentication, session management, and access control
- API key handling and multi-tenant data isolation
- Node.js, Python, and PHP SDKs
Out of scope
- Social engineering or phishing attacks
- Denial of service attacks
- Third-party services or infrastructure we do not control
Safe harbor
We consider security research conducted under this policy to be authorised. We will not pursue legal action against researchers who:
- Act in good faith and avoid privacy invasion or data destruction
- Report findings promptly and do not disclose publicly before we patch
- Do not access or modify data belonging to other users
Researchers who are credited may be listed on our acknowledgements page.
Have Security Questions?
We're happy to answer questions about our security practices or provide additional documentation for enterprise customers.
LiteSOC is operated by
Rubiest Development
Unit 17.2, Level 17, Wisma Sunway, 1 Jln Tengku Ampuan Zabedah C9/C,
Seksyen 9, 40100 Shah Alam, Selangor, Malaysia