# LiteSOC — Security & Compliance Center

> Built with security at its core. From infrastructure to application layer, we implement industry best practices to protect your data.

- **Website:** https://litesoc.io/security
- **Security Audit Score:** 97% (February 24, 2026)
- **Responsible Disclosure:** https://litesoc.io/acknowledgements

## Trust Badges

- 256-bit AES Encryption
- Row Level Security (RLS)
- PII Auto-Redaction
- MFA Support
- 100% Audit Logging

## Infrastructure Security

### SOC 2 Type 1 Ready

Our infrastructure and processes are designed to meet SOC 2 Type 1 compliance requirements for security, availability, and confidentiality.

### Enterprise Data Centers

Hosted on AWS and Vercel infrastructure with ISO 27001 certified data centers, geographic redundancy, and 99.99% uptime SLA.

### 256-bit AES Encryption

All data at rest is encrypted with AES-256. Data in transit is protected with TLS 1.3, the current version of the TLS protocol.

### DDoS Protection

Enterprise-grade DDoS mitigation through Cloudflare and Vercel Edge Network, protecting against volumetric and application-layer attacks.

## Data Protection

### Structured Logging with Auto-Redaction

Our server-side logging system automatically detects and masks sensitive data before it reaches any log storage.

- Automatic PII detection and masking (emails, names, IPs)
- API key auto-redaction (whsk_*, x-api-key headers)
- JWT token masking in request/response logs
- Password and secret detection with automatic removal
- Session ID and cookie value redaction
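The following is an added illustration of the redaction categories listed above, written for this page rather than taken from LiteSOC's code. It walks a constructed JSON log record, drops the value of any key known to carry a credential (header names and field names in `SENSITIVE_KEYS` are an assumption), and runs pattern rules over every remaining string: JWTs, `whsk_*` keys, `password=`/`secret=` style assignments, session cookie values, e-mail addresses and IPv4 addresses. E-mail and IP masking keep the domain and the first two octets so the line stays useful for debugging.

```python
"""Structured-log redactor: masks PII, API keys, JWTs, secrets and session
cookies before a record is written (added illustration, not LiteSOC's code)."""
import json
import re

# Patterns run in this order so the specific rules (JWT, whsk_ key) consume
# their match before the generic secret rule sees it.
_JWT = re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b")
_API_KEY = re.compile(r"\bwhsk_\w+\b")                       # prefix from the page
_SECRET_ASSIGN = re.compile(r"(?i)\b(password|passwd|secret|token)\s*[=:]\s*\S+")
_SESSION_COOKIE = re.compile(r"(?i)\b(session_id|sessionid|sid)=([^;\s]+)")
_EMAIL = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Keys whose whole value is dropped regardless of content (matched
# case-insensitively; this set is an assumption, not the page's list).
SENSITIVE_KEYS = {"x-api-key", "authorization", "cookie", "set-cookie",
                  "password", "passwd", "secret", "token", "api_key", "session_id"}


def _mask_email(m):
    local, domain = m.group(0).split("@", 1)
    return f"{local[0]}***@{domain}"          # keep the domain, drop the person


def _mask_ip(m):
    a, b, _, _ = m.group(0).split(".")
    return f"{a}.{b}.x.x"                     # keep the /16 for routing diagnostics


def redact_text(text):
    """Apply every pattern to a free-text field or message."""
    text = _JWT.sub("[REDACTED_JWT]", text)
    text = _API_KEY.sub("whsk_[REDACTED]", text)
    text = _SECRET_ASSIGN.sub(lambda m: f"{m.group(1)}=[REDACTED]", text)
    text = _SESSION_COOKIE.sub(lambda m: f"{m.group(1)}=[REDACTED]", text)
    text = _EMAIL.sub(_mask_email, text)
    text = _IPV4.sub(_mask_ip, text)
    return text


def redact_record(value):
    """Walk a JSON-like record: drop sensitive keys, scrub every string."""
    if isinstance(value, dict):
        return {k: "[REDACTED]" if k.lower() in SENSITIVE_KEYS else redact_record(v)
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact_record(v) for v in value]
    if isinstance(value, str):
        return redact_text(value)
    return value


def log_line(record):
    """What actually reaches storage: the redacted record as one JSON line."""
    return json.dumps(redact_record(record), sort_keys=True)


# Constructed sample record; none of these values are real.
SAMPLE_RECORD = {
    "level": "info",
    "msg": "rotated key whsk_live_abc123XYZ for alice@example.com from 203.0.113.42",
    "headers": {
        "x-api-key": "whsk_live_abc123XYZ",
        "cookie": "session_id=9f3b2c; theme=dark",
        "user-agent": "curl/8.4",
    },
    "body": {
        "password": "hunter2",
        "note": "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.abc_DEF-123",
    },
}

if __name__ == "__main__":
    print(log_line(SAMPLE_RECORD))
```

The key-based rule runs before the pattern rules on purpose: a header such as `cookie` is dropped whole, so the redactor does not depend on a regex recognising every cookie name, and the patterns only have to catch secrets that leak into free text.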

### Row Level Security (RLS)

PostgreSQL Row Level Security enforces tenant isolation at the database layer: each policy filters rows by the tenant of the connected session, so a query that omits its tenant filter still returns, and can still modify, only that tenant's rows.

- Database-enforced multi-tenant isolation
- Policies evaluated at query execution time for every SELECT, INSERT, UPDATE and DELETE
- Cross-organization reads and writes are blocked even when an application-layer bug drops the tenant filter
- Policies bind to the database role running the query: superusers and roles with BYPASSRLS are exempt, and table owners are exempt unless FORCE ROW LEVEL SECURITY is set, so the application must connect as a restricted role

### Secure API Key Storage

API keys are one-way hashed with SHA-256 before storage, so the original keys cannot be recovered from our database. Keys are generated as long random strings, which is what makes a fast, unsalted hash adequate here; the same treatment would be unsafe for user-chosen passwords.

- SHA-256 hashed storage (irreversible)
- Keys shown only once at creation
- Instant key regeneration capability
- Automatic key rotation reminders
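As an added illustration (not LiteSOC's own implementation; the `whsk_<id>_<secret>` layout, the in-memory store and the revocation flag are assumptions), the code below issues a key, persists only its SHA-256 digest, verifies a presented key by looking up the public id and comparing digests in constant time, and rotates a key by revoking the old record and issuing a replacement:

```python
"""API-key issuance, lookup and verification against SHA-256 digests
(added illustration, not LiteSOC's code; the key layout is an assumption)."""
import hashlib
import hmac
import secrets

KEY_PREFIX = "whsk_"          # prefix taken from the page's redaction rule
# Digest compared when the key id is unknown, so a lookup miss costs the
# same as a digest mismatch and does not reveal which ids exist.
DUMMY_HASH = hashlib.sha256(b"no-such-key").hexdigest()


def hash_key(plaintext):
    """One-way digest that is stored. Safe without salt or stretching only
    because the key body is 32 random bytes, not a user-chosen password."""
    return hashlib.sha256(plaintext.encode()).hexdigest()


def issue_key(store, owner):
    """Create whsk_<id>_<secret>; persist owner + digest; return plaintext once."""
    key_id = secrets.token_hex(4)               # 8 hex chars, public lookup handle
    plaintext = f"{KEY_PREFIX}{key_id}_{secrets.token_urlsafe(32)}"
    store[key_id] = {"owner": owner, "hash": hash_key(plaintext), "revoked": False}
    return plaintext


def verify_key(store, presented):
    """Return the owning organisation for a live key, else None."""
    if not presented.startswith(KEY_PREFIX):
        return None
    key_id = presented[len(KEY_PREFIX):].split("_", 1)[0]
    record = store.get(key_id)
    expected = record["hash"] if record else DUMMY_HASH
    # Constant-time comparison; the decision is taken only after comparing.
    matches = hmac.compare_digest(hash_key(presented), expected)
    if record is None or record["revoked"] or not matches:
        return None
    return record["owner"]


def rotate_key(store, key_id, owner):
    """Revoke one key and issue its replacement in a single step."""
    store[key_id]["revoked"] = True
    return issue_key(store, owner)


if __name__ == "__main__":
    db = {}
    key = issue_key(db, "org-acme")
    print("show once:", key)
    print("stored:", db)                       # only the digest, never the key
    print("verify:", verify_key(db, key))
```

The non-secret id embedded in the key is what makes a hashed store practical: without it, every verification would have to hash the presented key and scan all rows, or the key would have to be stored in a reversible form.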

## Access Control

### Multi-Factor Authentication (MFA)

TOTP-based two-factor authentication with authenticator app support and secure recovery codes.

- TOTP authenticator app support (Google Authenticator, Authy, etc.)
- Secure recovery code generation
- MFA enforcement available for Enterprise
- Rate-limited verification attempts
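The example below is added for this page and is not LiteSOC's code; the attempt limit, lockout length and recovery-code format are assumptions. It implements RFC 6238 TOTP over HMAC-SHA1 and a server-side verifier that accepts codes within one 30-second step of the current time, refuses to accept the same time step twice (a replayed code fails even inside the window), locks verification after five failures, and keeps only SHA-256 digests of single-use recovery codes. The `totp` function reproduces the RFC 6238 test vectors for the secret `12345678901234567890`.

```python
"""TOTP verification with replay protection, attempt rate limiting and
single-use recovery codes (added illustration, not LiteSOC's code; the limits
and the recovery-code format are assumptions)."""
import hashlib
import hmac
import secrets
import struct


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1, dynamic truncation, fixed number of digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at, step=30, digits=6):
    """RFC 6238 TOTP: HOTP over the time step that contains Unix time `at`."""
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Server-side MFA state for one enrolled user."""

    def __init__(self, secret, step=30, digits=6, max_failures=5, lockout_seconds=300):
        self.secret, self.step, self.digits = secret, step, digits
        self.max_failures, self.lockout_seconds = max_failures, lockout_seconds
        self.failures = 0
        self.locked_until = 0
        self.last_counter = None       # highest time step already accepted
        self.recovery_hashes = set()   # SHA-256 of unused recovery codes

    def _fail(self, now):
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked_until = now + self.lockout_seconds
            self.failures = 0
        return False

    def verify(self, code, now, window=1):
        """Accept a code for the current step or `window` steps either side."""
        if now < self.locked_until:
            return False
        if len(code) != self.digits or not (code.isascii() and code.isdigit()):
            return self._fail(now)
        current = now // self.step
        for delta in range(-window, window + 1):
            counter = current + delta
            # A step that already produced an accepted code is never reusable.
            if self.last_counter is not None and counter <= self.last_counter:
                continue
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), code):
                self.last_counter = counter
                self.failures = 0
                return True
        return self._fail(now)

    def issue_recovery_codes(self, count=10):
        """Random codes shown once; only their digests are kept."""
        codes = [secrets.token_hex(5) for _ in range(count)]
        self.recovery_hashes = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
        return codes

    def use_recovery_code(self, code, now):
        """Burn one recovery code; shares the failure counter with TOTP."""
        if now < self.locked_until:
            return False
        digest = hashlib.sha256(code.encode()).hexdigest()
        if digest in self.recovery_hashes:
            self.recovery_hashes.discard(digest)
            self.failures = 0
            return True
        return self._fail(now)


if __name__ == "__main__":
    demo_secret = b"12345678901234567890"       # RFC 6238 test secret
    v = TotpVerifier(demo_secret)
    print(totp(demo_secret, 59), v.verify(totp(demo_secret, 59), 59))
```

Sharing one failure counter between TOTP and recovery codes matters: a separate, unlimited recovery path would let an attacker bypass the rate limit the TOTP path enforces.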

### Session Management

- Session cookies set with the Secure and HttpOnly flags
- Automatic session expiration (configurable)
- View and revoke active sessions
- Device and location tracking
- Sign out from all devices instantly

### Role-Based Access Control (RBAC)

| Role | Description |
|---|---|
| Owner | Full access including billing, user management, and organization deletion |
| Admin | Manage settings, API keys, integrations, and view all security data |
| Viewer | Read-only access to dashboards, events, and alerts |

## Audit Trail

- 100% Administrative Action Logging — every action captured with timestamp, actor, IP address, and change details
- Exportable Audit Logs — CSV or JSON format for compliance reporting
- Append-Only, Tenant-Scoped Records — audit rows are written but never updated or deleted by application roles, and Row Level Security limits each tenant's view to its own records
- 90-Day Retention (Enterprise) — extended retention available upon request

## Vulnerability Management

- **Automated Dependency Scanning:** Continuous scanning using GitHub Dependabot and Snyk
- **Static Code Analysis:** Automated scanning on every commit
- **Responsible Disclosure Program:** We welcome security researchers to report vulnerabilities
- **Regular Security Updates:** Critical patches deployed within 24 hours

## Compliance Status

| Standard | Status |
|---|---|
| SOC 2 Type 1 | Ready |
| SOC 2 Type 2 | Ready |
| PDPA (Malaysia) | Ready |
| GDPR (EU) | Ready |
| Cyber Security Act 2024 (Malaysia) | Ready |
| Data Residency Options | Available (APAC, EU, US) |
