
Compliance & Security

SOC 2 readiness, data handling practices, and trust standards

SOC 2 Type II Compliance

BankruptcyOps is pursuing SOC 2 Type II certification to demonstrate our commitment to security, availability, processing integrity, confidentiality, and privacy. Our compliance roadmap includes:

Current Status

SOC 2 Type II Audit in preparation (target: Q3 2026)

Trust Service Criteria

  • CC: Security — Access controls, encryption, threat management
  • A1: Availability — Uptime SLAs, disaster recovery, backups
  • PI1: Processing Integrity — Data accuracy and completeness
  • C1: Confidentiality — Encryption, access restrictions, data classification
  • P: Privacy — Data handling, retention, subject access requests

Data Handling Practices

Data Classification

  • Confidential: Case data, debtor PII, attorney work product — encrypted at rest and in transit
  • Internal: Analytics, usage metrics — restricted to firm admins
  • Public: Marketing pages, help documentation — no restrictions

Encryption Standards

  • In Transit: TLS 1.3 (minimum), enforced via HTTPS only
  • At Rest: AES-256 encryption via Supabase PostgreSQL
  • Sensitive Fields: SSN, date of birth, account numbers — encrypted individually
  • Database Backups: Encrypted and retained per Supabase policy (30-day retention)

Access Controls

  • Row Level Security: Supabase RLS policies enforce firm-level data isolation
  • Multi-Tenant Isolation: Firms only see their own cases and data
  • Admin Access: Founder-only admin dashboard with email verification
  • API Authentication: Bearer token required; rate limited to 10 requests/min per IP
  • Session Management: Secure session tokens with 24-hour expiry

Data Retention

  • Active Cases: Retained until the firm deletes them or closes its account
  • Audit Logs: Retained for 12 months minimum (compliance requirement)
  • Backups: Automatic daily backups, retained for 30 days by Supabase
  • Session Data: Cleared after 24-hour idle timeout
  • Account Deletion: PII anonymized; audit trail retained for compliance

Security Architecture

Infrastructure

  • Platform: Vercel (edge-deployed Next.js, CDN, DDoS protection)
  • Database: Supabase (managed PostgreSQL, automated backups, point-in-time recovery)
  • API: Next.js API routes with input validation and rate limiting
  • Hosting: SOC 2 compliant infrastructure (Vercel / AWS)

Network Security

  • HTTPS Enforcement: All HTTP traffic redirected to HTTPS (TLS 1.3 minimum)
  • CSP Headers: Content Security Policy restricts script and resource sources to mitigate XSS and injection attacks
  • HSTS: HTTP Strict Transport Security enforces HTTPS for 1 year
  • X-Frame-Options: Prevents clickjacking (DENY policy)
  • DDoS Protection: Vercel provides edge-level DDoS mitigation
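The header controls listed above, expressed as a Next.js response-header policy together with a small audit function that checks a header set against that policy. This is an added example, not BankruptcyOps' own configuration; the specific CSP directives and the weak header set are constructed here for illustration.

```javascript
// Added example (not BankruptcyOps' code): Next.js header policy for the
// controls above (HSTS for one year, X-Frame-Options DENY, a CSP) plus an
// audit function. The CSP directive values are assumptions.

const ONE_YEAR_SECONDS = 31536000;

// Header set to return from `headers()` in next.config.js for every route.
const securityHeaders = [
  { key: 'Strict-Transport-Security', value: `max-age=${ONE_YEAR_SECONDS}; includeSubDomains; preload` },
  { key: 'X-Frame-Options', value: 'DENY' },
  { key: 'X-Content-Type-Options', value: 'nosniff' },
  { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
  {
    key: 'Content-Security-Policy',
    value: [
      "default-src 'self'",
      "script-src 'self'",
      "style-src 'self'",
      "img-src 'self' data:",
      "frame-ancestors 'none'",
      "object-src 'none'",
      "base-uri 'self'",
    ].join('; '),
  },
];

// The object next.config.js would export (kept unexported so this file runs stand-alone).
const nextConfig = {
  async headers() {
    return [{ source: '/(.*)', headers: securityHeaders }];
  },
};

// Returns a list of findings; an empty list means the set meets the policy.
// Each check corresponds to one bullet in the Network Security list.
function checkSecurityHeaders(headers) {
  const findings = [];
  const get = (name) => {
    const h = headers.find((x) => x.key.toLowerCase() === name.toLowerCase());
    return h ? h.value : null;
  };

  // HSTS must be present with max-age of at least one year.
  const hsts = get('Strict-Transport-Security');
  const maxAge = hsts ? Number((/max-age=(\d+)/.exec(hsts) || [])[1]) : NaN;
  if (!hsts || !(maxAge >= ONE_YEAR_SECONDS)) {
    findings.push('HSTS missing or max-age shorter than one year');
  }

  // Clickjacking control: DENY, not SAMEORIGIN.
  if (get('X-Frame-Options') !== 'DENY') {
    findings.push('X-Frame-Options is not DENY');
  }

  // CSP must exist and must not allow inline or wildcard script sources.
  const csp = get('Content-Security-Policy');
  if (!csp) {
    findings.push('Content-Security-Policy missing');
  } else {
    const directives = Object.fromEntries(
      csp.split(';').map((d) => d.trim()).filter(Boolean).map((d) => {
        const [name, ...vals] = d.split(/\s+/);
        return [name, vals];
      }),
    );
    const scriptSrc = directives['script-src'] || directives['default-src'] || [];
    if (scriptSrc.includes("'unsafe-inline'") || scriptSrc.includes('*')) {
      findings.push('CSP allows inline or wildcard scripts');
    }
  }
  return findings;
}

// A weak header set, constructed here to show what the audit catches:
// one-day HSTS, SAMEORIGIN framing, and inline scripts permitted by the CSP.
const weakHeaders = [
  { key: 'Strict-Transport-Security', value: 'max-age=86400' },
  { key: 'X-Frame-Options', value: 'SAMEORIGIN' },
  { key: 'Content-Security-Policy', value: "default-src 'self'; script-src 'self' 'unsafe-inline'" },
];
```

Running `checkSecurityHeaders` against `securityHeaders` yields no findings, while `weakHeaders` produces three; the same function can be pointed at the headers actually returned by a deployed route to confirm the policy is applied in production rather than only in configuration.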

Application Security

  • Input Sanitization: All user inputs sanitized via dedicated library (text, email, SSN, currency)
  • SQL Injection Protection: Parameterized queries via Supabase SDK
  • CSRF Protection: Token-based form validation
  • Rate Limiting: 10 requests/min per IP for AI/API routes
  • API Validation: TypeScript strict mode, request/response schema validation
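The "10 requests/min per IP" rule stated under both Access Controls and Application Security, implemented as a sliding-window limiter wrapped around a Next.js API route handler. This is an added example, not BankruptcyOps' own code; the in-memory store is an assumption that fits a single long-lived process, so on a serverless platform such as Vercel the counts would need a shared store (for example Redis) or each instance keeps its own budget.

```javascript
// Added example (not BankruptcyOps' code): sliding-window limiter for the
// "10 requests/min per IP" rule, with a wrapper for a Next.js API route.
// The Map-backed store is an assumption; serverless deployments need a
// shared store for the counts to be meaningful across instances.

const LIMIT = 10;
const WINDOW_MS = 60 * 1000;

class RateLimiter {
  constructor(limit = LIMIT, windowMs = WINDOW_MS) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.hits = new Map(); // key (client IP) -> request timestamps in ms
  }

  // Records a request for `key` at `now` and reports whether it is within budget.
  // `now` is injectable so the window behaviour can be tested deterministically.
  check(key, now = Date.now()) {
    const cutoff = now - this.windowMs;
    const recent = (this.hits.get(key) || []).filter((t) => t > cutoff);
    if (recent.length >= this.limit) {
      this.hits.set(key, recent);
      // Oldest request in the window decides when the next slot opens.
      const retryAfterMs = recent[0] + this.windowMs - now;
      return { allowed: false, remaining: 0, retryAfterSec: Math.ceil(retryAfterMs / 1000) };
    }
    recent.push(now);
    this.hits.set(key, recent);
    return { allowed: true, remaining: this.limit - recent.length, retryAfterSec: 0 };
  }
}

// Client IP from the proxy header; the first entry is the original client.
// Only trust this header when the app is reachable solely through the platform's proxy.
function clientIp(req) {
  const xff = req.headers['x-forwarded-for'];
  if (typeof xff === 'string' && xff.length > 0) return xff.split(',')[0].trim();
  return (req.socket && req.socket.remoteAddress) || 'unknown';
}

// Wraps a Next.js API route handler (pages/api/*) with the limiter and
// emits the standard rate-limit headers on every response.
function withRateLimit(handler, limiter = new RateLimiter()) {
  return async function rateLimited(req, res) {
    const result = limiter.check(clientIp(req));
    res.setHeader('X-RateLimit-Limit', String(limiter.limit));
    res.setHeader('X-RateLimit-Remaining', String(result.remaining));
    if (!result.allowed) {
      res.setHeader('Retry-After', String(result.retryAfterSec));
      res.status(429).json({ error: 'Too many requests' });
      return;
    }
    await handler(req, res);
  };
}
```

The limiter keeps per-IP timestamps and prunes those older than the window on every check, so the eleventh request inside a minute is refused with a 429 and a `Retry-After` computed from the oldest request still in the window; a different IP has its own budget.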

Audit & Monitoring

  • Audit Logging: All user actions logged (login, case create/update, API calls)
  • Error Tracking: Aggregated error logging and alerting
  • Performance Monitoring: Core Web Vitals tracked for availability
  • Admin Dashboard: Real-time security metrics, failed logins, rate limit hits

Certifications & Standards

Privacy Compliance

  • GDPR compliant (data subject rights, DPA with subprocessors)
  • CCPA compliant (user data export, deletion, opt-out)
  • Attorney-Client Privilege protected (work product confidentiality)

Data Protection

  • HIPAA-adjacent controls (though not a covered entity)
  • PCI DSS compliant payment processing (Stripe handles all card data)
  • Encryption at rest and in transit (TLS 1.3, AES-256)

Third-Party Compliance

  • Vercel: SOC 2 Type II certified
  • Supabase: SOC 2 Type II certified, GDPR compliant
  • Stripe: PCI DSS Level 1, SOC 2 certified

Legal Compliance

  • Unauthorized Practice of Law (UPL) disclaimer on all AI output
  • Attorney review required before filing (not automated)
  • Terms of Service specify attorney responsibility

Subprocessors & Third Parties

BankruptcyOps uses the following third-party processors for data handling:

Supabase (Database & Auth)

Data Processing: Stores all case data, firm metadata, and audit logs

Location: US (default), EU (optional)

Certification: SOC 2 Type II, GDPR-compliant

Privacy Policy →

Vercel (Hosting & CDN)

Data Processing: Hosts web application and serves static assets

Location: Distributed (US, EU)

Certification: SOC 2 Type II, GDPR-compliant

Privacy Policy →

Anthropic (AI Analysis)

Data Processing: Processes case data for AI-powered legal analysis

Location: US

Certification: SOC 2 Type II, enterprise privacy controls

Important: Case data is sent to the Claude API for real-time analysis; it is not used for model training

Privacy Policy →

Stripe (Payments)

Data Processing: Processes subscription billing and payment information

Location: US

Certification: PCI DSS Level 1, SOC 2 certified

Important: BankruptcyOps does not store credit card data; Stripe handles all payment processing

Privacy Policy →

Plausible Analytics

Data Processing: Privacy-first analytics (no cookies, GDPR-compliant)

Location: EU

Certification: GDPR-compliant, privacy-first design

Privacy Policy →

Incident Response

BankruptcyOps maintains an incident response plan to address security incidents, data breaches, and service disruptions.

Response Timeline

  • Detection (0-4h): Automated alerts and manual monitoring
  • Assessment (4-12h): Determine severity, scope, affected data
  • Notification (12-72h): Notify affected customers and regulators as required
  • Remediation (ongoing): Contain breach, restore service, apply fixes
  • Post-Incident (1-2 weeks): Root cause analysis, process improvements

Contact for Security Issues

To report a security vulnerability or incident, contact:

security@bankruptcyops.com

We commit to responding to all security reports within 24 hours.

SOC 2 Type II Roadmap

Complete (Q1 2026)

Security architecture, encryption, access controls, audit logging, RLS policies, input sanitization, rate limiting


In Progress (Q2 2026)

Document control procedures, change management process, disaster recovery testing, security training, vendor assessments


Planned (Q3 2026)

SOC 2 Type II audit engagement, 6-month control testing period, independent auditor review, certification completion

Security Questions?

For detailed compliance documentation, security assessments, or audit inquiries, contact our team:

Contact Security Team →