Compliance
We don't claim certifications we don't hold. This page documents the controls in place today, the controls on the roadmap with target dates, and what we provide to your procurement team in lieu of a finished SOC 2 report.
01 · Certifications & frameworks
| Framework | Status | Target |
|---|---|---|
| SOC 2 Type I | roadmap | readiness assessment Q3 2026 |
| SOC 2 Type II | roadmap | observation window starting Q4 2026 |
| ISO 27001 | roadmap | scoped post SOC 2 Type II |
| GDPR (EU 2016/679) | in place | — |
| Argentina Ley 25.326 (Personal Data Protection) | in place | — |
| HIPAA | on engagement | BAA + controls scoped per healthcare engagement |
| PCI DSS | not applicable | we do not store cardholder data |
02 · SOC 2 roadmap
Enterprise customers signed before Type I receive monthly progress updates against the roadmap and have the right to terminate without penalty if a milestone slips by more than two quarters.
03 · GDPR posture
We act as a data processor for customer-uploaded content. Customers are the data controllers and remain responsible for lawful basis. We provide:
A Data Processing Agreement (DPA) as part of every enterprise SOW, with the EU Standard Contractual Clauses (2021) attached where data crosses borders.
04 · Data residency
Managed cloud defaults to us-east-1 (AWS, Virginia). For EU residency requirements, deploy in customer VPC (eu-west-1 / eu-central-1) or on-premise — see /deployment. We do not silently replicate customer data across regions.
Sub-processors used in the managed-cloud path are listed in the DPA and include the cloud provider (AWS / Render) and the LLM provider (Google Gemini). Customers can require a specific LLM region or substitute a self-hosted model in VPC / on-prem deployments.
05 · Audit & retention
| Data class | Default retention | Configurable to |
|---|---|---|
| Audit log (hash-chained) | 7 years | 1–10 years |
| Workflow execution logs | 180 days | 30 days – 3 years |
| Document content (uploaded) | customer-controlled | delete-on-demand |
| RAG embeddings | linked to source documents | auto-purge on source delete |
| System metrics / latency histograms | 90 days aggregated | 1–365 days |
| Backups (managed cloud) | 30 days | up to 7 years |
06 · What we send to procurement
On request, enterprise prospects receive:
Email compliance@sonodadynamics.com to request the procurement pack. Typical turnaround: 2 business days.
07 · Service Level Agreement
The commitments below are the default SLA written into every enterprise SOW. They are measured monthly, exclude scheduled maintenance announced ≥48h in advance, and are backed by service credits — not open-ended liability.
| Commitment | Target | Measurement |
|---|---|---|
| Platform availability (managed cloud) | 99.5% monthly | successful health-check ratio, 1-min interval |
| API p95 latency (read endpoints) | < 300 ms | rolling 30-day p95 from /metrics |
| Critical incident first response | < 4 business hours | from acknowledged ticket |
| Security incident notification | < 72 hours | from confirmed breach, per DPA Art. 33 |
| Webhook delivery success | > 99% | 2xx responses over 30 days, excl. receiver downtime |
Service credits. If monthly availability falls below target, the customer receives a credit against the following month's fee: 10% credit for 99.0–99.5%, 25% for 95.0–99.0%, 50% below 95.0%. Credits are the sole and exclusive remedy for availability shortfalls and cap at 100% of the monthly fee. If the platform misses the availability target for three consecutive months, the customer may terminate without penalty and receive a pro-rated refund of any prepaid term.
Exclusions. Scheduled maintenance (announced ≥48h ahead, capped at 4h/month), force majeure, customer-caused outages (e.g. revoked credentials, exhausted quota), and outages of third-party dependencies the customer explicitly required (a specific LLM region, an on-prem network) are excluded from the availability calculation.
The full SLA with definitions, the maintenance-window schedule, and the credit-claim procedure is delivered as an annex to the SOW. Request it at compliance@sonodadynamics.com.