SOC 2 Compliance

We adhere to the SOC 2 principles of Security, Availability, and Confidentiality, which guide how we manage and protect customer data in line with industry best practices.

SOC 2, developed by the American Institute of Certified Public Accountants (AICPA), is one of the most respected and comprehensive frameworks for evaluating the handling of sensitive customer information. It is based on five trust service principles: security, availability, processing integrity, confidentiality, and privacy.

Our technical architecture, operational safeguards, and internal procedures are designed in alignment with SOC 2 requirements to meet these principles. This includes ongoing efforts to maintain controls that prevent unauthorized access, ensure service reliability, and protect the privacy of your data.

We are continuously evaluating and improving our practices in accordance with SOC 2 expectations. For further inquiries or to request documentation, please contact us at compliance@andonpulse.com.


Network and System Security

Our infrastructure is securely hosted on Amazon Web Services (AWS), a globally trusted cloud provider known for its robust security measures, including physical safeguards, redundancy, and continuous auditing against recognized compliance standards.

All communications between your devices and our services are encrypted using Transport Layer Security (TLS) version 1.3, protecting data in transit against interception. In addition, all stored data is encrypted at rest using AES-256, a widely adopted encryption standard used by governments and enterprises worldwide.

To reduce risk exposure, we apply security patches and updates regularly across all environments. Our security monitoring strategy includes log aggregation, audit trail validation, and anomaly detection systems powered by both automated tools and manual oversight. These systems allow us to identify and respond to suspicious activity in real time.


System Reliability

Resilience and uptime are top priorities for our infrastructure design. We maintain a fault-tolerant system that incorporates redundant components and infrastructure best practices.

A formal disaster recovery and business continuity plan is in place, ensuring services can be quickly restored in the event of a critical failure or emergency. We run regular recovery exercises to validate our procedures and continuously refine them based on evolving scenarios and infrastructure changes.

Operational teams monitor all critical services, system health indicators, and availability metrics. Their focus is to ensure consistent platform performance and to proactively mitigate any disruptions before they affect customers.


Data Protection

Your data is a valuable asset, and we treat it as such by implementing strict controls over access, storage, and usage.

Each customer’s data is stored in a separate database instance, further enhancing data isolation and limiting exposure. All access to customer data is controlled through role-based access policies and governed by the principle of least privilege.

We store only essential metadata, including issue titles, issue fields, historical activity records, pull request identifiers, associated branches, and review event history. Access to this data is limited to employees who require it to perform specific job functions, such as investigating support issues. Access occurs only when necessary and is always logged.

All user activity related to production systems is logged, monitored, and regularly audited. Additionally, all user accounts and permissions are reviewed on a recurring basis to ensure continued compliance with access policies.

Our production systems are configured to maximize security through hardened configurations, routine vulnerability scans, and automated update tools that keep our stack current with the latest defenses.


Data Usage

We handle data responsibly, in accordance with our Privacy Policy, which outlines the scope and legal basis for our data processing practices.

To deliver our services, we collect and process metadata related to your organization’s activities in tools like GitHub and Jira. This includes data such as issue and pull request information, but does not include your source code. While we may request access to repository metadata for functionality, we never store source code.

All data is physically hosted in secure AWS data centers located in the United States. Any personal metadata, such as usernames and email addresses, may be shared with authorized subprocessors to support service functionality. These subprocessors are contractually bound by GDPR-compliant agreements, and a full list is available upon request.

If you wish to delete your data permanently, you may contact our customer support team at any time, and we will ensure full and secure removal of your records.


Application Security

Security is deeply embedded in the way we develop software.

Our development teams use modern programming languages, libraries, and frameworks known for their secure-by-design philosophy. Common security-related HTTP headers are enforced throughout our web applications to mitigate attacks such as clickjacking, cross-site scripting (XSS), and content injection.

Our CI/CD pipelines include static code analysis tools that automatically scan each commit and pull request for security vulnerabilities. We also stay current with third-party dependencies by applying updates weekly. All changes are reviewed and tested by qualified engineers before being deployed to production.

We perform regular threat modeling and security reviews to proactively identify potential risks at the architectural and implementation levels.


Logging and Monitoring

We operate comprehensive observability systems to detect anomalies, track system behavior, and respond swiftly to incidents.

Our production infrastructure is instrumented with detailed logging mechanisms that capture system events, user activity, access logs, and error traces. These logs feed into centralized monitoring tools, where they are analyzed for irregular behavior.

Anomaly alerts are automatically triggered and escalated to our incident response team, which is trained to triage and resolve issues with precision and speed. Post-incident reviews are conducted to prevent recurrence and strengthen our infrastructure.


Development Workflow

Our development processes are built to ensure product quality, operational stability, and security.

All development work is conducted in isolated, non-production environments. We never use customer data in development or staging environments.

Code is managed through a version-controlled system (GitHub), with a strict policy requiring all changes to be peer-reviewed before being merged. Our CI/CD pipeline enforces automated testing, code linting, and deployment controls to prevent unauthorized or untested changes from reaching production.

Engineers are encouraged to follow security best practices throughout the software development lifecycle, from planning to maintenance.


Employees

People are central to our security posture, and we invest in hiring, training, and retaining personnel who uphold our standards.

All employees receive security onboarding and annual refresher training covering topics such as password hygiene, phishing prevention, device security, and safe development practices. Engineers specifically undergo additional training in secure coding and vulnerability mitigation.

Security practices enforced across the company include laptop disk encryption, two-factor authentication for all work tools, mandatory use of password managers, and a strict policy against storing any customer data on local devices.

Employee access is granted based on roles and is revoked promptly during offboarding procedures. Security awareness is embedded in our company culture and considered a key performance metric.
