SaaS Factory docs, Features. Updated March 11, 2026.
Trust Center
SaaS Factory exposes a public Security & Trust Center at /trust. It is a static, unauthenticated page designed to support enterprise procurement, security reviews, and compliance due diligence.
What's on the page
SOC 2 Control Status
All five SOC 2 trust services categories are listed with per-control operational status:
| Category | Controls |
|---|---|
| Common Criteria | CC1 – CC9 (Control Environment through Risk Mitigation) |
| Availability | A1.1 – A1.3 |
| Confidentiality | C1.1 – C1.2 |
| Processing Integrity | PI1.1 – PI1.2 |
| Privacy | P1.0, P3.0, P4.0, P5.0, P6.0, P8.0 |
Security Controls
Twelve security controls are documented on the page:
| Control | Summary |
|---|---|
| Encryption at Rest | AES-256-GCM on sensitive fields; Neon Postgres volumes encrypted at storage layer |
| Encryption in Transit | TLS 1.3 enforced; HSTS with 1-year max-age |
| Access Control & RBAC | Role-based access on every API endpoint; Postgres RLS prevents cross-tenant leaks |
| Immutable Audit Log | Append-only log with actor, timestamp, and resource ID; 2-year retention |
| Vulnerability Management | Automated dependency scanning on every PR; CVE SLA: 24 h critical, 72 h high |
| Vendor Security Review | All sub-processors have DPAs; third-party access reviewed quarterly |
| Data Isolation | Multi-tenant RLS; Enterprise customers get a dedicated database namespace |
| Backups & Recovery | Daily snapshots, 30-day retention; PITR to any second in the last 24 h |
| Security Incident Response | IR plan with <1 h detection, <4 h containment; GDPR Art. 33 notification within 72 h |
| Infrastructure Hardening | Vercel WAF, DDoS mitigation, rate limiting; Neon in isolated VPC |
| Uptime & SLA | 99.9% uptime SLA for Enterprise; real-time status at status.saasfactory.ai |
| Penetration Testing | Annual third-party pentest; reports available to Enterprise customers under NDA |
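Of the controls above, the HSTS claim ("HSTS with 1-year max-age") is the one a reviewer can verify from outside with a single request to /trust. The TypeScript below is an added example, not code from the SaaS Factory repository: it parses a Strict-Transport-Security header value per RFC 6797 and checks it against a one-year max-age. The sample header values are constructed for the example, not captured from saasfactory.ai.

```typescript
// Added example: validate a Strict-Transport-Security (HSTS) header value
// against a one-year max-age. Not SaaS Factory code; sample inputs are constructed.

const ONE_YEAR_SECONDS = 31_536_000; // 365 days, the value the control claims

interface HstsResult {
  present: boolean;
  maxAge: number | null;
  includeSubDomains: boolean;
  preload: boolean;
  problems: string[];
}

// Parse an HSTS header value per RFC 6797 section 6.1: directives are
// separated by ';', names are case-insensitive, values may be quoted-strings,
// and no directive may appear more than once (a UA ignores the whole header if so).
function parseHsts(value: string | null | undefined): HstsResult {
  const result: HstsResult = {
    present: false, maxAge: null, includeSubDomains: false, preload: false, problems: [],
  };
  if (value == null || value.trim() === '') {
    result.problems.push('Strict-Transport-Security header missing');
    return result;
  }
  result.present = true;
  const seen = new Set<string>();
  for (const raw of value.split(';')) {
    const directive = raw.trim();
    if (directive === '') continue;
    const eq = directive.indexOf('=');
    const name = (eq === -1 ? directive : directive.slice(0, eq)).trim().toLowerCase();
    let val: string | null = eq === -1 ? null : directive.slice(eq + 1).trim();
    if (val !== null && val.length >= 2 && val.startsWith('"') && val.endsWith('"')) {
      val = val.slice(1, -1); // quoted-string form is allowed by the RFC
    }
    if (seen.has(name)) {
      result.problems.push(`duplicate directive "${name}"; UAs ignore the header`);
      continue;
    }
    seen.add(name);
    if (name === 'max-age') {
      if (val === null || !/^\d+$/.test(val)) {
        result.problems.push('max-age is not a non-negative integer');
      } else {
        result.maxAge = Number(val);
      }
    } else if (name === 'includesubdomains') {
      result.includeSubDomains = true;
    } else if (name === 'preload') {
      result.preload = true;
    }
    // Unknown directives are ignored, as RFC 6797 instructs user agents to do.
  }
  if (result.maxAge === null) {
    result.problems.push('max-age directive missing; UAs ignore the header');
  } else if (result.maxAge === 0) {
    result.problems.push('max-age=0 removes any cached HSTS policy');
  } else if (result.maxAge < ONE_YEAR_SECONDS) {
    result.problems.push(`max-age ${result.maxAge} is below one year (${ONE_YEAR_SECONDS})`);
  }
  return result;
}

// True when the header satisfies the documented control: a valid header with
// max-age of at least one year. includeSubDomains and preload are reported but
// not required, because the control text does not claim them.
function meetsOneYearHsts(value: string | null | undefined): boolean {
  const r = parseHsts(value);
  return r.maxAge !== null && r.maxAge >= ONE_YEAR_SECONDS && r.problems.length === 0;
}

// Constructed sample header values (not real responses from saasfactory.ai).
const SAMPLE_HEADERS: Record<string, string | null> = {
  compliant: 'max-age=31536000; includeSubDomains; preload',
  quotedMixedCase: 'Max-Age="31536000"; IncludeSubDomains',
  tooShort: 'max-age=86400',
  missing: null,
  duplicated: 'max-age=31536000; max-age=0',
};

// Audit every sample and return the names of those that fail the control.
function failingSamples(): string[] {
  return Object.keys(SAMPLE_HEADERS).filter((k) => !meetsOneYearHsts(SAMPLE_HEADERS[k]));
}
```

In practice you would pass `res.headers.get('strict-transport-security')` from a `fetch` of the /trust URL. Note that the header says nothing about the "TLS 1.3 enforced" half of the control; that needs a TLS scan of the endpoint, and HSTS is only honoured by browsers on a connection that already succeeded over TLS.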
Sub-Processor List
All seven sub-processors are listed on the /trust page with purpose, data region, certifications, and DPA status (every sub-processor has a DPA, per the Vendor Security Review control; the DPA column is omitted from the summary below):
| Sub-processor | Purpose | Region | Certifications |
|---|---|---|---|
| Anthropic | AI model inference | USA | SOC 2 Type II |
| Vercel | Application hosting, CDN | Global (USA primary) | SOC 2 Type II, ISO 27001 |
| Neon | Postgres database hosting | USA / EU | SOC 2 Type II |
| Stripe | Payment processing | USA | SOC 2 Type II, PCI DSS Level 1 |
| GitHub | Source control, CI/CD | USA | SOC 2 Type II, ISO 27001 |
| Inngest | Background job orchestration | USA | SOC 2 Type II |
| Resend | Transactional email | USA | SOC 2 Type II |
Compliance Documents
| Document | Availability |
|---|---|
| SOC 2 Type II Report | Enterprise customers / prospects — request via sales (NDA required) |
| Data Processing Agreement (DPA) | Standard DPA based on EU SCCs (GDPR Article 28) — available on request |
| Business Associate Agreement (BAA) | Available for Enterprise customers with HIPAA-adjacent requirements |
| Responsible Disclosure Policy | Publicly available on the /trust page |
Implementation notes
- Route: `src/app/trust/page.tsx`
- Auth: none required; fully public
- Database: no queries; purely static/presentational
- Page title: `Trust Center — SaaS Factory`
- Meta description: set for enterprise procurement SEO
Requesting compliance documents
The SOC 2 Type II report, DPA, and BAA are not available for self-serve download. Contact the sales team from the /trust page to initiate an NDA and receive the relevant documents.