Security & Trust Center
SaaS Factory is built for enterprises that have security review requirements. This page documents our security controls, compliance posture, sub-processor list, and how to access compliance documentation for procurement.
Last updated: June 2025 · Questions? security@saasfactory.ai
Security Controls
Built to pass your security review
Security is not a feature we bolt on. Every product built on SaaS Factory inherits these controls from the platform infrastructure from day one.
Encryption at Rest
AES-256-GCM encryption on all sensitive fields — GitHub tokens, API keys, PII. Neon Postgres volumes are encrypted at the storage layer.
Encryption in Transit
TLS 1.3 enforced on all connections. HSTS with 1-year max-age. Certificate pinning on mobile SDKs.
Access Control & RBAC
Role-based access on every API endpoint. Project-level ownership model. Row-Level Security (RLS) in Postgres prevents cross-tenant data leaks.
Immutable Audit Log
Every state-changing operation is written to an append-only audit log with actor, timestamp, and resource ID. Entries are retained for 2 years to serve as SOC 2 audit evidence.
Vulnerability Management
Automated dependency scanning on every PR. OWASP Top-10 checklist validated by the security agent. CVE triage SLA: 24 h critical, 72 h high.
Vendor Security Review
All sub-processors have DPAs in place. Third-party access is reviewed quarterly. Every sub-processor in the list below (Anthropic, Vercel, Neon, Stripe, GitHub, Inngest, and Resend) holds a SOC 2 Type II report.
Data Isolation
Multi-tenant isolation via Postgres RLS. Enterprise customers get a dedicated database namespace. No co-mingling of production data across tenants.
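The RLS configuration behind the Access Control and Data Isolation controls above, as an added illustrative example rather than SaaS Factory's actual schema. It assumes a table `projects` with a `tenant_id` column, an application role `app_user` that is neither a superuser nor the table owner, and a per-request session setting `app.tenant_id`; all of these names are assumptions. The two checks a reviewer should insist on are `FORCE ROW LEVEL SECURITY` (the owning role bypasses policies otherwise) and a policy that fails closed when no tenant is set.

```sql
-- Added example (not SaaS Factory's schema): Postgres Row-Level Security
-- for multi-tenant isolation. Assumed names: table projects, column
-- tenant_id, role app_user, session setting app.tenant_id.

CREATE TABLE projects (
  id        bigserial PRIMARY KEY,
  tenant_id uuid NOT NULL,
  name      text NOT NULL
);

-- The API connects as app_user, which must NOT be a superuser and must
-- NOT own the table; both bypass RLS unless FORCE is set.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON projects TO app_user;

ALTER TABLE projects ENABLE ROW LEVEL SECURITY;
ALTER TABLE projects FORCE ROW LEVEL SECURITY;   -- applies to the owner too

-- Fail closed: current_setting(name, true) returns NULL (or '' after a RESET)
-- when the tenant was never set; NULLIF + NULL comparison yields no rows
-- rather than every row.
CREATE POLICY tenant_isolation ON projects
  USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
  WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Per request, inside a transaction. SET LOCAL (not SET) so the tenant value
-- dies with the transaction and cannot leak to the next request that reuses
-- the pooled connection.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';

INSERT INTO projects (tenant_id, name)
  VALUES ('11111111-1111-1111-1111-111111111111', 'alpha');   -- accepted

-- Writing a row for a different tenant is rejected by WITH CHECK:
-- INSERT INTO projects (tenant_id, name)
--   VALUES ('22222222-2222-2222-2222-222222222222', 'beta');
-- ERROR:  new row violates row-level security policy for table "projects"

-- Reads are filtered by USING: only tenant 1111... rows come back, with no
-- WHERE clause needed in application code.
SELECT id, name FROM projects;
COMMIT;

-- Outside any transaction the setting is gone, so this returns zero rows
-- instead of leaking every tenant's data.
SELECT count(*) FROM projects;

-- Review check: every tenant-scoped table should show both flags as true.
SELECT relname, relrowsecurity, relforcerowsecurity
FROM pg_class
WHERE relname = 'projects';
```

The last query is the one to run during a security review: a table with `relrowsecurity` true but `relforcerowsecurity` false is still fully readable by whichever role ran the migrations, which in many deployments is the same role the application connects as.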
Backups & Recovery
Automated daily snapshots with 30-day retention. Point-in-time restore to any second in the last 24 hours. Tested recovery quarterly.
Security Incident Response
Documented IR plan with <1 h detection and <4 h containment targets. Affected customers are notified within 72 h of confirmation. Note that GDPR Article 33 obliges a processor to notify the controller without undue delay (Art. 33(2)); the 72 h window in Art. 33(1) is the controller's deadline to notify its supervisory authority, which is why we commit to notifying customers well inside that period.
Infrastructure Hardening
Vercel edge network with WAF, DDoS mitigation, and rate limiting. Neon Postgres isolated VPC. No direct internet access to database layer.
Uptime & SLA
99.9% uptime SLA for Enterprise customers. Real-time status at status.saasfactory.ai. Historical incident archive published.
Penetration Testing
Annual third-party penetration test. Internal red-team exercises on every major release. Reports available to Enterprise customers under NDA.
SOC 2 Trust Service Criteria
All five trust categories covered
Our SOC 2 Type II audit covers the full AICPA Trust Service Criteria framework. Below is the current control status across all five categories.
Sub-Processors
Our third-party data processors
All sub-processors hold DPAs with SaaS Factory and have been reviewed for SOC 2 or equivalent certification. We maintain this list and notify customers of changes with 30 days’ notice.
| Processor | Purpose | Region | Certifications | DPA |
|---|---|---|---|---|
| Anthropic | AI model inference (pipeline agent reasoning) | USA | SOC 2 Type II | Yes |
| Vercel | Application hosting, serverless runtime, CDN | Global (USA primary) | SOC 2 Type II, ISO 27001 | Yes |
| Neon | Postgres database hosting | USA / EU | SOC 2 Type II | Yes |
| Stripe | Payment processing, subscription billing | USA | SOC 2 Type II, PCI DSS Level 1 | Yes |
| GitHub | Source control, CI/CD, PR pipeline | USA | SOC 2 Type II, ISO 27001 | Yes |
| Inngest | Background job orchestration, cron scheduling | USA | SOC 2 Type II | Yes |
| Resend | Transactional email delivery | USA | SOC 2 Type II | Yes |
To be notified of sub-processor changes, email security@saasfactory.ai and ask to join our sub-processor change notification list.
Compliance Documents
Documentation for your procurement team
The documents below are typically required during enterprise security reviews. Reach out to get started — we aim to turn around NDA-gated documents within 1 business day.
SOC 2 Type II Report
Full audit report available to Enterprise customers and prospects under NDA. Covers the Common Criteria (Security), Availability, Confidentiality, Processing Integrity, and Privacy trust service categories.
Data Processing Agreement (DPA)
Standard DPA based on the EU Standard Contractual Clauses (SCCs). Covers GDPR Article 28 controller–processor obligations. Pre-signed version available for download.
Business Associate Agreement (BAA)
HIPAA Business Associate Agreement available for Enterprise customers operating in healthcare verticals. Contact our compliance team to execute.
Penetration Test Summary
Annual third-party penetration test executive summary. Covers web application, API, and infrastructure layers. Full report available under NDA.
Security Questionnaire (CAIQ / SIG Lite)
Pre-filled CSA CAIQ and SIG Lite questionnaires for security review programmes. Last updated 2025.
Privacy Policy
GDPR-compliant privacy policy covering data collection, processing, retention, sub-processors, and data subject rights.
Data Residency
Your data stays where regulations require
Choose your database region at project creation. Data at rest (the Postgres database and its backups) never leaves your selected region. Data sent to sub-processors for processing in flight, such as model inference or email delivery, is handled in the regions listed in the Sub-Processors table above.
Additional regions available on Enterprise plans. Contact sales@saasfactory.ai for dedicated infrastructure.
Responsible Disclosure
Security vulnerability reporting
We take security reports seriously. If you discover a vulnerability, please report it responsibly and we will work with you to address it quickly.
Ready to complete your security review?
Our security team is ready to answer questionnaires, provide compliance documentation, and execute DPAs and BAAs for Enterprise procurement. Typical turnaround: 1 business day.