Security & Compliance

Your Data Security Is Our Priority

We implement comprehensive security controls and are actively pursuing industry-leading certifications to ensure your feedback data is protected at every level.

SOC 2 Type II - Pursuing
ISO/IEC 27001:2022 - Pursuing
HIPAA - Pursuing

Compliance Certifications

We are actively pursuing the following certifications. Each requires a formal third-party audit, and we are transparent about our progress toward achieving them.

SOC 2 Type II

Pursuing

A Service Organization Control 2 (SOC 2) Type II audit evaluates the operating effectiveness of our security controls over a defined period, not just at a single point in time. We are actively preparing for our SOC 2 Type II examination.

Audit engagement planned for Q3 2026

Trust Service Criteria / Control Domains

Security — Protection against unauthorized access
Availability — System uptime and operational reliability
Processing Integrity — Accurate and complete data processing
Confidentiality — Protection of confidential information
Privacy — Personal information handling per commitments

ISO/IEC 27001:2022

Pursuing

ISO/IEC 27001:2022 is the international standard for information security management systems (ISMS). We are implementing the Annex A controls and preparing for the certification audit.

ISMS implementation in progress; certification audit targeted for Q4 2026

Trust Service Criteria / Control Domains

Information security policies and organization
Human resource security and awareness training
Asset management and data classification
Access control and cryptography
Physical, environmental, and operational security
Communications and supplier relationship security
Incident management and business continuity
Compliance with legal and contractual requirements

HIPAA

Pursuing

The Health Insurance Portability and Accountability Act sets standards for protecting sensitive patient health information. We are implementing the required administrative, physical, and technical safeguards.

Safeguard implementation in progress; BAA template available upon request

Required Safeguards

Administrative Safeguards — Security management, workforce training, contingency planning
Physical Safeguards — Facility access controls, workstation security, device controls
Technical Safeguards — Access controls, audit controls, integrity controls, transmission security
Breach Notification Rule — Procedures for notifying affected individuals and HHS
Business Associate Agreements (BAA) — Contractual protections for PHI
Minimum Necessary Standard — Limiting PHI access to what is required

Security Controls

These are the security measures currently implemented in the Beacon Analytics platform. Each control is verified and operational.

Authentication & Access Control

OAuth 2.0 / OpenID Connect - Implemented

Secure authentication via Manus OAuth with session management

Single Sign-On (SSO) - Implemented

SAML 2.0 and OIDC federation with Azure AD, Okta, Google Workspace, and custom providers

Role-Based Access Control (RBAC) - Implemented

Granular permissions with admin, member, and custom roles per workspace

API Key Authentication - Implemented

Scoped API keys with configurable permissions, rate limits, and revocation

Multi-Factor Authentication (2FA/MFA) - Implemented

TOTP-based second factor with backup codes, QR code setup, and configurable password rotation policies

IP Address Allowlisting - Implemented

Workspace-level IP restrictions with CIDR range support, admin bypass, and separate enforcement for dashboard and API access

Self-Service Password Reset - Implemented

Secure email-based password reset with time-limited tokens, branded emails via SendGrid, and automatic token expiration
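The IP allowlisting control described above (CIDR ranges, an admin bypass, and separate enforcement for dashboard and API access) can be illustrated with a small policy check. This is an added example and not Beacon Analytics' own code; the `IpAllowlist` class, the `check_access` function, the choice that the admin bypass applies only to the dashboard (so administrators cannot lock themselves out of the console while API access stays strictly restricted), and the sample addresses are all assumptions made for illustration.

```python
"""Workspace IP allowlisting: CIDR rules, admin bypass, separate dashboard/API
enforcement. Added example; not the platform's code."""
import ipaddress
from dataclasses import dataclass, field
from typing import Iterable, List, Tuple


@dataclass
class IpAllowlist:
    """Per-workspace allowlist (hypothetical shape).
    An empty rule list for a surface means that surface is unrestricted."""
    dashboard: List = field(default_factory=list)   # parsed ip_network objects
    api: List = field(default_factory=list)
    admin_bypass: bool = True   # assumption: admins may reach the dashboard from any IP


def parse_cidrs(cidrs: Iterable[str]) -> List:
    """Parse CIDR strings (IPv4 or IPv6). A bare address becomes a /32 or /128.
    Malformed input raises ValueError so a bad rule is rejected when the admin
    saves it, rather than being silently ignored at request time."""
    return [ipaddress.ip_network(c.strip(), strict=False) for c in cidrs]


def _normalize(addr: str):
    """Parse the client address. IPv4-mapped IPv6 (::ffff:a.b.c.d) is unwrapped
    so that an IPv4 rule still applies when the listener is dual-stack."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip


def check_access(allowlist: IpAllowlist, client_ip: str, surface: str,
                 is_admin: bool = False) -> Tuple[bool, str]:
    """Decide whether client_ip may use the given surface ('dashboard' or 'api').
    Returns (allowed, reason); the reason is meant for the audit log.
    client_ip must be the address established by a trusted proxy/load balancer,
    never a raw, client-controlled X-Forwarded-For value."""
    if surface not in ("dashboard", "api"):
        return False, "unknown surface"
    try:
        ip = _normalize(client_ip)
    except ValueError:
        return False, "unparseable client address"   # fail closed

    rules = allowlist.dashboard if surface == "dashboard" else allowlist.api
    if not rules:
        return True, "no restriction configured"
    for net in rules:
        if ip.version == net.version and ip in net:
            return True, f"matched {net}"
    # Bypass is evaluated only after the rules fail, and only for the dashboard,
    # so API keys held by admins are still bound to the allowlist.
    if surface == "dashboard" and is_admin and allowlist.admin_bypass:
        return True, "admin bypass"
    return False, "address not in allowlist"


# Constructed sample workspace configuration (documentation ranges, not real hosts).
SAMPLE_WORKSPACE = IpAllowlist(
    dashboard=parse_cidrs(["203.0.113.0/24"]),
    api=parse_cidrs(["198.51.100.7", "2001:db8::/32"]),
)

if __name__ == "__main__":
    for ip, surface, admin in [("203.0.113.9", "dashboard", False),
                               ("203.0.113.9", "api", False),
                               ("192.0.2.1", "dashboard", True),
                               ("192.0.2.1", "api", True),
                               ("::ffff:203.0.113.9", "dashboard", False),
                               ("not-an-ip", "dashboard", False)]:
        allowed, reason = check_access(SAMPLE_WORKSPACE, ip, surface, admin)
        print(f"{ip:>20} {surface:<9} admin={admin!s:<5} -> {allowed} ({reason})")
```

Every decision returns a reason string so that denials and bypasses can be written to the audit log with the user, timestamp, and source address, which is what makes an allowlist reviewable rather than just enforced.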

Data Encryption

Encryption in Transit (TLS/SSL) - Implemented

All data transmitted between clients and servers uses TLS 1.2 or newer

Encryption at Rest - Implemented

Sensitive data encrypted using industry-standard algorithms; passwords hashed with bcrypt at a cost factor of 12 or higher

Secure Credential Storage - Implemented

Integration credentials and API keys stored encrypted; payment card data is handled by Stripe (PCI DSS Level 1) and never touches our systems

Monitoring & Audit

Comprehensive Audit Logging - Implemented

All significant actions tracked with user, timestamp, IP address, and change details

Security Event Monitoring - Implemented

Real-time monitoring of authentication events, permission changes, and suspicious activity

Uptime Monitoring - Implemented

Continuous endpoint monitoring with alerting for service degradation

Rate Limiting - Implemented

API rate limiting to prevent abuse and ensure fair usage across all endpoints

Data Privacy & Compliance

GDPR Compliance - Implemented

Full data subject rights: access, rectification, erasure, portability, and restriction of processing

CCPA/CPRA Compliance - Implemented

California consumer rights: right to know, delete, opt-out, and non-discrimination

Data Export - Implemented

Users can export all their data in standard formats at any time

Data Deletion Requests - Implemented

Automated processing of data deletion requests with verification and confirmation

Privacy by Design - Implemented

Data minimization, purpose limitation, and storage limitation built into every feature

Infrastructure Security

Enterprise Cloud Hosting - Implemented

Hosted on enterprise-grade cloud infrastructure with physical security, redundancy, and disaster recovery

Network Isolation - Implemented

Database and internal services isolated from public internet access

Automated Backups - Implemented

Regular automated database backups with point-in-time recovery capability

DDoS Protection - Implemented

Edge-level DDoS mitigation and traffic filtering

Organizational Security

Security Awareness - Implemented

Team security awareness practices and secure development guidelines

Incident Response Plan - Implemented

Documented incident response procedures with defined roles, escalation paths, and notification timelines

Vulnerability Management - Implemented

Regular security assessments, dependency scanning, and vulnerability remediation

Secure Development Lifecycle - Implemented

Code review, automated testing, and security-focused development practices

Security Policies & Documentation

Our security program is governed by formal policies that align with ISO 27001, SOC 2, and HIPAA requirements. These documents guide our day-to-day security operations.

Information Security Policy

Defines our commitment to protecting the confidentiality, integrity, and availability of all information assets. Establishes the framework for our information security management system.

Data Classification Policy

Categorizes data into classification levels (Public, Internal, Confidential, Restricted) with handling requirements for each level. Ensures appropriate protection based on sensitivity.

Access Control Policy

Governs how access to systems and data is granted, reviewed, and revoked. Implements the principle of least privilege and separation of duties.

Incident Response Policy

Outlines procedures for identifying, containing, eradicating, and recovering from security incidents. Includes notification timelines compliant with GDPR (72 hours), HIPAA (60 days), and state breach notification laws.

Business Continuity & Disaster Recovery

Ensures critical business functions can continue during and after a disaster. Includes recovery time objectives (RTO), recovery point objectives (RPO), and regular testing procedures.

Acceptable Use Policy

Defines acceptable and prohibited uses of company information systems and resources. Applies to all employees, contractors, and third-party users.

Vendor & Third-Party Risk Management

Evaluates and monitors the security posture of third-party vendors and service providers. Ensures that contractual security requirements are in place and that vendors are reassessed on a regular schedule.

Data Retention & Disposal Policy

Specifies retention periods for different data categories and secure disposal methods. Ensures compliance with legal requirements while minimizing data exposure.

HIPAA Compliance Program

For organizations handling Protected Health Information (PHI), we are implementing the full suite of HIPAA-required safeguards to support healthcare and health-tech customers.

Administrative Safeguards

  • Security management process
  • Assigned security responsibility
  • Workforce security training
  • Information access management
  • Security awareness program
  • Contingency planning
  • Evaluation procedures

Physical Safeguards

  • Facility access controls
  • Workstation use policies
  • Workstation security
  • Device and media controls
  • Disposal procedures
  • Data backup and storage

Technical Safeguards

  • Unique user identification
  • Emergency access procedures
  • Automatic logoff
  • Encryption and decryption
  • Audit controls and logging
  • Integrity controls
  • Transmission security (TLS)

Business Associate Agreement (BAA): Organizations requiring HIPAA compliance can request a BAA by contacting us at [email protected]. BAA execution is available for customers on the Command plan.

Responsible Disclosure

We value the security research community and welcome responsible disclosure of vulnerabilities. If you discover a security issue, please report it to our security team.

How to Report

  • Email security vulnerabilities to [email protected]
  • Include detailed reproduction steps and potential impact assessment
  • We will acknowledge receipt within 24 hours and provide updates within 72 hours
  • We will not pursue legal action against researchers acting in good faith

Questions About Our Security?

Our team is happy to discuss our security practices, compliance roadmap, or specific requirements for your organization. Reach out to schedule a security review.