# SOC 2 Type I Readiness Summary

**Building Code Academy** | Compliance Documentation

**Document Version:** 1.0 | **Date:** February 2026

**Classification:** Public

---

## Overview

Building Code Academy (BCA) is committed to maintaining the highest standards of security, availability, and confidentiality for our customers' data. This document summarizes our SOC 2 Type I readiness posture across the Trust Services Criteria.

## Infrastructure Partners

BCA's infrastructure is built on SOC 2 Type II certified services:

| Service | Function | SOC 2 Status |
|---------|----------|--------------|
| **Vercel** | Application hosting & CDN | SOC 2 Type II Certified |
| **Supabase** (AWS) | Database, Authentication, Storage | SOC 2 Type II Certified |
| **Stripe** | Payment processing | SOC 2 Type II & PCI DSS Level 1 |
| **Upstash** | Rate limiting (Redis) | SOC 2 Type II Certified |
| **Resend** | Transactional email | SOC 2 Type II Certified |
| **Sentry** | Error monitoring | SOC 2 Type II Certified |

## Trust Services Criteria

### Security (Common Criteria)

- **Authentication:** Supabase Auth with SAML 2.0 SSO support, MFA-ready
- **Authorization:** Row-Level Security (RLS) policies enforce data isolation per tenant
- **Encryption in Transit:** All data transmitted over TLS 1.2+ (HTTPS enforced via HSTS)
- **Encryption at Rest:** AES-256 encryption at the database level (Supabase/AWS)
- **CSRF Protection:** Double-submit token pattern with HMAC validation
- **Rate Limiting:** Upstash Redis-backed rate limiting on all API endpoints
- **Content Security Policy:** Strict CSP headers on all responses
- **Security Headers:** X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy

### Availability

- **Hosting:** Vercel Edge Network with automatic failover and global CDN
- **Database:** Supabase (AWS) with automated daily backups and point-in-time recovery
- **Uptime Target:** 99.9% availability SLA
- **Monitoring:** Sentry for error tracking and performance monitoring
- **PWA Support:** Offline capability ensures continued access during network disruptions

### Processing Integrity

- **Input Validation:** Zod schema validation on all API endpoints
- **Data Consistency:** PostgreSQL ACID transactions with referential integrity constraints
- **Audit Trail:** Timestamp columns (created_at, updated_at) on all tables

### Confidentiality

- **Data Isolation:** Row-Level Security (RLS) ensures users can only access their own data
- **Organization Isolation:** B2B multi-tenant architecture with RLS-enforced boundaries
- **API Security:** Service role keys are server-side only, never exposed to clients
- **Environment Variables:** All secrets stored in environment variables, never committed to source code

### Privacy

- **GDPR Awareness:** Cookie consent banner, clear privacy policy
- **Data Minimization:** Only essential user data collected (email, name)
- **Right to Delete:** Users can request account deletion via support
- **Third-Party Data Processing:** All processors are US-based with appropriate DPAs

## Access Control

- **Admin Access:** Limited to authorized personnel with MFA
- **Database Access:** Service role keys restricted to server-side API routes only
- **Code Review:** All changes reviewed before deployment
- **Dependency Management:** Regular dependency audits and updates

## Incident Response

- **Monitoring:** Sentry alerts for application errors and performance degradation
- **Response:** Security incidents escalated within 24 hours
- **Notification:** Affected customers notified within 72 hours per GDPR requirements
- **Contact:** security@buildingcodeacademy.org

## Compliance Roadmap

| Milestone | Target Date |
|-----------|-------------|
| SOC 2 Type I Audit | Q3 2026 |
| SOC 2 Type II Audit | Q1 2027 |
| FedRAMP Authorization (if applicable) | Q4 2027 |

---

*For questions about our security posture, contact security@buildingcodeacademy.org*
