Compliance & Certifications
We don't hold SOC 2 or ISO 27001 certifications yet, but our controls map to both frameworks and our infrastructure runs entirely on certified providers. Here's exactly where we stand.
Tatvam Cloud Solutions, LLP | March 2026
1. Current Compliance Status
| Certification | WiserReview Status | Infrastructure Provider Status |
|---|---|---|
| SOC 2 Type II | On our roadmap | Azure (SOC 2), MongoDB Atlas (SOC 2), AWS (SOC 2), Cloudflare (SOC 2) |
| ISO 27001 | On our roadmap | Azure (ISO 27001), MongoDB Atlas (ISO 27001), Cloudflare (ISO 27001), AWS (ISO 27001) |
| Penetration Testing | Third-party engagement planned March–April 2026 | Cloudflare WAF provides continuous security monitoring |
| PCI DSS | Not in scope (no card data) | Chargebee (PCI DSS Level 1) handles all billing |
| GDPR | Aligned: automated data deletion implemented, data subject rights supported | All providers GDPR compliant |
2. SOC 2 Trust Service Criteria: Control Mapping
We don't hold a SOC 2 Type II report yet. The table below maps our existing controls to each criterion:
Security (Common Criteria)
| SOC 2 Criteria | WiserReview Control |
|---|---|
| CC6.1 — Logical access controls | JWT-based authentication for all API access; RBAC with Admin/Editor/Viewer roles |
| CC6.2 — System access authentication | Bcrypt password hashing (cost factor 12); OAuth 2.0 for platform integrations; Cloudflare Turnstile CAPTCHA |
| CC6.3 — Access authorization | Role-based permissions per workspace; least-privilege OAuth scopes for platform integrations |
| CC6.6 — Boundary protection | Cloudflare WAF + DDoS protection; MongoDB Atlas IP whitelisting; Docker container isolation |
| CC6.7 — Data transmission security | TLS 1.2+ enforced on all endpoints; HTTPS everywhere |
| CC6.8 — Unauthorized software prevention | Docker containers with pinned dependencies; Azure Container Registry with authenticated access |
| CC7.1 — Vulnerability detection | Cloudflare WAF managed rulesets; rate limiting on API endpoints |
| CC7.2 — Anomaly monitoring | Sentry error tracking; Slack real-time alerts; health-check endpoints; latency monitoring (>5s threshold) |
| CC7.3 — Security incident response | Documented incident response process; Slack alerting; 72-hour breach notification commitment |
| CC8.1 — Change management | GitHub Actions CI/CD pipeline; code review process; Docker multi-stage builds |
Availability
| SOC 2 Criteria | WiserReview Control |
|---|---|
| A1.1 — Processing capacity | Azure App Services auto-scaling; horizontal scaling under load |
| A1.2 — Recovery objectives | MongoDB Atlas automated backups with point-in-time recovery; replica sets with automatic failover |
| A1.3 — Recovery testing | Azure multi-region capable infrastructure; Cloudflare CDN with 300+ global edge locations |
Confidentiality
| SOC 2 Criteria | WiserReview Control |
|---|---|
| C1.1 — Confidential data identification | Workspace-level data isolation; sensitive fields encrypted with AES before storage |
| C1.2 — Confidential data disposal | Data deletion on account closure; GDPR SHOP_REDACT webhook for automated cleanup |
Processing Integrity
| SOC 2 Criteria | WiserReview Control |
|---|---|
| PI1.1 — Processing accuracy | Azure Service Bus with retry and dead-letter handling; input validation on API endpoints |
| PI1.2 — Error detection | Comprehensive error logging with context; automated monitoring via Sentry |
Privacy
| SOC 2 Criteria | WiserReview Control |
|---|---|
| P1.1 — Privacy notice | Privacy policy published; data collection purposes documented |
| P3.1 — Data collection limitation | Data minimization — only data required for review management collected |
| P4.1 — Data use limitation | No data sold to third parties; processing only for stated service purposes |
| P6.1 — Data subject rights | GDPR rights supported: access, rectification, deletion, portability, objection |
| P8.1 — Data retention | Defined retention policies; automatic deletion on account closure |
3. ISO 27001 Annex A: Control Mapping
How our practices map to ISO 27001 Annex A:
| Annex A Control | WiserReview Implementation |
|---|---|
| A.5 — Information security policies | Security practices documented in this document set |
| A.6 — Organization of information security | Security Officer serves as security lead; role-based access internally |
| A.8 — Asset management | Infrastructure managed via Azure portal; Docker images in Azure Container Registry |
| A.9 — Access control | JWT authentication; RBAC; bcrypt passwords; OAuth 2.0 with least privilege |
| A.10 — Cryptography | AES-256 at rest; TLS 1.2+ in transit; bcrypt for passwords; AES for sensitive fields |
| A.12 — Operations security | Sentry monitoring; automated health checks; error audit trails; CI/CD deployments |
| A.13 — Communications security | TLS 1.2+ on all endpoints; Cloudflare WAF; network isolation for databases |
| A.14 — System acquisition, development, and maintenance | GitHub Actions CI/CD; Docker multi-stage builds; encrypted secrets management |
| A.16 — Information security incident management | Real-time Slack alerts; Sentry error tracking; documented incident response process |
| A.17 — Business continuity | Azure 99.95% SLA; MongoDB Atlas replica sets; automated backups; auto-scaling |
| A.18 — Compliance | GDPR-aligned data processing; automated data deletion via platform events; sub-processor transparency; breach notification commitment |
4. Penetration Testing & Vulnerability Assessment
Current Security Measures
- Cloudflare WAF: Managed rulesets providing protection against OWASP Top 10 vulnerability classes, including SQL injection and XSS, and other common attack vectors
- DDoS Protection: Cloudflare's automatic L3/L4/L7 DDoS mitigation
- Rate Limiting: API-level rate limiting to prevent brute-force and abuse
- Bot Protection: Cloudflare Turnstile and intelligent bot detection
- Container Isolation: Docker containers limit blast radius of any potential compromise
Planned Activities
Third-Party Penetration Test: March–April 2026
We are engaging an independent security firm to conduct a formal penetration test and vulnerability assessment. Results and remediation actions will be shared with enterprise customers upon request.
Automated Vulnerability Scanning
We plan to implement automated dependency and container vulnerability scanning in the CI/CD pipeline.
5. Policies & Procedures
Until formal certification is in place, here's where our security documentation lives:
| Policy Area | Documentation |
|---|---|
| Data Privacy & Protection | Documented on this site |
| Infrastructure Security | Documented on this site |
| Access Control | JWT + RBAC + OAuth 2.0 (see Infrastructure Security) |
| Incident Response | See Infrastructure Security, Section 8.2 |
| Business Continuity | Azure auto-scaling + MongoDB Atlas HA + automated backups |
| Change Management | GitHub Actions CI/CD with code review |
| Vendor Management | See Data Privacy, Section 6 (Sub-Processors) |
| Encryption | AES-256 at rest, TLS 1.2+ in transit (see Infrastructure Security) |
Contact
For compliance inquiries or to request detailed documentation:
Tatvam Cloud Solutions, LLP
[email protected]