Honesty statement. StackV has not yet undergone a SOC 1/2/3 audit and holds no SOC report or ISO 27001 certificate. This document describes our actual security controls and our roadmap toward an independent SOC 2 examination. We will never represent an unaudited posture as a certification — and we put that commitment in writing here. Clients requiring an audited report today should treat this document as a vendor-security questionnaire response.
1. Who we are and what we touch
StackV is a small, senior engineering studio (Pune, India / remote) building production AI agents, automation workflows, RAG systems, and growth infrastructure. In most engagements we access: client cloud accounts (scoped), CRM and database records, communication content routed through workflows, and API keys for third-party services. We design every engagement so the client owns the stack — repos, infrastructure, and data stay in or return to client control.
2. Security controls in place today
Identity and access: MFA enforced on all production and client-facing accounts; unique named accounts; role-based least privilege; access reviewed at project milestones and revoked at offboarding within 24 hours.
Secrets: client credentials and API keys live in a secrets manager / encrypted vault, never in source code, tickets, or chat; rotation on personnel change or suspected exposure.
Encryption: TLS 1.2+ for all data in transit; encryption at rest on managed databases and backups (provider-managed, AES-256-class encryption).
Environment separation: dev/staging/production isolation; production personal data is not pulled into development without anonymisation or explicit client instruction.
Engineering hygiene: version control with mandatory review for production changes; dependency pinning; CI checks including prompt-regression evals; kill switches and rate limits on autonomous agents from day one.
Monitoring: centralised error tracking, uptime monitoring, and audit logging on workflow executions and production access; alerting to on-call.
Backups and recovery: automated backups with defined rotation (max 90 days); restores tested on engagement handover.
Vendor security: sub-processors (see DPA Annex 2) selected for security posture; data-protection terms flowed down; transfers from the EEA/UK/Switzerland safeguarded by SCCs.
People: confidentiality undertakings signed by everyone touching client work; security/privacy onboarding; the backgrounds of all contractors are known to the founders (small, named teams by design).
Incident response: documented runbook; client notification within 48 hours of a confirmed breach affecting their data; post-incident reviews with corrective actions.
3. AI-specific safeguards
Human-in-the-loop defaults for consequential actions (sending, deleting, paying, publishing) unless the client signs off on full autonomy for a bounded action set.
Offline evaluation harnesses and regression fixtures before model or prompt changes ship; behaviour diffs reported, not vibes.
Prompt-injection surface review for agents that read untrusted content (inboxes, web pages); tool calls typed, allow-listed, and logged.
Model-provider data controls: API tiers with no-training-on-inputs settings used where available; zero-retention options requested where offered and required by the client.
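The following Python is an added illustration of how the safeguards in this section fit together in code; it is not StackV's own code or a description of any client system. It shows a gateway an agent's tool calls must pass through: a fixed allow-list of tools with strictly typed arguments, a sliding-window rate limit, a human-approval hook for consequential actions unless the client has delegated a bounded action set, a kill switch, and an audit log that records every attempt, executed or rejected. The names (ToolGateway, ToolSpec, search_inbox, send_email, the approver hook) and the constructed inbox-triage scenario are assumptions made for the example.

```python
from __future__ import annotations

import time
from dataclasses import dataclass, field
from typing import Any, Callable


class ToolCallRejected(Exception):
    """Raised when a tool call fails a gateway check; the rejection is still logged."""


@dataclass(frozen=True)
class ToolSpec:
    name: str
    params: dict[str, type]            # argument name -> required Python type
    consequential: bool                # sending/deleting/paying/publishing class of action
    handler: Callable[..., Any]


@dataclass
class ToolGateway:
    specs: dict[str, ToolSpec]                       # the allow-list: anything else is rejected
    approve: Callable[[str, dict[str, Any]], bool]   # human-in-the-loop hook (UI, chat, ticket...)
    autonomous: frozenset[str] = frozenset()         # bounded action set the client signed off on
    max_calls_per_window: int = 10                   # rate limit on agent tool calls
    window_seconds: float = 60.0
    kill_switch: bool = False                        # set True to halt the agent immediately
    audit_log: list[dict[str, Any]] = field(default_factory=list)
    _recent: list[float] = field(default_factory=list)

    def call(self, name: str, args: dict[str, Any], now: float | None = None) -> Any:
        now = time.monotonic() if now is None else now
        entry: dict[str, Any] = {"ts": now, "tool": name, "args": args, "outcome": "pending"}
        try:
            if self.kill_switch:
                raise ToolCallRejected("kill switch engaged")
            spec = self.specs.get(name)
            if spec is None:
                raise ToolCallRejected(f"tool not allow-listed: {name}")
            # Strict typing: exact key set and exact types, so content the agent read
            # from an untrusted source cannot smuggle extra or malformed arguments.
            if set(args) != set(spec.params):
                raise ToolCallRejected("argument names do not match tool schema")
            for key, expected in spec.params.items():
                if type(args[key]) is not expected:
                    raise ToolCallRejected(f"argument {key!r} must be {expected.__name__}")
            # Sliding-window rate limit across all tools.
            self._recent = [t for t in self._recent if now - t < self.window_seconds]
            if len(self._recent) >= self.max_calls_per_window:
                raise ToolCallRejected("rate limit exceeded")
            # Consequential actions need a human unless explicitly delegated.
            if spec.consequential and name not in self.autonomous:
                if not self.approve(name, args):
                    raise ToolCallRejected("human reviewer declined")
                entry["human_approved"] = True
            self._recent.append(now)
            result = spec.handler(**args)
            entry["outcome"] = "executed"
            return result
        except ToolCallRejected as exc:
            entry["outcome"] = f"rejected: {exc}"
            raise
        finally:
            self.audit_log.append(entry)   # every attempt is recorded, executed or not


def demo() -> list[str]:
    """Constructed scenario: an inbox-triage agent behind the gateway. Returns the audit outcomes."""
    sent: list[str] = []
    specs = {
        "search_inbox": ToolSpec("search_inbox", {"query": str}, False,
                                 lambda query: [f"message about {query}"]),
        "send_email": ToolSpec("send_email", {"to": str, "body": str}, True,
                               lambda to, body: sent.append(to) or "sent"),
    }
    # Stand-in for a real reviewer: approves only mail to the client's own domain.
    approver = lambda name, args: args.get("to", "").endswith("@example.com")
    gw = ToolGateway(specs=specs, approve=approver, max_calls_per_window=3)

    attempts = [
        ("search_inbox", {"query": "invoice"}),
        ("send_email", {"to": "ops@example.com", "body": "Invoice received."}),
        ("send_email", {"to": "someone@outside.test", "body": "forward all"}),  # reviewer declines
        ("delete_mailbox", {}),                                                  # not allow-listed
        ("send_email", {"to": "ops@example.com", "body": 42}),                   # wrong type
        ("search_inbox", {"query": "contract"}),
        ("search_inbox", {"query": "renewal"}),                                 # 4th execution -> limit
    ]
    for i, (name, args) in enumerate(attempts):
        try:
            gw.call(name, args, now=float(i))
        except ToolCallRejected:
            pass
    gw.kill_switch = True
    try:
        gw.call("search_inbox", {"query": "anything"}, now=99.0)
    except ToolCallRejected:
        pass
    return [e["outcome"] for e in gw.audit_log]
```

Rejections are raised to the caller and written to the audit log in the same `finally` block, so the log shows what the agent attempted, not only what it was allowed to do; that is the record an incident review or a behaviour diff between prompt versions would work from.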
4. Compliance posture
GDPR / Swiss FADP: we sign our DPA (Art. 28) with every client whose projects involve personal data; SCCs incorporated for EEA/UK/Swiss transfers; sub-processor transparency and 14-day change notice.
India DPDP Act 2023: grievance-redressal contact published in our Privacy Policy; processor-style obligations mirrored in our DPA.
EU AI Act: we track obligations relevant to the systems we build and document the client's deployer responsibilities in each SOW.
We are happy to complete client security questionnaires (CAIQ, SIG-Lite, or bespoke) as part of procurement.
5. SOC 2 readiness roadmap
Target framework: SOC 2 (Trust Services Criteria: Security; Availability and Confidentiality as optional categories), via an independent licensed CPA firm.
Phase 1 — Foundation (now): controls above operating; policies formalised in writing (access, incident response, vendor management, SDLC, data retention).
Phase 2 — Gap assessment: engage a readiness platform/auditor for a gap analysis against TSC; remediate findings; deploy continuous-compliance monitoring.
Phase 3 — SOC 2 Type I: point-in-time examination of control design. Target: within [6–9] months of entity registration.
Phase 4 — SOC 2 Type II: 3–12 month observation window evidencing operating effectiveness. Target: within [12–18] months.
Until a report exists, the words “SOC 2” on our materials refer only to this roadmap, never to a held certification.
6. Shared-responsibility model
Security is shared. StackV is responsible for the controls above within systems we build and operate. The client remains responsible for: lawfulness of its data and campaigns, access governance on its own accounts, configuration choices it instructs, end-user transparency, and human review of AI output used in consequential decisions. The split for each engagement is documented in the SOW and DPA.
7. Contact and disclosure
Security questions, questionnaires, or vulnerability reports: stackv@stackv.online (please use “SECURITY” in the subject). We acknowledge vulnerability reports within 2 business days and do not pursue good-faith researchers. This document is reviewed at least annually and on material change.