Sotabox
  • Products
    Smart Library

    AI-powered knowledge base with cited answers

    Chat with Files
    Insight Search
    Document Library
    Smart Workspace

    Project hub with AI progress tracking

    Task Management
    AI Risk Tracking
    Notes & Reports
    AI Tools

    Research, transcription & automation

    Deep Research
    Meeting Transcription
    Shared Agents
  • Solutions
    Enterprise

    Organization-wide transformation

    Explore Enterprise Solutions
    By Team
    HR Teams: Onboarding & employee support
    Consulting: Client delivery & research
    Research Teams: Document analysis & synthesis
    Operations: Project visibility & tracking
    Customer Success: AI agents for client support
    Legal Teams: Contract search & due diligence
  • Pricing
  • Contact

Security Policy

Last updated: January 15, 2025

Our Commitment to Security

At Sotabox, security is not just a feature—it's fundamental to everything we build. We understand that you trust us with your most sensitive business information, and we take that responsibility seriously. This Security Policy outlines the measures we take to protect your data and maintain the integrity of our platform.

1. Infrastructure Security

1.1 Cloud Infrastructure

Sotabox is hosted on enterprise-grade cloud infrastructure provided by leading cloud service providers (AWS, Google Cloud) that maintain the following certifications:

  • SOC 1/2/3 compliance
  • ISO 27001 certification
  • PCI DSS Level 1 compliance
  • HIPAA eligibility

1.2 Network Security

Our infrastructure is protected by multiple layers of network security:

  • Enterprise-grade firewalls with strict ingress/egress rules
  • DDoS protection and mitigation
  • Intrusion detection and prevention systems (IDS/IPS)
  • Regular vulnerability scanning and penetration testing
  • Network segmentation and isolation

1.3 Physical Security

Our cloud providers maintain strict physical security controls including 24/7 security personnel, biometric access controls, video surveillance, and environmental controls to protect against physical threats.

2. Data Encryption

2.1 Encryption at Rest

All customer data stored in our systems is encrypted using AES-256 encryption, one of the strongest encryption standards available. This includes:

  • Documents and files
  • Database records
  • Backup files
  • Log files containing sensitive information

2.2 Encryption in Transit

All data transmitted between your devices and our servers is protected with TLS 1.3. We enforce HTTPS for all connections and send HTTP Strict Transport Security (HSTS) headers, so that a browser that has already seen the site refuses to fall back to plain HTTP; this is what blocks SSL-stripping downgrade attacks.
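What the HSTS statement above amounts to on the wire is a Strict-Transport-Security response header whose directives a browser will actually honour. The Go program below is an added example written for this page, not Sotabox's code: it parses the header as RFC 6797 defines it and flags the common ways such a header falls short (a max-age of zero, which switches HSTS off for the host; a max-age under one year; missing includeSubDomains or preload). The sample headers are constructed rather than captured from any real host, and the one-year baseline is the hstspreload.org submission requirement, not a figure this policy states.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// HSTSPolicy is the parsed Strict-Transport-Security header (RFC 6797 section 6.1).
type HSTSPolicy struct {
	MaxAge            int64 // seconds for which the browser pins HTTPS for the host
	IncludeSubDomains bool
	Preload           bool
}

// ParseHSTS splits the header into ';'-separated directives. Directive names are
// case-insensitive, max-age is mandatory and must appear exactly once, quoted
// values are accepted, and unknown directives are ignored as the RFC requires.
func ParseHSTS(header string) (HSTSPolicy, error) {
	var p HSTSPolicy
	seenMaxAge := false
	for _, raw := range strings.Split(header, ";") {
		d := strings.TrimSpace(raw)
		if d == "" {
			continue
		}
		name, value, hasValue := strings.Cut(d, "=")
		name = strings.ToLower(strings.TrimSpace(name))
		value = strings.Trim(strings.TrimSpace(value), `"`)
		switch name {
		case "max-age":
			if !hasValue || seenMaxAge {
				return p, fmt.Errorf("max-age is missing a value or repeated")
			}
			n, err := strconv.ParseInt(value, 10, 64)
			if err != nil || n < 0 {
				return p, fmt.Errorf("invalid max-age %q", value)
			}
			p.MaxAge, seenMaxAge = n, true
		case "includesubdomains":
			p.IncludeSubDomains = true
		case "preload":
			p.Preload = true
		}
	}
	if !seenMaxAge {
		return p, fmt.Errorf("max-age directive missing")
	}
	return p, nil
}

// Findings compares a header against the hstspreload.org baseline (assumed here):
// max-age of at least one year, includeSubDomains and preload. Empty means pass.
func Findings(header string) []string {
	const oneYear = 365 * 24 * 3600
	p, err := ParseHSTS(header)
	if err != nil {
		return []string{"unparseable header: " + err.Error()}
	}
	var f []string
	switch {
	case p.MaxAge == 0:
		f = append(f, "max-age=0 tells browsers to forget the host: HSTS is switched off")
	case p.MaxAge < oneYear:
		f = append(f, fmt.Sprintf("max-age %d is below one year (%d)", p.MaxAge, oneYear))
	}
	if !p.IncludeSubDomains {
		f = append(f, "includeSubDomains missing: subdomains can still be stripped to HTTP")
	}
	if !p.Preload {
		f = append(f, "preload missing: the very first visit is still unprotected")
	}
	return f
}

func main() {
	// Constructed sample headers, not captured from any real host.
	samples := []string{
		"max-age=63072000; includeSubDomains; preload",
		"max-age=300",
		"max-age=0",
		"includeSubDomains",
	}
	for _, h := range samples {
		fmt.Printf("%-48q -> %v\n", h, Findings(h))
	}
}
```

A header that parses cleanly but still produces findings leaves a window for an attacker on the network path; max-age=0 in particular is how sites switch HSTS off, so it is worth alerting on if it ever appears in production responses.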

2.3 Key Management

Encryption keys are managed using industry-standard key management services with automatic key rotation. Customer encryption keys are stored separately from the data they protect and are never exposed in plaintext outside the key management service.
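The separation that the encryption-at-rest and key-management paragraphs describe is usually built as envelope encryption: each object is encrypted under its own data-encryption key (DEK), and only a wrapped copy of that DEK, encrypted under a key-encryption key (KEK) that lives in the KMS, is stored beside the ciphertext. Rotating the KEK then means re-wrapping DEKs, not re-encrypting every document. The Go program below is an added example written for this page, not Sotabox's implementation: the in-memory KeyStore stands in for a KMS, AES-256-GCM is used for both layers, and the "doc-42" object ID and sample document are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

type Envelope struct {
	KEKVersion int    // key-encryption key (KEK) version that wrapped the DEK
	WrappedDEK []byte // AES-256-GCM(KEK, DEK), nonce prepended
	Ciphertext []byte // AES-256-GCM(DEK, plaintext), nonce prepended
}

// KeyStore stands in for a KMS: versioned KEKs held apart from the data store.
type KeyStore struct {
	keks    map[int][]byte
	current int
}

func NewKeyStore() *KeyStore { return &KeyStore{keks: map[int][]byte{}} }

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // only a wrong key size or a crypto/rand failure can get here
	}
	return v
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

func seal(key, plaintext, aad []byte) []byte {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := randomBytes(gcm.NonceSize()) // fresh 96-bit nonce, prepended to the output
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

func open(key, sealed, aad []byte) ([]byte, error) {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Rotate adds a new 256-bit KEK version; older versions stay usable for unwrapping.
func (ks *KeyStore) Rotate() {
	ks.current++
	ks.keks[ks.current] = randomBytes(32)
}

func (ks *KeyStore) Retire(version int) { delete(ks.keks, version) } // only after every envelope is rewrapped

// Encrypt: fresh DEK per object, wrapped under the current KEK; objectID is bound as AAD.
func (ks *KeyStore) Encrypt(objectID string, plaintext []byte) *Envelope {
	dek, id := randomBytes(32), []byte(objectID)
	return &Envelope{KEKVersion: ks.current, WrappedDEK: seal(ks.keks[ks.current], dek, id), Ciphertext: seal(dek, plaintext, id)}
}

func (ks *KeyStore) unwrap(objectID string, env *Envelope) ([]byte, error) {
	kek, ok := ks.keks[env.KEKVersion]
	if !ok {
		return nil, errors.New("KEK version has been retired")
	}
	return open(kek, env.WrappedDEK, []byte(objectID))
}

func (ks *KeyStore) Decrypt(objectID string, env *Envelope) ([]byte, error) {
	dek, err := ks.unwrap(objectID, env)
	if err != nil {
		return nil, err
	}
	return open(dek, env.Ciphertext, []byte(objectID))
}

// Rewrap moves an envelope onto the current KEK without touching the bulk ciphertext.
func (ks *KeyStore) Rewrap(objectID string, env *Envelope) error {
	dek, err := ks.unwrap(objectID, env)
	if err != nil {
		return err
	}
	env.KEKVersion, env.WrappedDEK = ks.current, seal(ks.keks[ks.current], dek, []byte(objectID))
	return nil
}

func main() {
	ks := NewKeyStore()
	ks.Rotate() // KEK v1
	env := ks.Encrypt("doc-42", []byte("constructed sample document"))
	ks.Rotate()                       // KEK v2 is current; v1 still unwraps old envelopes
	must(0, ks.Rewrap("doc-42", env)) // only KEKVersion and WrappedDEK change
	ks.Retire(1)                      // safe now: no envelope depends on v1
	pt := must(ks.Decrypt("doc-42", env))
	fmt.Println(string(pt), "under KEK version", env.KEKVersion)
}
```

Two caveats the code makes explicit: a KEK version must be kept until every envelope that references it has been rewrapped (Retire comes after Rewrap, never before), and the object ID is authenticated as associated data so an envelope cannot be copied from one object onto another without the decryption failing.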

3. Access Control

3.1 Authentication

We implement robust authentication mechanisms to protect your account:

  • Strong password requirements with complexity rules
  • Multi-factor authentication (MFA) support
  • Single Sign-On (SSO) integration for Enterprise customers
  • SAML 2.0 and OAuth 2.0 support
  • Session management with automatic timeout

3.2 Authorization

Access to data and features is controlled through role-based access control (RBAC):

  • Granular permission settings for team members
  • Principle of least privilege enforcement
  • Audit logging of all access and changes
  • Regular access reviews and certification

3.3 Employee Access

Sotabox employees have strictly limited access to customer data:

  • Access is granted only on a need-to-know basis
  • All access is logged and monitored
  • Background checks are conducted for all employees
  • Security awareness training is mandatory

4. Data Protection

4.1 Data Isolation

Customer data is logically isolated to ensure that no customer can access another customer's data. We use separate database schemas and strict access controls to maintain data isolation.

4.2 Data Retention

We retain customer data only for as long as necessary to provide our services or as required by law. Upon account termination or request, customer data is securely deleted within 30 days, with complete purging from backups within 90 days.

4.3 Data Backup

We maintain regular automated backups of all customer data:

  • Daily incremental backups
  • Weekly full backups
  • Geographically distributed backup storage
  • Regular backup restoration testing
  • Encrypted backup files

4.4 AI and Machine Learning

We do not use your data to train AI models. Your documents and content are processed solely to provide you with the requested services. AI processing is performed in isolated environments, and your data is not shared with or used to improve models for other customers.

5. Application Security

5.1 Secure Development

Our development practices follow industry best practices:

  • Secure Software Development Lifecycle (SSDLC)
  • Code reviews for all changes
  • Static and dynamic application security testing (SAST/DAST)
  • Dependency vulnerability scanning
  • Regular security training for developers

5.2 Vulnerability Management

We proactively identify and address security vulnerabilities:

  • Continuous automated vulnerability scanning
  • Annual third-party penetration testing
  • Bug bounty program for responsible disclosure
  • Rapid patching of critical vulnerabilities

6. Incident Response

6.1 Incident Detection

We employ 24/7 monitoring to detect security incidents:

  • Security Information and Event Management (SIEM)
  • Anomaly detection and alerting
  • Real-time threat intelligence feeds
  • Automated incident correlation

6.2 Incident Response Process

Our incident response team follows a documented process:

  • Immediate containment and assessment
  • Root cause analysis
  • Remediation and recovery
  • Post-incident review and improvement

6.3 Breach Notification

In the event of a security breach affecting customer data, we will:

  • Notify affected customers within 72 hours of confirmation
  • Provide details about the nature and scope of the breach
  • Describe the measures taken to address the breach
  • Offer guidance on steps customers can take to protect themselves

7. Compliance and Certifications

7.1 SOC 2 Type II

Sotabox has completed a SOC 2 Type II audit, in which an independent auditor attested to the design and operating effectiveness of our controls for security, availability, processing integrity, confidentiality, and privacy. The SOC 2 report is available to customers and prospects under NDA.

7.2 GDPR Compliance

We comply with the General Data Protection Regulation (GDPR) for customers in the European Union, including:

  • Data Processing Agreements (DPA) available upon request
  • EU data residency options for Enterprise customers
  • Support for data subject access requests
  • Privacy by design principles

7.3 Other Compliance

We maintain compliance with applicable regulations and can support customers with specific compliance requirements, including CCPA, HIPAA (with BAA for Enterprise customers), and industry-specific regulations.

8. Business Continuity

8.1 Disaster Recovery

We maintain comprehensive disaster recovery capabilities:

  • Multi-region deployment for high availability
  • Automatic failover capabilities
  • Recovery Point Objective (RPO) of 1 hour
  • Recovery Time Objective (RTO) of 4 hours
  • Regular disaster recovery testing

8.2 Service Level Agreement

We commit to 99.9% uptime for our services, with status updates available at our public status page. Enterprise customers may negotiate enhanced SLAs with dedicated support.

9. Security for Enterprise Customers

Enterprise Plus customers have access to additional security features:

  • Custom data residency options
  • Dedicated infrastructure options
  • Custom security configurations
  • Enhanced audit logging and reporting
  • Security review and assessment support
  • Direct access to security team

10. Reporting Security Issues

We welcome responsible disclosure of security vulnerabilities. If you discover a security issue, please report it to:

Email: security@sotabox.com
PGP Key: Available upon request

We ask that you:

  • Provide detailed information about the vulnerability
  • Allow reasonable time for us to address the issue before public disclosure
  • Do not access or modify other users' data
  • Act in good faith to avoid privacy violations and service disruption

We commit to acknowledging receipt within 24 hours and providing regular updates on our progress.

Contact Us

For security-related questions or to request our SOC 2 report, please contact:

Email: security@sotabox.com
Address: 123 Innovation Drive, Suite 400, San Francisco, CA 94105

© 2025 Sotabox. All rights reserved.