SOC 2 Aligned

Security you can trust.

How we protect your data and maintain the security of our platform.

Last updated: December 2025

SOC 2 Security Aligned

We operate a security program aligned to the SOC 2 Security Trust Services Criteria, with documented policies, enforced controls, and supporting evidence.

Infrastructure & Data Protection

Enterprise-grade security at every layer.

Cloud Hosting: Production systems hosted on ISO 27001 certified infrastructure in the EU
Network Security: All traffic encrypted via TLS 1.2+; databases isolated on private networks
Access Control: Multi-factor authentication required for all infrastructure access
Encryption at Rest: Database encryption and encrypted backups via Active Record Encryption
Secrets Management: Credentials stored in a SOC 2 certified secrets manager, never in code
File Security: All uploaded files scanned for malware before processing

Application Security

Defense in depth for your compliance data.

Authentication: Secure password hashing (bcrypt), optional SAML SSO for enterprise
Authorization: Role-based access control with jurisdiction-level data isolation
Session Security: Secure, HTTP-only cookies with automatic expiration
Vulnerability Scanning: External penetration testing, automated dependency scanning, and security updates

Operational Security

Secure processes from development to production.

Change Management: All changes deployed through version-controlled CI/CD pipelines
Incident Response: Documented procedures for security incident detection and response
Vendor Management: Critical vendors evaluated for security certifications (SOC 2, ISO 27001)
Business Continuity: Regular automated backups with tested recovery procedures

Vendor Security

We carefully select vendors based on their security posture.

Service: Certification
Cloud Storage: SOC 2 Type II
Email Delivery: SOC 2 Type II
Secrets Management: SOC 2 Type II
Authentication (SSO): SOC 2 Type II
Infrastructure: ISO 27001

Compliance

Our security program is designed to meet the requirements of:

SOC 2 Type I (Security Trust Services Criteria)
California Consumer Privacy Act (CCPA)
General Data Protection Regulation (GDPR) principles

Security Requests

For security questionnaires, penetration test reports, or detailed security documentation:

security@citycycle.app

To report a security vulnerability, email us at the address above. We take all reports seriously and will respond promptly.