Your inspection data is your business. We treat it accordingly.
TLS 1.3 in transit
AES-256 at rest
PCI Level 1 (Square)
Regular pen testing
Data Encryption
In transit: All connections to SOP Reports are encrypted using TLS 1.3, the latest and most secure version of the Transport Layer Security protocol. We enforce HTTPS-only connections and use HSTS (HTTP Strict Transport Security) to prevent downgrade attacks.
At rest: All stored data — inspection reports, photos, client information, SOP documents, and account credentials — is encrypted using AES-256 encryption. Database volumes, backups, and file storage all use encryption at rest.
Payment Security
We do not store, process, or transmit raw credit card numbers on our servers. All payment processing is handled by Square, Inc., a PCI DSS Level 1 compliant payment processor — the highest level of certification available. When you enter payment information, it is tokenized by Square's secure elements and never touches our infrastructure.
Square's security practices include: end-to-end encryption of card data, tokenization, fraud monitoring, and SOC 1/2/3 compliance. Learn more about Square security.
Infrastructure Security
Network isolation: Production servers are isolated from development environments. Database servers are not directly accessible from the public internet.
Firewall rules: Strict inbound/outbound rules. Only necessary ports are open.
DDoS protection: Traffic is routed through Cloudflare's network, providing automatic DDoS mitigation.
Regular updates: Operating systems, frameworks, and dependencies are patched on a regular schedule. Critical security patches are applied within 24 hours.
Secrets management: API keys, database credentials, and other secrets are never hardcoded. They are injected via environment variables at runtime and never committed to version control.
Authentication & Access Control
Password hashing: User passwords are hashed using strong, adaptive algorithms (bcrypt/PBKDF2). We never store plaintext passwords.
JWT tokens: Session authentication uses short-lived JSON Web Tokens with automatic refresh.
Role-based access: Fine-grained permissions control what each user can see and do. Technicians only see their own jobs. Admins manage their organization. Super admins manage the platform.
Multi-tenant isolation: Every database query filters by organization_id. PostgreSQL Row-Level Security (RLS) provides an additional safety net.
Rate limiting: Login attempts, password resets, and API endpoints are rate-limited to prevent brute force attacks.
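The password hashing and rate limiting items above describe two halves of one login path: attempts are counted before any work is done, and the password check itself is a salted, iterated hash compared in constant time. The block below is an added example written for this page, not SOP Reports' own code; it uses PBKDF2-HMAC-SHA256 from the Python standard library (the page names bcrypt/PBKDF2 but gives no parameters, so the iteration count and salt size are assumptions), and the sample account, the limiter thresholds and the `attempt_login` function are constructed for illustration.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

# Assumed parameters: the page names PBKDF2 but not its settings.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str) -> str:
    """Hash with a fresh random salt; the record carries algorithm, cost and salt."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored record and compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


class SlidingWindowLimiter:
    """Allow at most max_attempts events per key inside any window_seconds interval."""

    def __init__(self, max_attempts: int, window_seconds: float, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.clock = clock  # injectable so tests can move time forward deterministically
        self._events = defaultdict(deque)

    def allow(self, key: str) -> bool:
        now = self.clock()
        events = self._events[key]
        while events and now - events[0] >= self.window:
            events.popleft()  # forget attempts that have aged out of the window
        if len(events) >= self.max_attempts:
            return False
        events.append(now)
        return True


# Constructed sample account; a real deployment reads the record from its users table.
USERS = {"alice@example.com": hash_password("correct horse battery staple")}
# Hashed once at startup so an unknown account costs the same time as a known one.
DUMMY_RECORD = hash_password(os.urandom(16).hex())


def attempt_login(email: str, password: str, client_ip: str, limiter: SlidingWindowLimiter) -> str:
    """Return 'rate_limited', 'invalid' or 'ok'. The limiter runs before any hashing."""
    if not limiter.allow(f"{email}|{client_ip}"):
        return "rate_limited"
    record = USERS.get(email)
    if record is None:
        verify_password(password, DUMMY_RECORD)  # same cost as a real check
        return "invalid"
    return "ok" if verify_password(password, record) else "invalid"
```

Keying the limiter on the email plus the client address means a locked account from one address does not block the legitimate user elsewhere, while a single address cannot spray one account; the limiter sits in front of the hash so blocked attempts cost no CPU.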
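The JWT item above says sessions use short-lived tokens with automatic refresh. The following added example, written for this page and not taken from SOP Reports, shows the two checks that make that design safe: the verifier pins the algorithm to HS256 rather than trusting the token's own header, and it rejects anything at or past `exp`. Refresh tokens are signed with a separate key and carry a `typ` claim so an access token cannot be replayed as a refresh token. The 15-minute and 7-day lifetimes, the key values and the claim names are assumptions.

```python
import base64
import binascii
import hashlib
import hmac
import json


class TokenError(Exception):
    """Raised for any token that must not be accepted."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, key: bytes, ttl_seconds: int, now: int) -> str:
    """Mint an HS256 JWT that expires ttl_seconds after now (epoch seconds)."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, iat=now, exp=now + ttl_seconds)
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)
    )
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(signature)}"


def verify_token(token: str, key: bytes, now: int) -> dict:
    """Return the claims only if the signature is valid and the token is unexpired."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except (ValueError, binascii.Error):
        raise TokenError("malformed token")
    # Pin the algorithm: the token's own "alg" is never trusted, so "none" is refused.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    payload = json.loads(b64url_decode(payload_b64))
    if not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
        raise TokenError("expired")
    return payload


ACCESS_TTL = 15 * 60           # assumed: access tokens live 15 minutes
REFRESH_TTL = 7 * 24 * 3600    # assumed: refresh tokens live 7 days


def start_session(user_id: str, org_id: str, access_key: bytes, refresh_key: bytes, now: int):
    """Issue the access/refresh pair; each is signed with its own key."""
    access = issue_token({"sub": user_id, "org": org_id, "typ": "access"}, access_key, ACCESS_TTL, now)
    refresh = issue_token({"sub": user_id, "org": org_id, "typ": "refresh"}, refresh_key, REFRESH_TTL, now)
    return access, refresh


def refresh_access(refresh_token: str, access_key: bytes, refresh_key: bytes, now: int) -> str:
    """Exchange a valid refresh token for a new short-lived access token."""
    claims = verify_token(refresh_token, refresh_key, now)
    if claims.get("typ") != "refresh":
        raise TokenError("not a refresh token")
    return issue_token({"sub": claims["sub"], "org": claims["org"], "typ": "access"}, access_key, ACCESS_TTL, now)
```

Because the signature covers the encoded header and payload exactly as transmitted, any edit to either segment fails the `compare_digest` check before the payload is even parsed; the expiry check runs only on a token whose signature has already been accepted.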
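The multi-tenant isolation and role-based access items above state that every query filters by organization_id and that technicians see only their own jobs. The added example below, written for this page rather than taken from SOP Reports, shows what that rule looks like at the data-access layer: the caller's organization comes from the verified session, never from the request, and a lookup by id is also constrained by organization so a guessed id from another tenant returns nothing. SQLite stands in for PostgreSQL so the block runs offline; the PostgreSQL Row-Level Security policy the page mentions is shown only as a comment, since SQLite has no RLS. The table layout, sample rows and `Principal` type are constructed.

```python
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """The caller, as established from the verified session token (not from request input)."""
    user_id: int
    organization_id: int
    role: str  # "technician" or "admin" (super-admin platform access is not modelled here)


def make_db() -> sqlite3.Connection:
    """Constructed in-memory sample: two organizations, each with its own jobs."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(
        """
        CREATE TABLE jobs (
            id INTEGER PRIMARY KEY,
            organization_id INTEGER NOT NULL,
            technician_id INTEGER NOT NULL,
            title TEXT NOT NULL
        );
        INSERT INTO jobs VALUES (1, 10, 100, 'Site A quarterly inspection');
        INSERT INTO jobs VALUES (2, 10, 101, 'Site B fire door check');
        INSERT INTO jobs VALUES (3, 20, 200, 'Warehouse roof survey');
        """
    )
    return conn


def _scope(principal: Principal, sql: str, params: list) -> tuple:
    """Append the tenant filter, and the per-technician filter where the role requires it."""
    sql += " AND organization_id = ?"
    params.append(principal.organization_id)
    if principal.role == "technician":
        sql += " AND technician_id = ?"
        params.append(principal.user_id)
    return sql, params


def list_jobs(conn: sqlite3.Connection, principal: Principal) -> list:
    """Jobs visible to the caller: the whole organization for admins, own jobs for technicians."""
    sql, params = _scope(principal, "SELECT id, title FROM jobs WHERE 1 = 1", [])
    return [dict(row) for row in conn.execute(sql + " ORDER BY id", params)]


def get_job(conn: sqlite3.Connection, principal: Principal, job_id: int):
    """Fetch by id AND tenant: an id belonging to another organization yields None, not a row."""
    sql, params = _scope(principal, "SELECT * FROM jobs WHERE id = ?", [job_id])
    row = conn.execute(sql, params).fetchone()
    return dict(row) if row else None


# PostgreSQL safety net referred to on the page (not executable in SQLite): with RLS enabled,
# the database itself refuses rows outside the session's organization even if an
# application query forgets the filter. Assumed policy shape, using a session setting:
#
#   ALTER TABLE jobs ENABLE ROW LEVEL SECURITY;
#   CREATE POLICY org_isolation ON jobs
#       USING (organization_id = current_setting('app.org_id')::int);
#
# The application would run SET app.org_id = '<org of the verified session>' per connection.
```

Routing every read through `_scope` is what turns "every query filters by organization_id" from a convention into a property that a review can check: a new query that bypasses the helper is visible as such, and the RLS policy catches the case where one still slips through.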
Data Privacy & Ownership
You own your data. Always. We do not sell, rent, or share your inspection data with third parties except as necessary to provide the service (e.g., Square for payments, AI providers for report processing under data processing agreements). See our Privacy Policy for full details.
AI Data Handling
When our AI processes your inspection data for report generation, SOP citation matching, or voice transcription:
Text content is sent to AI providers under data processing agreements that prohibit using your data for model training.
Photographs are processed locally when possible.
No client PII (names, addresses, emails) is sent to AI providers.
Backup & Disaster Recovery
Database backups: Automated daily backups with point-in-time recovery. Backups are encrypted and stored in a separate geographic region.
RPO (Recovery Point Objective): 24 hours (maximum data loss in worst case).
RTO (Recovery Time Objective): 4 hours (time to restore service after catastrophic failure).
Backup testing: Restoration tests are performed monthly to verify backup integrity.
Vulnerability Disclosure
If you discover a security vulnerability in SOP Reports, please report it to security@sopreports.com. We take all reports seriously and will respond within 48 hours. We do not pursue legal action against researchers who act in good faith.
Compliance Status
SOP Reports is a new platform (launched 2026). We are actively working toward formal compliance certifications. Current status:
SOC 2 Type II: In progress — target completion Q4 2026.
PCI DSS: Covered by Square's Level 1 certification for payment processing. Our infrastructure follows PCI DSS best practices.
CCPA: Compliant. See our Privacy Policy for California consumer rights.
GDPR: Privacy controls implemented. DPA available on request.