VinReach

SOC 2-ready

Last updated: April 19, 2026

VinReach runs controls aligned with the SOC 2 Trust Service Criteria today. Formal Type II attestation has not been issued yet; when it is, we will post the final report + any bridge letters here.

Status

Pre-audit, controls operational. Policies + evidence are in place; Type II audit engagement starts with the pilot-window observation period.

Controls implemented

Security (CC6)

  • TLS 1.2+ on every public endpoint. HSTS preload on app.vinreach.ai.
  • AES-256 at-rest encryption via managed Postgres.
  • KMS-wrapped secret storage for dealer credentials + platform API keys.
  • Clerk-managed auth with MFA available; super-admin actions are second-factor gated.
  • Row-level security on every tenant-scoped table; RLS test suite runs in CI.
  • Impersonation sessions are time-boxed (2 hour cap), reason-required, and write-blocked — logged immutably.

Availability (A1)

  • Vercel edge + multi-region serverless runtime.
  • Neon Postgres managed failover + point-in-time restore.
  • Bright Data + Firecrawl + ScrapingBee + R2 photo cache fallback cascade on the crawler path.

Confidentiality (C1)

  • Per-org data segmentation via RLS + orgId scoping.
  • Sub-processor list reviewed quarterly. See /subprocessors.
  • Dealer-CMS credentials + email provider keys are never logged in plaintext.

Processing integrity (PI1)

  • Every outbound send is gated on a compliance + inventory + frequency check before dispatch.
  • Advisory locks on send dispatch prevent double-delivery under concurrency.
  • Consent state flows monotonically — opt-outs survive merges and regenerations.
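An added illustration of two controls listed above, the RLS-scoped tenant tables from the Security list and the advisory-locked, consent-gated send dispatch from this list, written in Postgres SQL. This is not VinReach's schema or code: the table names, the app.org_id connection setting and the dispatch_send function are assumptions made for the example.

```sql
-- Hypothetical schema (added illustration, not VinReach's code): one tenant-scoped
-- table, an RLS policy keyed on a per-connection setting, and a dispatch gate.
CREATE TABLE outbound_sends (
  id        bigserial PRIMARY KEY,
  org_id    text NOT NULL,
  recipient text NOT NULL,
  status    text NOT NULL DEFAULT 'queued'   -- queued | sent | blocked
);
CREATE TABLE consent (
  org_id    text NOT NULL,
  recipient text NOT NULL,
  opted_out boolean NOT NULL DEFAULT false,
  PRIMARY KEY (org_id, recipient)
);
-- 1. Per-org segmentation. The app sets app.org_id per request with
--    SELECT set_config('app.org_id', '<tenant id>', true);
--    rows of other orgs are then invisible to SELECT/UPDATE/DELETE and an
--    INSERT with a foreign org_id is rejected. If the setting is unset the
--    comparison is NULL, so the policy denies everything rather than leaking.
ALTER TABLE outbound_sends ENABLE ROW LEVEL SECURITY;
ALTER TABLE outbound_sends FORCE ROW LEVEL SECURITY;   -- binds the owner too
CREATE POLICY org_isolation ON outbound_sends
  USING      (org_id = current_setting('app.org_id', true))
  WITH CHECK (org_id = current_setting('app.org_id', true));
-- 2. Dispatch gate. A transaction-scoped advisory lock keyed on the send id
--    means two workers racing on the same send cannot both mark it sent: the
--    loser's pg_try_advisory_xact_lock() returns false and it backs off.
CREATE OR REPLACE FUNCTION dispatch_send(p_send_id bigint) RETURNS text
LANGUAGE plpgsql AS $$
DECLARE v_row outbound_sends%ROWTYPE;
BEGIN
  IF NOT pg_try_advisory_xact_lock(p_send_id) THEN
    RETURN 'locked';              -- another worker owns this send right now
  END IF;
  SELECT * INTO v_row FROM outbound_sends WHERE id = p_send_id FOR UPDATE;
  IF NOT FOUND OR v_row.status <> 'queued' THEN
    RETURN 'already-processed';   -- idempotent on retry after the lock is gone
  END IF;
  -- Compliance check: an opted-out recipient is never dispatched.
  IF EXISTS (SELECT 1 FROM consent c WHERE c.org_id = v_row.org_id
               AND c.recipient = v_row.recipient AND c.opted_out) THEN
    UPDATE outbound_sends SET status = 'blocked' WHERE id = p_send_id;
    RETURN 'blocked';
  END IF;
  UPDATE outbound_sends SET status = 'sent' WHERE id = p_send_id;
  RETURN 'sent';                  -- caller now hands the message to the provider
END $$;
```

A background worker must set app.org_id to the send's org before calling dispatch_send, otherwise the policy hides the row and the call reports 'already-processed'. Advisory lock keys share one 64-bit space per database, so a deployment with several lock users should namespace them with the two-argument pg_try_advisory_xact_lock(int, int) form.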

Privacy (P-criteria, AICPA)

  • CPRA-compliant opt-out; Global Privacy Control (GPC) signals are honored.
  • CAN-SPAM unsub honored within 10 minutes platform-wide.
  • Data subject access + deletion workflow in the admin console.
  • Retention policy: 18 months for outbound + reply history, then purged unless extended under a paid plan.

Audit schedule

  • Internal readiness review: complete.
  • Formal Type I attestation: not yet engaged.
  • Formal Type II attestation: not yet engaged. Observation window is planned to open with pilot operations.

No bridge letter or attestation report has been issued at this time. CISO / security teams that need a pre-audit security questionnaire, control narrative, or architecture walk-through can request one via /contact.