Trust center · Compliance
Compliance posture & disclosure
Where we are today, where we're going, and how to engage the platform if you've found a vulnerability or need pen-test evidence for a security review.
Certifications & attestations
We list certifications that are either in place or actively in progress. We don't list certifications we have no plans to pursue — silence on a certification means "not on the current roadmap", not "not applicable".
| Standard | Status | Expected |
|---|---|---|
| GDPR Article 28 DPA with SCCs ready to sign | In place | Today — see /legal/dpa |
| SOC 2 Type I A third-party audit that checks our security controls exist and are designed right, at a point in time — Trust Services Criteria (security) | In progress | Q3 2026 (audit window) |
| SOC 2 Type II The follow-up audit that watches those same controls actually operating over a 6-month observation window | Planned | Q1 2027 |
| Independent pen-test A penetration test: paid ethical hackers attack the platform to find holes before real attackers do — annual external assessment | Scheduled | First engagement Q3 2026 |
Pen-test report access
The most recent pen-test executive summary is publicly downloadable below. The full report — including the fix status of every finding and the complete testing method, nothing blacked out — is available under NDA to prospective customers who are actively evaluating us.
Public summary
Executive summary (PDF)
Findings count by severity, remediation status, scope of the engagement. No sensitive technical detail.
Available after first engagement (Q3 2026)
Full report (NDA-gated)
Request under NDA
Email security@driftstack.dev with your company name and use case. We respond within one business day with the NDA. Approved requests receive a private download link that works for 7 days (a signed URL).
Vulnerability disclosure policy
Found a security issue? Please report it privately. We triage every disclosure within one business day and update you through to resolution.
- Where to report
- security@driftstack.dev. If your finding involves exposed customer data, encrypt your report with PGP, the standard for encrypted email — our public PGP key, and the fingerprint that lets you verify it, will be published on this page once available.
- What we commit to
-
- Acknowledge receipt within 2 business days.
- First assessment (triage) + an initial severity rating within 5 business days.
- Status updates at least every 14 days until resolution.
- We ask reporters to keep the finding private for 90 days from the report while we fix it (the coordinated disclosure window), extendable on mutual agreement.
- Public credit on this page (with reporter consent) once the finding is remediated.
- Safe-harbour
-
We won't pursue legal action against good-faith security
research on the platform's public surface (api.driftstack.dev,
driftstack.dev, app.driftstack.dev) provided you:
- Don't access, change, or copy out (exfiltrate) other customers' data.
- Don't slow down or break the service for others — no load tests against the live platform (prod).
- Report findings privately before public disclosure.
How much warning you get before we change vendors (the sub-processor change SLA)
Sub-processors are the outside companies that handle customer data for us. Per GDPR Article 28(2) and Annex 3 of our data-processing agreement (DPA), we provide 30 calendar days' notice for any material change to the sub-processor list (additions or replacements). Customers can object via email to support@driftstack.dev during the notice window.
The live list is published at /trust/sub-processors and material changes will also be available as an RSS feed you can subscribe to — the subscribe link appears on that page once the feed ships.
Audit log retention
Per our written retention policy (internal decision record ADR-006):
- Customer-facing audit log —
retained per the customer's tier (see
/docs/audit-log),
surfaced via the dashboard +
GET /v1/account/audit-log. Includes every action taken on the customer's account (creating API keys, creating profiles, billing changes). - Admin audit log — internal-only retention of 365 days for every privileged admin action. Customer access requires legal process or explicit customer consent.
- Access logs — kept 90 days in quick-access storage ("hot"), then 1 year in archive ("cold"), so investigators can reconstruct exactly what happened if an incident is ever examined (forensic timeline reconstruction). Read-restricted to the on-call engineer + compliance lead.