Trust Center / Compliance
Compliance status
An honest, dated read of where IlluminateRisk stands on the certifications and frameworks that customer security reviewers ask about. We update this page when the status changes — not when we hope it will.
Downloaded from https://illuminaterisk.ai/trust/compliance.
SOC 2 Type I
IlluminateRisk is preparing for a SOC 2 Type I attestation report covering the Security trust services criterion. We've designed our controls against the AICPA Trust Services Criteria from the start; the audit work formalizes evidence collection and gets us to a report a customer's security team can read instead of taking our word for it.
Target window: initial readiness assessment Q3 2026; observation period and Type I report Q4 2026. We'll publish the report summary here when issued; the full report ships under NDA on request.
What's already in place against SOC 2
| Control area | Status |
|---|---|
| CC6.1 — Logical access (auth + RBAC + tenant scoping) | In place |
| CC6.6 — TLS for all customer traffic; HSTS preload | In place |
| CC6.8 — Malware scanning of every upload (ClamAV, fail-closed) | In place |
| CC7.1 — Vulnerability identification (NuGet advisories, host patching) | In place |
| CC7.2 — Document QC + acknowledgement event before findings can be produced | In place |
| CC7.3 — Audit log of privileged actions (immutable, structured) | In place |
| CC9.2 — Subprocessor management and change notice | In place |
What's still being formalized
| Control area | Status |
|---|---|
| CC1.x — Documented governance + organization-chart evidence | In progress |
| CC2.x — Risk-assessment process and recurrence | In progress |
| CC6.2 — Personnel-access provisioning + offboarding evidence | In progress |
| CC7.4/CC7.5 — Incident-response runbook + tabletop exercises | In progress |
| Centralized log aggregation / SIEM | Planned |
| Customer-facing status page (/status) | Skeleton live |
GDPR & CCPA
Our data-handling practices are designed to support customers who have obligations under the GDPR, the UK GDPR, and the California Consumer Privacy Act. Specifically:
- A Data Processing Addendum is available; Standard Contractual Clauses are signed for transfers out of the EEA / UK.
- Subject-access, rectification, deletion, and portability requests are supported on a thirty-day SLA.
- Subprocessors are listed with categories of data and regions; thirty-day advance notice precedes any change.
- Sub-processor flow-down terms are written into the DPA.
Out of scope (today)
We don't claim certifications we don't hold. The following are not in scope and we won't pretend otherwise:
- HIPAA / PHI: IlluminateRisk is not engineered as a HIPAA Business Associate. Customers should not upload Protected Health Information.
- PCI DSS (for the platform itself): we don't store cardholder data; tokenization is delegated to Stripe (PCI DSS Level 1). Customers who upload PCI-scope data into their cases are responsible for the resulting scope expansion on their side.
- FedRAMP / IL-x government clouds: not in scope; we run in commercial AWS.
- ISO 27001: not formally certified. Our security-program design is informed by 27001 and SOC 2 controls but the certification itself is not on the current roadmap.
Frameworks we reference (without claiming certification)
- NIST CSF 2.0: the structure of our incident-response and risk-management process is mapped to the Identify / Protect / Detect / Respond / Recover taxonomy.
- OWASP ASVS 4.x: we treat ASVS L2 as a baseline for the web application surface.
- CIS Benchmarks: the Lightsail host's OS hardening references the CIS Amazon Linux 2023 benchmark.
Customer security reviews
During private beta, we respond to security reviews from prospective and active customers on a one-off basis. We do not yet maintain a CAIQ or SIG response. Submit review questions to support@illuminaterisk.ai with your timeline; we typically turn standard questionnaires around within ten (10) business days.
Contact
Compliance and assurance questions: support@illuminaterisk.ai. Legal / DPA: support@illuminaterisk.ai.