SOC 2 Security Overview
Compliance status: The controls described below are implemented in the production codebase. SOC 2 Type I audit engagement is underway — report expected Q3 2026. For NDA-gated security documentation, contact hello@creatorlayer.eu.
Creatorlayer is designed with security and compliance as core engineering requirements, not afterthoughts. This page summarises the security posture, current controls, and SOC 2 compliance roadmap.
To request a copy of the SOC 2 report (when available) or to ask questions about security practices, email hello@satoshiframework.com.
Trust Services Criteria
SOC 2 is organized around five Trust Services Criteria. Here is how Creatorlayer addresses each:
| Criterion | Status | Description |
|---|---|---|
| Security (CC) | Controls designed (not audited) | Core controls in place: authentication, RBAC, rate limiting, audit logging, SAST, input validation |
| Availability (A) | Controls designed (not audited) | Health check endpoint, Scalingo SLA, Redis connection monitoring |
| Processing Integrity (PI) | Controls designed (not audited) | Zod + AJV schema validation on all inputs; TypeScript strict mode; migration-controlled schema |
| Confidentiality (C) | Controls designed (not audited) | Data classification policy; trade secret headers; field-level controls for Risk Tape data |
| Privacy (P) | Controls designed (not audited) | GDPR consent management; erasure within 30 days; creator Privacy Center |
Current Security Controls
Authentication and Access Control
- All API access requires a SHA-256 hashed API key — keys are never stored in plaintext
- Role-based access control with three roles: `lender`, `gdpr_admin`, `admin`
- Principle of least privilege: each role accesses only the endpoints required for its function
- Access keys are immediately revocable; deactivation takes effect on the next request
Transport Security
- TLS enforced on all connections via HSTS headers (managed by `helmet.js`)
- Minimum TLS 1.2; enforced at the Scalingo infrastructure level
- No plaintext HTTP accepted on production endpoints
Application Security
- `helmet.js` with strict Content Security Policy, X-Frame-Options DENY, and HSTS
- Request payload capped at 10 KB to mitigate denial-of-service via large payloads
- CORS allowlist — only approved origins accepted
- Semgrep SAST runs on every pull request (OWASP Top 10 + custom rules)
- Input validation via Zod (TypeScript) and AJV (JSON Schema)
Rate Limiting
- Per-lender rate limiting enforced via Redis, scoped to each plan tier
- Prevents API abuse, credential stuffing, and scraping
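A per-lender limit scoped to plan tier is a fixed-window counter whose key carries both the lender and the tier. The block below is an added example, not Creatorlayer's code: the tier names and request limits are constructed, and a `Map` stands in for the Redis `INCR`/`EXPIRE` pair the page's deployment would use.

```typescript
// Added example (not Creatorlayer's code): fixed-window rate limit per lender,
// with the window size and request budget chosen by plan tier. Tier names and
// limits are constructed; the Map replaces Redis INCR + EXPIRE for the example.
export type PlanTier = "starter" | "growth" | "enterprise";

const TIER_LIMITS: Record<PlanTier, { requests: number; windowMs: number }> = {
  starter: { requests: 60, windowMs: 60_000 },
  growth: { requests: 600, windowMs: 60_000 },
  enterprise: { requests: 6_000, windowMs: 60_000 },
};

interface WindowCounter {
  count: number;   // requests seen in the current window
  resetAt: number; // epoch ms at which the window expires (Redis TTL equivalent)
}

export interface RateDecision {
  allowed: boolean;
  remaining: number;     // budget left in this window
  retryAfterMs: number;  // 0 when allowed; time until the window resets otherwise
}

export class LenderRateLimiter {
  private counters = new Map<string, WindowCounter>();

  // The clock is injectable so windows can be advanced deterministically in tests.
  constructor(private now: () => number = () => Date.now()) {}

  check(lenderId: string, tier: PlanTier): RateDecision {
    const { requests, windowMs } = TIER_LIMITS[tier];
    // Key scoped to tier and lender, mirroring a Redis key layout.
    const key = `ratelimit:${tier}:${lenderId}`;
    const t = this.now();
    let win = this.counters.get(key);
    if (!win || t >= win.resetAt) {
      // First hit in a window: counter starts at 0 with an expiry, like INCR + EXPIRE.
      win = { count: 0, resetAt: t + windowMs };
      this.counters.set(key, win);
    }
    if (win.count >= requests) {
      return { allowed: false, remaining: 0, retryAfterMs: win.resetAt - t };
    }
    win.count += 1;
    return { allowed: true, remaining: requests - win.count, retryAfterMs: 0 };
  }
}
```

The `retryAfterMs` value is what a handler would surface in a `Retry-After` header on a 429 response; keeping lenders on separate keys means one tenant exhausting its budget cannot starve another, which is the property that blunts scraping and credential stuffing from a single key.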
Audit Logging
- All API requests to sensitive endpoints are logged to an immutable `audit_logs` table in PostgreSQL
- Each log entry captures: `user_id`, `action`, `ip_address`, `user_agent`, `request_id`, `response_status_code`, `data_classification`, `duration_ms`, `created_at`
- Audit logs are retained for 7 years per the Data Retention Policy
- Indexes on `timestamp`, `user_id`, `action`, and `data_classification` enable efficient evidence queries
Vulnerability Management
- Semgrep SAST on every pull request
- `npm audit` in CI pipeline
- Critical CVEs remediated within 7 days; high CVEs within 30 days
- Dependencies reviewed quarterly
Data Classification
Creatorlayer classifies data into four tiers:
| Tier | Label | Examples |
|---|---|---|
| 1 | Public | Documentation, marketing |
| 2 | Internal | Source code, architecture |
| 3 | Confidential | API keys, OAuth tokens, lender data |
| 4 | Restricted | Risk Tape JSONB, scoring algorithms, GDPR-subject data |
All Restricted data accesses are logged with `data_classification = 'Restricted'` and subject to additional controls.
Sub-processors
The following third-party sub-processors handle Creatorlayer data. Each is subject to its provider's standard terms:
| Sub-processor | Role | Data Location |
|---|---|---|
| Scalingo SAS | Cloud hosting, PostgreSQL, Redis | France (EU) |
| Resend | Transactional email | USA (SCCs) |
| GitHub (Microsoft) | Source control, CI/CD | USA (SCCs) |
| YouTube | OAuth | USA (SCCs) |
| Stripe | Payment OAuth | USA (SCCs) |
Sub-processor changes are announced with 30 days' notice per the DPA terms.
Compliance Roadmap
| Milestone | Target |
|---|---|
| Security policy documentation complete | Q2 2025 |
| SOC 2 Type I audit engagement | Q3 2025 |
| SOC 2 Type I report issued | Q1 2026 |
| SOC 2 Type II observation period begins | Q1 2026 |
| SOC 2 Type II report issued | Q1 2027 |
| ISO 27001 certification | Q2 2026 (see ISO 27001 Alignment) |
Regulatory Compliance
The following regulations may be applicable. Formal assessment is planned with legal counsel.
| Regulation | Applicability |
|---|---|
| GDPR (EU 2016/679) | All creator personal data; CNIL supervisory authority |
| EU AI Act (Regulation 2024/1689) | Risk Tape credit scoring — may be high-risk AI under Article 6 + Annex III |
| FiDA (Financial Data Access) | Creator financial data access flows |
| ESMA Securitization Rules | 5-year minimum retention on Risk Tape data |
| EU Trade Secrets Directive (2016/943) | Scoring algorithm source code and methodology |
Request the SOC 2 Report
Once the SOC 2 Type I report is issued, it will be available to prospective and current lender customers under NDA.
To request the report or ask questions about security controls:
Email: hello@satoshiframework.com
Subject: SOC 2 Report Request — [Your Company Name]
Security inquiries are answered within 2 business days.