Security at POC.ai

All data is encrypted both in transit and at rest. We use TLS 1.2+ for all network communication and AES-256 encryption for stored data, including deployment artifacts, environment variables, and database backups.

• TLS 1.2+ enforced on all endpoints, including API, CLI, and dashboard
• AES-256 encryption at rest for all stored data
• Environment variables encrypted with per-project keys
• Automatic certificate management and rotation

Granular role-based access control (RBAC) ensures the right people have the right level of access. Combined with multi-factor authentication, your account and deployments stay protected.

• Role-based access control with Owner, Admin, Developer, and Viewer roles
• Multi-factor authentication (MFA) with TOTP and WebAuthn support
• Scoped API keys with configurable permissions and expiration
• SSO integration available on Team and Enterprise plans

Every deployment action, configuration change, and access event is logged with an immutable, tamper-proof audit trail. Logs are retained for your configured retention period and can be exported for compliance.

• Immutable logs for every deployment, rollback, and promotion
• User-level tracking for all configuration and access changes
• Export to CSV, JSON, or stream to your SIEM via webhook
• Configurable retention periods (default: 90 days)

Every deployment runs in an isolated environment with no shared tenancy. Environments are provisioned on-demand and torn down after use, minimizing attack surface and preventing cross-tenant access.

• Fully isolated compute environments per deployment
• No shared tenancy — your workloads never co-locate with other customers
• Network-level isolation with strict ingress/egress policies
• Ephemeral build environments destroyed after each build

We are actively working toward SOC 2 Type II certification. Our security program is built on the principles of the Trust Services Criteria, covering security, availability, processing integrity, confidentiality, and privacy.

• SOC 2 Type II audit currently in progress
• Security controls aligned with Trust Services Criteria
• Annual penetration testing by independent third parties
• Formal incident response plan and regular tabletop exercises

We welcome reports from security researchers. If you discover a vulnerability in our platform, please disclose it responsibly so we can address it promptly.

Report security issues to security@poc.ai. We will acknowledge your report within 24 hours and aim to provide an initial assessment within 72 hours. We do not pursue legal action against researchers acting in good faith.

By default, all data is stored and processed in the United States. For organizations with data sovereignty requirements, EU data residency is available on Enterprise plans.

• US data residency by default (US-East and US-West regions)
• EU data residency available on Enterprise plans (EU-West region)
• Data processing agreements (DPAs) available upon request
• GDPR-compliant data handling and processing