Our security commitments
We treat the data you trust us with as if it were our own. Every control on this page exists to protect that trust.
SOC 2 readiness: we map our controls to the AICPA Trust Services Criteria across all five categories (security, availability, processing integrity, confidentiality, privacy). The internal control matrix and policies are audit-ready and reviewed annually.
Active controls
| Criterion | Control | Detail |
|---|---|---|
| CC6 · Access | MFA on every admin path | TOTP-based multi-factor on every operator account; SMS-only is not accepted. |
| CC6 · Access | Least-privilege roles | Role-based access · quarterly access reviews · 24-hour deprovisioning SLA. |
| CC8 · Change | PR-gated production changes | Branch protection · CODEOWNERS-required review · CI gates · git-signed history. |
| A1 · Availability | Daily backups · quarterly restore drill | Hourly snapshots + daily fulls · 30-day hot retention · tested restores quarterly. |
| C1 · Confidentiality | TLS in transit · encrypted at rest | TLS 1.2+ enforced · AES-256 column-level encryption for sensitive data classes. |
| CC7 · Monitoring | Append-only audit log | Every authentication event, admin action, sensitive read, and webhook is logged. |
| CC9 · Vendors | DPAs with every subprocessor | Every vendor handling confidential data has a DPA in place. |
| CC7 · Incident | 72-hour breach notification | Documented IR plan · severity matrix · 72h notification SLA. |
| P1 · Privacy | DSAR portal | Access · export · correct · delete your data via the account portal · 30-day SLA. |
Responsible disclosure
If you believe you've found a vulnerability, email security@valuetovictory.com.
- 72-hour acknowledgment SLA
- Don't publicly disclose before we've had a reasonable chance to investigate (typically 90 days)
- Don't pivot or exfiltrate beyond demonstrating the issue
Audit & compliance posture
| Framework | Status | Last review |
|---|---|---|
| SOC 2 Type II readiness | Documented controls · audit prep ongoing | 2026-04-29 |
| GDPR | DSAR · DPA template · subprocessor list live | 2026-04-29 |
| CCPA / CPRA | Privacy notice · opt-out paths | 2026-04-29 |
| US state breach laws (all 50 states) | Notification matrix · 72h SLA | 2026-04-29 |