Security & privacy
Provenance is a system. Every action attributed. Every payout receipted. Members hold their own data.
SOC 2 and ISO/IEC 27001:2022. Type I lands three months after production launch. Type II at twelve.
Send us your VSA, CAIQ, or SIG Lite. We'll fill it.
What the platform does
Every change, on the record
SOC 2 CC7.2 · ISO 27001 A.12.4Sign-ins, permission changes, compensation decisions, recognitions, canonizations. Append-only trail: actor, action, before/after state. Production revokes UPDATE and DELETE on the app database role; replica shipped to WORM within one business day. Twelve months hot. Seven years cold on financial records.
Authority follows the work
SOC 2 CC5.2 + CC5.3 · ISO 27001 A.9.2Every admin action, server-checked. Discovery gated separately from tier. Production splits admin into finance, membership, moderation. Quarterly review.
First names, in public
SOC 2 C1.1Full names, emails, legal identity: admin only. Public routes: first name. Members control their discoverability. DMs stay cooperative-internal. External clients never see talent contact details.
Compensation with receipts
SOC 2 CC7.2 · Processing IntegrityEvery base release, bonus decision, revenue split — a distinct audit entry with the gate rationale. Client rating, PM rating, peer composite, whichever applied. Talent sees the full record on wallet.
Your data, your terms
SOC 2 P5.1 · GDPR Art. 15 + 17 · CCPA §1798.100 + 105Export the JSON. Erase the account. Erasure runs a 30-day soft-delete then hard-delete; financial records retained per business-records law. Both requests audit-logged.
Self-service (Members) →Subprocessors, named
ISO 27001 A.15.1 · GDPR Art. 28Every third party we share data with is on the registry. New ones get 30 days advance notice to Members. Every production subprocessor carries a signed DPA.
Subprocessor Registry →Landing at production
Infrastructure hardening ships with the deploy:
Encryption
TLS 1.3 at the edge. HSTS with preload. Managed Postgres encrypted at rest. S3 SSE. KMS keys, annual rotation.
Backup + DR
PITR ≥ 14 days. Daily off-region snapshot, 90-day retention. Restore drills quarterly.
Vulnerability management
Dependabot. Weekly npm audit in CI. SCA on main. Critical CVEs patched within 7 days.
Incident response
Severity ladder + communication tree. Public status page for SEV1/SEV2. Post-incident retros filed publicly, with redactions.
Change management
Branch protection on main. Review required from a non-author on any audit-log-writing path. CI: typecheck, test, lint.
Anomaly detection
Alerts on failed-sign-in bursts, unusual admin action rates, any hard-delete verb. Reviewed weekly.
Policies
The words we bind ourselves to:
- Privacy Policy → — what we collect, why, and your rights.
- Cooperative Covenant → — the behavior expected of every Member and Partner.
- Subprocessor Registry → — third parties we share data with.
- All policies →
Questions
Engagement questions: your account admin. Policy questions: security@buildstore in production, /contact in sandbox.
Auditors: the control-by-control mapping is at /admin/compliance (auth required); the long-form audit is at deliverables/compliance/soc2-iso27001-readiness.md.
