$BUILD.Store
Trust

Security & privacy

Provenance is a system. Every action attributed. Every payout receipted. Members hold their own data.

Attestation

SOC 2 and ISO/IEC 27001:2022. Type I lands three months after production launch. Type II at twelve.

Send us your VSA, CAIQ, or SIG Lite. We'll fill it.

What the platform does

Every change, on the record

SOC 2 CC7.2 · ISO 27001 A.12.4

Sign-ins, permission changes, compensation decisions, recognitions, canonizations. Append-only trail: actor, action, before/after state. Production revokes UPDATE and DELETE on the app database role; replica shipped to WORM within one business day. Twelve months hot. Seven years cold on financial records.

Authority follows the work

SOC 2 CC5.2 + CC5.3 · ISO 27001 A.9.2

Every admin action, server-checked. Discovery gated separately from tier. Production splits admin into finance, membership, moderation. Quarterly review.

First names, in public

SOC 2 C1.1

Full names, emails, legal identity: admin only. Public routes: first name. Members control their discoverability. DMs stay cooperative-internal. External clients never see talent contact details.

Compensation with receipts

SOC 2 CC7.2 · Processing Integrity

Every base release, bonus decision, revenue split — a distinct audit entry with the gate rationale. Client rating, PM rating, peer composite, whichever applied. Talent sees the full record on wallet.

Your data, your terms

SOC 2 P5.1 · GDPR Art. 15 + 17 · CCPA §1798.100 + 105

Export the JSON. Erase the account. Erasure runs a 30-day soft-delete then hard-delete; financial records retained per business-records law. Both requests audit-logged.

Self-service (Members) →

Subprocessors, named

ISO 27001 A.15.1 · GDPR Art. 28

Every third party we share data with is on the registry. New ones get 30 days advance notice to Members. Every production subprocessor carries a signed DPA.

Subprocessor Registry →

Landing at production

Infrastructure hardening ships with the deploy:

Encryption

TLS 1.3 at the edge. HSTS with preload. Managed Postgres encrypted at rest. S3 SSE. KMS keys, annual rotation.

Backup + DR

PITR ≥ 14 days. Daily off-region snapshot, 90-day retention. Restore drills quarterly.

Vulnerability management

Dependabot. Weekly npm audit in CI. SCA on main. Critical CVEs patched within 7 days.

Incident response

Severity ladder + communication tree. Public status page for SEV1/SEV2. Post-incident retros filed publicly, with redactions.

Change management

Branch protection on main. Review required from a non-author on any audit-log-writing path. CI: typecheck, test, lint.

Anomaly detection

Alerts on failed-sign-in bursts, unusual admin action rates, any hard-delete verb. Reviewed weekly.

Policies

The words we bind ourselves to:

Questions

Engagement questions: your account admin. Policy questions: security@buildstore in production, /contact in sandbox.

Auditors: the control-by-control mapping is at /admin/compliance (auth required); the long-form audit is at deliverables/compliance/soc2-iso27001-readiness.md.