How SimplyScan Protects Your Data: SOC 2 Compliant Processes
SimplyScan is built on SOC 2 Type 2, ISO 27001, and GDPR certified infrastructure. Learn how we protect your scan data with AES-256 encryption, TLS 1.3, and zero-trust security practices.
By Gabriel CA · Kraftwire Software · 6 min read
Your Security Scanner Should Be Secure Too
When you trust a tool to scan your application for vulnerabilities, you're trusting it with sensitive information - your deployment URLs, your codebase structure, and in the case of Pro scans, your source code. That tool should meet the same security standards it's checking for.
SimplyScan is built by Kraftwire Software, and every piece of our infrastructure runs exclusively on **SOC 2 Type 2, ISO 27001:2022 & GDPR certified infrastructure**. These certifications are held by our infrastructure providers - not by Kraftwire Software directly. This isn't a marketing checkbox - it's a deliberate choice to build on the strongest foundations available.
What These Certifications Mean
SOC 2 Type 2
SOC 2 (Service Organization Control 2) Type 2 is an auditing standard developed by the American Institute of CPAs. Unlike Type 1, which evaluates controls at a single point in time, **Type 2 audits evaluate controls over an extended period** - typically 6 to 12 months. This means the infrastructure we build on has been independently verified to maintain consistent security practices over time.
SOC 2 covers five trust service criteria:
**Security** - Protection against unauthorized access
**Availability** - Systems are operational and usable as committed
**Processing integrity** - System processing is complete, valid, and authorized
**Confidentiality** - Information designated as confidential is protected
**Privacy** - Personal information is collected, used, and retained properly
ISO 27001:2022
ISO 27001 is the international standard for information security management systems (ISMS). The 2022 revision is the most current version, covering 93 security controls across four themes: organizational, people, physical, and technological. Our infrastructure provider maintains this certification through annual surveillance audits and a full recertification every three years.
GDPR Compliance
The General Data Protection Regulation governs how personal data of EU residents is collected, processed, and stored. Our infrastructure is GDPR-compliant by design, with data processing agreements, appropriate technical measures, and documented data handling procedures in place.
How We Protect Your Data
Encryption at Rest: AES-256
All stored data - scan results, account information, and metadata - is encrypted using AES-256 (Advanced Encryption Standard with 256-bit keys). AES-256 is the same encryption standard used by governments and military organizations worldwide. Even if someone gained physical access to our storage, the data would be unreadable without the encryption keys.
Encryption in Transit: TLS 1.3
Every data transmission between your browser and our servers uses TLS 1.3 - the latest version of the Transport Layer Security protocol. TLS 1.3 eliminates outdated cipher suites, reduces handshake latency, and provides forward secrecy by default. Your scan data never travels unencrypted.
Row-Level Security (RLS)
Our database implements fine-grained row-level security policies. This means access controls are enforced by the database at the row level - users can only read their own scan results, not anyone else's. Even if the application code had a bug, the database layer itself prevents cross-user data access.
Access Controls
We follow the principle of least privilege across our entire stack. Role-based access controls ensure that systems and team members only have access to what they need. No single individual has unrestricted access to production data.
Continuous Infrastructure Auditing
Our infrastructure providers undergo ongoing independent security audits to maintain their certification compliance. This includes regular penetration testing, vulnerability scanning, and automated security assessments conducted by the providers. On our end, we implement security monitoring and alerting 24/7.
Incident Response
We maintain documented incident response procedures for security events. This includes detection, escalation, containment, investigation, and communication protocols. In the event of a security incident, we follow established procedures to minimize impact and notify affected users as required by applicable regulations.
SOC 2 Standards: Infrastructure vs. Application
**Important distinction:** SimplyScan is built *on* SOC 2 Type 2 certified infrastructure, but Kraftwire Software does not independently hold SOC 2 certification. The certifications belong to our infrastructure providers. However, we follow SOC 2 principles as best practices in our own operations. Here's how we apply these principles - and what they mean for your app too:
Access Control
**Who has admin access to your app? Is Multi-Factor Authentication (MFA) enabled for your team?**
SOC 2 auditors examine who can access production systems, how that access is granted, and whether it's reviewed regularly. At SimplyScan, we follow these principles:
**Role-based access control (RBAC)** is enforced across our entire stack - team members only have access to the systems and data their role requires.
**Multi-Factor Authentication (MFA)** is mandatory for all team accounts with access to production infrastructure, code repositories, and customer data.
**Access reviews** are conducted regularly to ensure former team members and unused accounts are promptly revoked.
**No single individual** has unrestricted access to all production systems - critical actions require approval from multiple parties.
This is something you should audit in your own app too. SimplyScan's Pro scan checks for exposed admin endpoints and misconfigured access controls.
Data Handling
**How is your application storing user data? Are your Row Level Security (RLS) policies correctly configured to stop User A seeing User B's data?**
Data handling is at the core of SOC 2's confidentiality and privacy criteria. For SimplyScan:
**Row Level Security (RLS)** policies are enforced at the database level - not just in application code. Every table containing user data has policies that restrict access to the authenticated user's own records.
**Data classification** is applied to all stored information. Scan results, user credentials, and payment data are treated with different levels of sensitivity and protection.
**Data retention policies** are documented and enforced. Scan data is retained only as long as needed, and users can request deletion at any time.
**Encryption** is applied both at rest (AES-256) and in transit (TLS 1.3), ensuring data is protected throughout its lifecycle.
This is one of the most common failures we find when scanning apps - RLS policies that are either missing entirely or misconfigured to allow cross-user data access. [Run a scan](/) to check yours.
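As an added illustration of the RLS failure described above and in the "Row-Level Security" section (this is example code, not SimplyScan's own schema or policies), here is a PostgreSQL table with the misconfigured policy beside the corrected one. The `scan_results` table and the `app.user_id` session setting that the application binds per request are assumptions made for the example.

```sql
-- Example schema (constructed for this illustration, not SimplyScan's).
CREATE TABLE scan_results (
    id          bigserial PRIMARY KEY,
    owner_id    uuid NOT NULL,
    target_url  text NOT NULL,
    findings    jsonb NOT NULL DEFAULT '[]'::jsonb,
    created_at  timestamptz NOT NULL DEFAULT now()
);

-- Failure 1, "missing entirely": until RLS is enabled, policies are never
-- consulted and any role with SELECT privilege sees every row.
ALTER TABLE scan_results ENABLE ROW LEVEL SECURITY;
-- Also apply RLS to the table owner, so a query that accidentally runs as
-- the owning role cannot bypass it (superusers and BYPASSRLS roles still can).
ALTER TABLE scan_results FORCE ROW LEVEL SECURITY;

-- Failure 2, "misconfigured": USING (true) makes every row visible to every
-- user, so User A can read User B's scan results. Shown, then dropped.
CREATE POLICY scan_results_any_user ON scan_results
    FOR SELECT USING (true);
DROP POLICY scan_results_any_user ON scan_results;

-- Corrected policy: a row is visible, and may be written, only when its
-- owner_id matches the user id the application bound to the session.
-- current_setting(..., true) returns NULL if the setting is absent; the
-- comparison is then NULL (not true), so an unbound session sees no rows
-- rather than all rows. WITH CHECK stops rows being inserted or updated
-- with someone else's owner_id.
CREATE POLICY scan_results_owner_only ON scan_results
    FOR ALL
    USING      (owner_id = current_setting('app.user_id', true)::uuid)
    WITH CHECK (owner_id = current_setting('app.user_id', true)::uuid);

-- Check, run as the application's non-superuser role: bind a constructed
-- user id and confirm that no row belonging to another owner is returned.
BEGIN;
SET LOCAL app.user_id = '11111111-1111-1111-1111-111111111111';
SELECT count(*) AS leaked_rows
  FROM scan_results
 WHERE owner_id <> current_setting('app.user_id', true)::uuid;  -- must be 0
COMMIT;
```

The final query is the check to keep in an integration test: if `leaked_rows` is ever non-zero, either RLS is not enforced for the role running the query or a policy has been widened.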
Third-Party Integrations
**Are your connections to authentication providers, payment processors, and external APIs secure?**
SOC 2 requires that third-party integrations meet appropriate security standards. At SimplyScan:
**Stripe** handles all payment processing - we never store, process, or have access to raw card numbers. Webhook signatures are verified on every event to prevent spoofing.
**Authentication providers** (Google and Apple Sign-In) are integrated using industry-standard OAuth 2.0 flows. Tokens are validated server-side, and session management follows security best practices.
**API keys and secrets** for all third-party services are stored encrypted and are never exposed in client-side code or version control.
**Vendor security reviews** are part of our process - we evaluate the security posture of every third-party service before integration.
SimplyScan's Pro scan specifically checks for exposed API keys, leaked secrets in client bundles, and insecure third-party configurations in your app.
Operational Security
**This is the big one. SOC 2 looks at your entire company, not just your code.**
Operational security is where most startups and indie developers fall short. While we do not hold SOC 2 certification ourselves, we adopt SOC 2 operational principles as best practices:
**Background checks** on all team members with access to production systems and customer data.
**Device security** - company devices use full-disk encryption, automatic screen locks, and remote wipe capabilities.
**Security awareness training** for all team members, covering phishing, social engineering, and secure development practices.
**Incident response plan** - a documented, tested procedure for detecting, responding to, and recovering from security incidents. This includes notification procedures for affected users and regulatory bodies.
**Business continuity** - documented disaster recovery procedures with regular testing to ensure service availability.
**Change management** - all production changes go through code review, testing, and staged deployment processes.
This is the area most AI-built apps overlook entirely. Your code might be secure, but if your laptop isn't encrypted or your team shares admin passwords in Slack, SOC 2 compliance is out of reach. SimplyScan can't audit your operational security (no scanner can), but we can ensure the **technical controls** in your application are solid.
What Happens to Your Code During a Scan
Free Scans (URL-based)
Free scans analyze the **publicly served output** of your application - HTML, JavaScript, HTTP headers, and configuration files. This is the same content any visitor to your URL can already see. We don't access anything private. Scan results (findings, score, summary) are stored and associated with the scan ID.
Pro Scans (GitHub Repository)
Pro scans can optionally analyze your public GitHub repository for backend vulnerabilities. When you provide a repo URL:
We fetch your source files during the scan
Files are processed **in memory** during analysis
Source code is **not stored permanently** - it's discarded after the scan completes
Only the scan findings and metadata are retained
Your source code never touches persistent storage. It exists in our system only for the duration of the analysis.
Zero Data Breaches
Since our founding, we have maintained a **zero data breach record**. This is a direct result of our security-first approach - building on certified infrastructure from day one and adopting strong security practices across our operations.
The Bottom Line
We built SimplyScan to find security gaps in your applications. It would be hypocritical to have gaps in our own infrastructure. Every component of our stack - from the database to the edge functions to the file storage - runs on SOC 2 Type 2, ISO 27001:2022 & GDPR certified infrastructure (certifications held by our infrastructure providers) with AES-256 encryption at rest and TLS 1.3 in transit.
Beyond our certified infrastructure, we adopt SOC 2 principles as best practices in our own access controls, data handling, third-party integrations, and operational security - even though we do not independently hold SOC 2 certification. We believe transparency about this distinction is important.
When you scan your app with SimplyScan, your data is protected by enterprise-grade infrastructure and a team committed to security best practices.
Verify Our Claims
Don't take our word for it - scan SimplyScan itself. Run a [free scan](/) on our own deployed application. We practice what we preach.
Related Reading
[How to Secure a SaaS App](/blog/saas-security-guide) - complete security guide for SaaS applications
[Row Level Security (RLS) Policies Explained](/blog/rls-policies-explained) - the database access control that protects user data
[Web App Security Audit Checklist](/blog/security-audit-checklist) - 25 checks before launch