Privacy Policy
Last updated: June 2026
1. Who we are
soc2.sh is operated by Yaw Labs, Inc. ("we", "us", "our"). This policy describes how we collect, use, and protect information when you use the soc2.sh website and platform.
2. Data we collect
[LEGAL REVIEW NEEDED] -- confirm exhaustive data categories with counsel
- Account information: email address, name, and company name provided during registration or waitlist signup.
- Integration data: metadata from connected services (AWS, GitHub, Google Workspace) used to generate SOC 2 evidence. We access only what is necessary for compliance evidence collection.
- Usage data: pages visited, actions taken within the platform, browser type, IP address, timestamps.
- Support communications: emails, messages, and any attachments you send us.
3. How we use your data
[LEGAL REVIEW NEEDED] -- confirm legal bases (contract, legitimate interest, consent)
- To provide and operate the soc2.sh compliance platform.
- To collect and present SOC 2 evidence from your connected integrations.
- To communicate with you about your account, the waitlist, and product updates.
- To improve the platform and develop new features.
- To detect and prevent fraud, abuse, and security incidents.
4. Data retention
[LEGAL REVIEW NEEDED] -- define specific retention periods per data category
We retain your data for as long as your account is active or as needed to provide the service. SOC 2 evidence data is retained for the duration required by your audit cycle plus a reasonable buffer period. When you close your account, we delete your data within 90 days, except where retention is required by law or for legitimate business purposes (e.g., billing records).
5. Third-party processors
[LEGAL REVIEW NEEDED] -- finalize processor list and verify DPAs are in place
We use the following categories of third-party service providers to operate the platform:
- Cloud infrastructure: Amazon Web Services (AWS) for hosting and data storage.
- Email delivery: transactional email provider for account and waitlist communications.
- Analytics: privacy-respecting analytics to understand usage patterns.
- Payment processing: for subscription billing (no card numbers are stored on our servers).
All processors are bound by data processing agreements (DPAs) and are selected for their security posture. We do not sell your data to third parties.
6. Data security
We implement technical and organizational measures to protect your data, including encryption at rest and in transit, role-based access controls, audit logging, and regular security reviews. As a SOC 2 compliance platform, we hold ourselves to the same standards we help you meet.
7. Your rights
[LEGAL REVIEW NEEDED] -- confirm applicable jurisdictions (GDPR, CCPA, etc.)
Depending on your jurisdiction, you may have the right to:
- Access and receive a copy of your personal data.
- Correct inaccurate personal data.
- Request deletion of your personal data.
- Object to or restrict processing of your data.
- Request portability of your personal data.
To exercise these rights, contact us at privacy@soc2.sh.
8. Cookies
The marketing site uses no tracking cookies. The platform application uses strictly necessary session cookies for authentication. We do not use third-party advertising or tracking cookies.
9. Changes to this policy
We may update this policy from time to time. We will notify you of material changes by email or by posting a notice on the platform. Continued use after changes constitutes acceptance.
10. Contact
[LEGAL REVIEW NEEDED] -- confirm legal entity name and registered address
For privacy questions or data requests, contact us at privacy@soc2.sh.
Yaw Labs, Inc.
[LEGAL REVIEW NEEDED] -- add registered business address