SYSTEMS NOMINAL · all platforms operational · SOC 2 Type II · ISO 27001 in progress

Trust center.

The documents, controls, and contacts enterprise procurement and security teams need from a vendor. Built so an RFP or vendor questionnaire can reference one URL.

— Compliance posture

What we map controls to

We design every engagement so the platform is audit-ready when our client needs it. Specific evidence, controls matrices, and SOC 2 / HIPAA documentation are available under NDA.

SOC 2 Type 2
Aligned · client-led audits supported

Our internal program tracks the AICPA Trust Services Criteria. We have led multiple client engagements to Type 2 attestation under Drata, Vanta, and Thoropass.

HIPAA
BAA available · production experience

We have built and operated platforms handling PHI under Business Associate Agreements, with PHI scoped to dedicated environments and audited access.

GDPR / UK GDPR / CCPA
DPA available · processor role

We operate as a processor under your direction. Standard Contractual Clauses are in place with all sub-processors handling EEA / UK data.

PCI DSS
Scope-minimized · tokenization first

For engagements touching cardholder data we keep PAN out of our systems entirely, deferring to the payment provider for storage and PCI scope.

— Security highlights

The defaults, codified

Full program → /security
TLS 1.3: In transit, all public endpoints · HSTS preloaded
AES-256: At rest, personal data · managed-key rotation
Hardware MFA: Phishing-resistant authenticators on all critical systems
72-hour: Breach-notification window under GDPR where applicable
<1 day: Acknowledgement target for security@802.software
Annual: Restore exercises for client-platform backups
— Sub-processors

Who we share data with, and why

Vendors who help us run the studio, listed with their role and primary processing region. Engagement-specific sub-processors (e.g. a client’s own AWS account) are documented in your DPA, not here.

| Vendor | Role | Region |
|---|---|---|
| Vercel | Hosting, edge CDN | US |
| Cloudflare | DNS, network protection | Global |
| AWS | Client-platform infrastructure (per engagement) | US / EU |
| Google Cloud | Client-platform infrastructure (per engagement) | US / EU |
| Google Workspace | Internal collaboration, document storage | US |
| GitHub | Source-code hosting, CI | US |
| Email provider | Transactional + opt-in newsletter delivery | US |
| Stripe | Invoicing (where used) | US |

When we add or change a sub-processor that handles personal data on a client’s behalf, we notify the client per their DPA. The canonical list lives here and in our Privacy Policy.

— Responsible disclosure

Found something? Tell us.

We acknowledge security mail within one business day and operate a documented safe harbor for good-faith research. Full scope, SLAs, and what counts as out-of-scope live on the Security page.

— Direct channels
General & legal
hello@802.software
Privacy requests
hello@802.software · subject: “Privacy request”
Security & disclosure
security@802.software
Postal
802 Software, LLC
180 Market Street
South Burlington, VT 05403
US
— Vendor questionnaire

Running a vendor review?

Send us your SIG-Lite, CAIQ, or homegrown RFP — we’ll return it within five business days. The mail link below opens a draft with the fields we need to start.
