> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bota.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# SOC 2 Compliance

> Bota's SOC 2 Type II certification and security controls

Bota maintains SOC 2 Type II certification, demonstrating our commitment to security, availability, and confidentiality. This page describes our SOC 2 program and how it protects your data.

***

## What is SOC 2?

SOC 2 (System and Organization Controls 2) is a security framework developed by the American Institute of CPAs (AICPA). It defines criteria for managing customer data based on five Trust Service Criteria:

| Criteria                 | Description                                                                      |
| ------------------------ | -------------------------------------------------------------------------------- |
| **Security**             | Protection against unauthorized access                                           |
| **Availability**         | System accessible as agreed                                                      |
| **Processing Integrity** | System processing is complete, accurate, timely                                  |
| **Confidentiality**      | Information designated as confidential is protected                              |
| **Privacy**              | Personal information is collected, used, retained, and disposed of appropriately |

***

## Bota's SOC 2 Certification

### Type II Certification

Bota has achieved **SOC 2 Type II** certification, which means:

* An independent auditor has examined our controls over an extended period (typically 6-12 months)
* Our controls are not just designed appropriately, but operate effectively over time
* We undergo annual re-certification audits

<Card title="Request SOC 2 Report" icon="file-shield" href="mailto:security@bota.dev?subject=SOC%202%20Report%20Request">
  Contact [security@bota.dev](mailto:security@bota.dev) to request our SOC 2 Type II report under NDA
</Card>

### Trust Service Criteria Covered

Our SOC 2 report covers:

| Criteria        | Status  |
| --------------- | ------- |
| Security        | Covered |
| Availability    | Covered |
| Confidentiality | Covered |

***

## Security Controls

### Access Management

| Control                 | Implementation                              |
| ----------------------- | ------------------------------------------- |
| **Identity Management** | SSO with MFA required for all employees     |
| **Least Privilege**     | Role-based access, quarterly access reviews |
| **Privileged Access**   | Just-in-time access for production systems  |
| **Offboarding**         | Automated deprovisioning within 24 hours    |

### Infrastructure Security

| Control                      | Implementation                             |
| ---------------------------- | ------------------------------------------ |
| **Cloud Provider**           | AWS with SOC 2, ISO 27001 certifications   |
| **Network Security**         | VPC isolation, security groups, WAF        |
| **Vulnerability Management** | Automated scanning, 30-day remediation SLA |
| **Penetration Testing**      | Annual third-party pen tests               |

### Data Protection

| Control                   | Implementation                       |
| ------------------------- | ------------------------------------ |
| **Encryption in Transit** | TLS 1.2+ for all connections         |
| **Encryption at Rest**    | AES-256 for all stored data          |
| **Key Management**        | AWS KMS with automatic rotation      |
| **Backup Encryption**     | Encrypted backups with separate keys |

### Monitoring and Logging

| Control           | Implementation                     |
| ----------------- | ---------------------------------- |
| **Audit Logging** | All system and user actions logged |
| **Log Retention** | Minimum 1 year retention           |
| **SIEM**          | Centralized security monitoring    |
| **Alerting**      | 24/7 security event monitoring     |

### Incident Response

| Control           | Implementation                            |
| ----------------- | ----------------------------------------- |
| **Incident Plan** | Documented incident response procedures   |
| **Response Team** | Dedicated security incident response team |
| **Communication** | Customer notification within 24 hours     |
| **Post-Incident** | Root cause analysis and remediation       |

***

## Availability Controls

### Infrastructure Reliability

| Control                 | Implementation                                       |
| ----------------------- | ---------------------------------------------------- |
| **Multi-AZ Deployment** | Services deployed across multiple availability zones |
| **Auto-Scaling**        | Automatic capacity scaling based on demand           |
| **Load Balancing**      | Distributed traffic across healthy instances         |
| **Database Redundancy** | Multi-AZ database with automatic failover            |

### Disaster Recovery

| Control              | Implementation                            |
| -------------------- | ----------------------------------------- |
| **Backup Frequency** | Daily backups with point-in-time recovery |
| **Backup Testing**   | Quarterly restoration testing             |
| **RTO**              | 4-hour recovery time objective            |
| **RPO**              | 1-hour recovery point objective           |

### Uptime

We target 99.9% uptime for the Bota API. Current status is available at [api.bota.dev/health](https://api.bota.dev/health).

***

## Confidentiality Controls

### Data Classification

| Classification   | Description                                | Examples                              |
| ---------------- | ------------------------------------------ | ------------------------------------- |
| **Confidential** | Customer data requiring highest protection | Audio recordings, transcriptions, PHI |
| **Internal**     | Bota operational data                      | System logs, metrics                  |
| **Public**       | Publicly available information             | Documentation, marketing              |

### Data Handling

| Control               | Implementation                                 |
| --------------------- | ---------------------------------------------- |
| **Access Logging**    | All access to confidential data logged         |
| **Data Minimization** | Only collect data necessary for service        |
| **Retention Limits**  | Configurable retention with automatic deletion |
| **Secure Disposal**   | Cryptographic erasure for deleted data         |

### Third-Party Management

| Control                  | Implementation                            |
| ------------------------ | ----------------------------------------- |
| **Vendor Assessment**    | Security review before onboarding vendors |
| **Contractual Controls** | Data protection requirements in contracts |
| **Annual Reviews**       | Ongoing vendor security assessments       |

***

## Compliance Program

### Governance

* **Security Team:** Dedicated security and compliance team
* **Security Officer:** Designated CISO responsible for security program
* **Board Oversight:** Regular security updates to leadership

### Policies

We maintain comprehensive security policies covering:

* Information Security
* Access Control
* Data Classification
* Incident Response
* Business Continuity
* Acceptable Use
* Vendor Management

### Employee Security

| Control                   | Implementation                             |
| ------------------------- | ------------------------------------------ |
| **Background Checks**     | Pre-employment screening for all employees |
| **Security Training**     | Annual security awareness training         |
| **Secure Development**    | OWASP training for engineering team        |
| **Policy Acknowledgment** | Annual policy review and sign-off          |

***

## Requesting Our SOC 2 Report

Our SOC 2 Type II report is available to customers and prospects under NDA.

<Steps>
  <Step title="Submit Request">
    Email [security@bota.dev](mailto:security@bota.dev) with your company name and use case
  </Step>

  <Step title="Sign NDA">
    We'll send a mutual NDA for signature
  </Step>

  <Step title="Receive Report">
    Once the NDA is executed, we'll share the full SOC 2 report
  </Step>
</Steps>

The report includes:

* Independent auditor's opinion
* Description of Bota's systems
* Trust Service Criteria tested
* Control activities and test results
* Management's assertion

***

## Other Certifications

| Certification     | Status    | Details                                    |
| ----------------- | --------- | ------------------------------------------ |
| **SOC 2 Type II** | Certified | Annual audit                               |
| **HIPAA**         | Compliant | BAA available ([Learn more](/legal/hipaa)) |
| **GDPR**          | Compliant | EU data protection                         |

***

## Frequently Asked Questions

<AccordionGroup>
  <Accordion title="What's the difference between SOC 2 Type I and Type II?">
    Type I examines controls at a point in time. Type II examines controls over a period (typically 6-12 months), providing assurance that controls operate effectively. Bota has Type II certification.
  </Accordion>

  <Accordion title="How often is Bota audited?">
    We undergo annual SOC 2 Type II audits. Our audit period typically runs from January to December, with reports issued in Q1 of the following year.
  </Accordion>

  <Accordion title="Can I share the SOC 2 report with my auditors?">
    Yes, you may share our SOC 2 report with your external auditors under the terms of the NDA. Please do not share it publicly.
  </Accordion>

  <Accordion title="Do you have a SOC 2 bridge letter?">
    If our current report doesn't cover your audit period, we can provide a bridge letter confirming no material changes since the last audit. Contact [security@bota.dev](mailto:security@bota.dev).
  </Accordion>

  <Accordion title="What about SOC 1?">
    SOC 1 focuses on financial reporting controls. As Bota does not process financial transactions, SOC 2 is the appropriate standard for our services.
  </Accordion>
</AccordionGroup>

***

## Contact

For SOC 2 and security questions:

**Email:** [security@bota.dev](mailto:security@bota.dev)
**Subject:** SOC 2 Inquiry

***

*Last updated: January 15, 2025*
