
Compliance posture & disclosure

Where we are today, where we're going, and how to engage the platform if you've found a vulnerability or need pen-test evidence for a security review.

Certifications & attestations

We list certifications that are either in place or actively in progress. We don't list certifications we have no plans to pursue — silence on a certification means "not on the current roadmap", not "not applicable".

Standard                                                  Status       Expected
GDPR Article 28 (DPA with SCCs ready to sign)             In place     Today — see /legal/dpa
SOC 2 Type I (Trust Services Criteria, security)          In progress  Q3 2026 (audit window)
SOC 2 Type II (after 6-month observation window)          Planned      Q1 2027
Independent pen-test (annual external assessment)         Scheduled    First engagement Q3 2026

Pen-test report access

The most recent pen-test executive summary is publicly downloadable below. The full report — with remediation status per finding and unredacted methodology — is available under NDA to prospective customers under active security review.

Public summary

Executive summary (PDF)

Findings count by severity, remediation status, scope of the engagement. No sensitive technical detail.

Available after first engagement (Q3 2026)

Full report (NDA-gated)

Request under NDA

Email [email protected] with your company name and use case. We respond within one business day with the NDA. Approved requests receive a 7-day signed download URL.

Vulnerability disclosure policy

Found a security issue? Please report it privately. We triage every disclosure within one business day and update you through to resolution.

Where to report
[email protected]. Use PGP if your finding involves customer data exposure (key fingerprint published on this page once available).
What we commit to
  • Acknowledge receipt within 2 business days.
  • Triage + initial severity within 5 business days.
  • Status updates at least every 14 days until resolution.
  • Coordinated disclosure window: 90 days from report, extendable on mutual agreement.
  • Public credit on this page (with reporter consent) once the finding is remediated.
Safe-harbour
We won't pursue legal action against good-faith security research on the platform's public surface (api.driftstack.dev, driftstack.dev, app.driftstack.dev) provided you:
  • Don't access, modify, or exfiltrate other customers' data.
  • Don't degrade service availability (no load tests against prod).
  • Report findings privately before public disclosure.

Sub-processor change SLA

Per GDPR Article 28(2) and DPA Annex 3, we provide 30 calendar days' notice for any material change to the sub-processor list (additions or replacements). Customers can object via email to [email protected] during the notice window.

The live list is published at /trust/sub-processors and material changes are emitted as an RSS feed (subscribe from the same page when V-550.A lands).

Audit log retention

Per ADR-006:

  • Customer-facing audit log — retained per the customer's tier (see /docs/audit-log), surfaced via the dashboard + GET /v1/account/audit-log. Includes every action the customer's account took (API key mints, profile creates, billing changes).
  • Admin audit log — internal-only retention of 365 days for every privileged admin action. Customer access requires legal process or explicit customer consent.
  • Access logs — 90 days hot, 1 year cold for forensic timeline reconstruction. Read-restricted to the on-call engineer + compliance lead.