SocialHub.AI

Meet the standards you’re held to

Audited to SOC 2 Type II and ISO 27001, and engineered to support your GDPR and CCPA/CPRA obligations. Below, each standard is broken down requirement by requirement — and exactly how the platform meets or supports it.

How to read this

Certified where it’s a certification, built to support where it’s a law

SOC 2 and ISO 27001 are certifications we hold and re-earn under audit. GDPR and CCPA are laws — there is no “certificate,” so we give you the capabilities to meet each obligation. You stay the data controller; we’re the processor.

Certification held

SOC 2 Type II

Certification held · independently audited over time

SOC 2 Type II is an independent auditor's report on whether our controls actually operated effectively across a period (not a single point in time), evaluated against the AICPA Trust Services Criteria. SocialHub.AI maintains a Type II attestation; the report is available under NDA.

Security (common criteria)
Role-based access control, Azure AD SSO, multi-factor authentication, network controls and an append-only audit trail of sensitive changes.
Availability
99.9% uptime SLA on Azure infrastructure with monitoring and alerting; capacity and failover engineered in.
Confidentiality
AES-256 encryption at rest, TLS 1.3 in transit, customer-managed keys available, and per-tenant data isolation.
Processing integrity
A governed semantic layer defines each metric once and computes it one way, so figures are consistent and traceable; changes are versioned and audited.
Privacy
Member PII is encrypted with blind-index lookup, consent is versioned, and data minimization is enforced (fields marked sensitive are rejected from any location where they do not belong).

Type II = tested over a monitoring window, re-earned each cycle. Report and bridge letter available to prospects/customers under NDA.

Certification held

ISO 27001

Certification held · certified information-security management system

ISO/IEC 27001 certifies a working Information Security Management System (ISMS) — documented, risk-driven security controls that are audited on a recurring basis. SocialHub.AI is ISO 27001 certified for the platform.

Access control (A.5/A.8)
Least-privilege RBAC, Azure AD identity, MFA, and periodic access review; tenant scope enforced in the data path.
Cryptography (A.8)
AES-256 at rest, TLS 1.3 in transit, customer-managed keys, and blind-index tokenization for lookups without exposing raw PII.
Operations security & logging (A.8)
Centralized audit logging, monitoring, and change management across the platform.
Supplier / cloud security (A.5)
Built on Microsoft Azure, inheriting Azure's own certifications; sub-processors governed and documented.
Data handling & residency (A.5/A.8)
Per-tenant isolation, configurable data region (US / EU / Asia-Pacific), and scheduled retention.

Certification is scoped to the platform and re-audited on the ISO surveillance cycle.

Built to support

GDPR

Regulation · built to support your obligations (you = controller, we = processor)

GDPR has no “certificate” — compliance is an ongoing obligation that depends on how you configure and use any platform. SocialHub.AI acts as your data processor and gives you the capabilities to meet the core articles. You remain the data controller.

Lawful basis & consent (Art. 6, 7)
A versioned privacy/consent statement, human-approved, with every member's consent bound to the exact version they saw; browser Global Privacy Control honored at capture.
Right of access & portability (Art. 15, 20)
Data-subject access export assembles everything held on a member on request, with the categories it covers made explicit, and a tracked response deadline.
Right to erasure / restriction (Art. 17, 18)
Retention-based anonymization overwrites a member's personal data while keeping non-personal history — an EDPB-recognized route to “erasure by anonymization.” (One-click cryptographic erasure is on the roadmap.)
Data minimization & accuracy (Art. 5)
Fields flagged as personal are kept out of places they don't belong; member records are editable and correctable.
Records of processing (Art. 30)
An auto-drafted Records of Processing Activities (RoPA) register for your DPO/legal to review — purposes, categories, legal basis, recipients and retention.
Security of processing (Art. 32)
AES-256 / TLS 1.3 encryption, RBAC + MFA, tenant isolation, and full audit logging.
International transfers (Art. 44+)
EU data residency — keep member data in an Azure EU region.
Processor obligations (Art. 28)
A Data Processing Agreement is available; Azure is the documented infrastructure sub-processor.

These capabilities support your GDPR programme. They are not legal advice, and compliance depends on your configuration and use.

Built to support

CCPA / CPRA

Regulation · built to support your obligations (we act as service provider)

The CCPA/CPRA grants California consumers specific rights and treats SocialHub.AI as your service provider — we process data only on your instructions. Here's how each consumer right is supported.

Right to know / access
The same data-subject export used for GDPR returns everything held on a consumer, categorized.
Right to delete
Retention-based anonymization removes a consumer's personal data on request or on schedule while preserving aggregate history.
Right to opt out of sale / sharing
Browser Global Privacy Control is honored at the point behavioral data is collected, and opt-out preferences are respected across channels.
Right to correct
Member profile data is editable so inaccurate personal information can be corrected.
Non-discrimination & service-provider role
Data is used only per your instructions under the DPA; the platform doesn't repurpose consumer data.
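The opt-out right above says the browser's Global Privacy Control signal is honored "at the point behavioral data is collected" and that the preference then carries across channels. The following is an added illustration of that pattern, written for this page rather than taken from the SocialHub.AI platform: a capture endpoint reads the `Sec-GPC` header (the GPC specification defines the signal as `Sec-GPC: 1`) before anything is written, persists the opt-out in a per-member register, and later events from channels that carry no header (an email open, for instance) inherit it. The event shape, the in-memory store and the query-string API are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Event is a constructed behavioral event as a capture endpoint might store it.
type Event struct {
	MemberID     string
	Action       string
	ShareAllowed bool // false once the member has opted out of sale/sharing
}

// EventStore is a toy in-memory event sink plus a per-member opt-out register.
type EventStore struct {
	Events []Event
	optOut map[string]bool
}

func NewEventStore() *EventStore { return &EventStore{optOut: map[string]bool{}} }

// GPCOptedOut reports whether the request carried the Global Privacy Control
// signal. The GPC specification defines the header as "Sec-GPC: 1"; any other
// value, or no header at all, is treated as no signal.
func GPCOptedOut(r *http.Request) bool {
	return strings.TrimSpace(r.Header.Get("Sec-GPC")) == "1"
}

// Capture records an event. A GPC signal is persisted as the member's opt-out,
// so later events from any channel inherit it even when no header is present.
func (s *EventStore) Capture(memberID, action string, gpc bool) Event {
	if gpc {
		s.optOut[memberID] = true
	}
	ev := Event{MemberID: memberID, Action: action, ShareAllowed: !s.optOut[memberID]}
	s.Events = append(s.Events, ev)
	return ev
}

// OptedOut exposes the register so other channels can consult it.
func (s *EventStore) OptedOut(memberID string) bool { return s.optOut[memberID] }

// Shareable returns only the events that may leave the first party.
func (s *EventStore) Shareable() []Event {
	var out []Event
	for _, ev := range s.Events {
		if ev.ShareAllowed {
			out = append(out, ev)
		}
	}
	return out
}

// Handler is the capture endpoint: the signal is read at the moment of
// collection, before the event is stored.
func (s *EventStore) Handler() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		member := r.URL.Query().Get("member")
		action := r.URL.Query().Get("action")
		if member == "" || action == "" {
			http.Error(w, "member and action are required", http.StatusBadRequest)
			return
		}
		s.Capture(member, action, GPCOptedOut(r))
		w.WriteHeader(http.StatusNoContent)
	})
}

func main() {
	s := NewEventStore()
	s.Capture("m1", "page_view", true)   // browser sent Sec-GPC: 1
	s.Capture("m1", "email_open", false) // email channel: no header, opt-out still applies
	s.Capture("m2", "page_view", false)
	fmt.Println(len(s.Shareable())) // 1
}
```

The design point is that the opt-out is recorded once, keyed by member, and consulted on every write rather than re-derived from each request: a channel that cannot carry the header still honours the preference, which is what "respected across channels" requires.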

Supports your CCPA/CPRA obligations; not legal advice. Your configuration and disclosures remain your responsibility.

The controls behind it all

Security by design, not as an add-on

Encryption everywhere

AES-256 at rest, TLS 1.3 in transit, customer-managed keys available. PII is encrypted with blind-index lookup — usable without being exposed.
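"Blind-index lookup", mentioned here and under the ISO 27001 cryptography control above, is the pattern of storing PII only as ciphertext while keeping a separate keyed hash of the value so records can still be found by it. The example below is added for illustration and is not SocialHub.AI's implementation: it encrypts each value with AES-256-GCM under one key and derives the index with HMAC-SHA256 under a second, independent key, so a copy of the table alone yields neither the values nor a way to enumerate them, yet the application can look a member up by email without decrypting every row. The hard-coded keys, the normalization rule and the in-memory table are constructed for the demo; in a real deployment both keys would live in a KMS (the page's customer-managed keys, for instance).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Constructed demo keys. Real keys come from a KMS and are never hard-coded.
var (
	encKey   = []byte("0123456789abcdef0123456789abcdef") // 32 bytes -> AES-256
	indexKey = []byte("fedcba9876543210fedcba9876543210") // separate HMAC key
)

// PIIRecord is what the datastore holds for one member field: ciphertext only.
// The blind index is the row's key, so the raw value appears nowhere at rest.
type PIIRecord struct {
	Ciphertext []byte // AES-256-GCM output with the nonce prepended
}

// normalize makes equivalent inputs (case, surrounding whitespace) index alike.
func normalize(v string) string {
	return strings.ToLower(strings.TrimSpace(v))
}

// BlindIndex returns a deterministic keyed hash of the value. Without indexKey
// the index cannot be reversed or used to test guesses; with it, equality
// lookups work without touching the ciphertext.
func BlindIndex(value string) string {
	mac := hmac.New(sha256.New, indexKey)
	mac.Write([]byte(normalize(value)))
	return hex.EncodeToString(mac.Sum(nil))
}

func newGCM() (cipher.AEAD, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals the value with AES-256-GCM and prepends the random nonce.
func Encrypt(value string) ([]byte, error) {
	gcm, err := newGCM()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(value), nil), nil
}

// Decrypt reverses Encrypt; GCM's tag check rejects tampered ciphertext.
func Decrypt(ct []byte) (string, error) {
	gcm, err := newGCM()
	if err != nil {
		return "", err
	}
	if len(ct) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// PIIStore is a toy in-memory table keyed by blind index.
type PIIStore struct {
	rows map[string]PIIRecord
}

func NewPIIStore() *PIIStore { return &PIIStore{rows: map[string]PIIRecord{}} }

// Put encrypts a member's email and files it under its blind index.
func (s *PIIStore) Put(email string) error {
	ct, err := Encrypt(email)
	if err != nil {
		return err
	}
	s.rows[BlindIndex(email)] = PIIRecord{Ciphertext: ct}
	return nil
}

// Lookup finds a member by email through the index and returns the decrypted
// stored value, or ok=false when no row matches.
func (s *PIIStore) Lookup(email string) (string, bool, error) {
	rec, ok := s.rows[BlindIndex(email)]
	if !ok {
		return "", false, nil
	}
	pt, err := Decrypt(rec.Ciphertext)
	return pt, err == nil, err
}

func main() {
	s := NewPIIStore()
	_ = s.Put("Alice@Example.com")
	v, ok, _ := s.Lookup("alice@example.com")
	fmt.Println(v, ok) // Alice@Example.com true
}
```

Two choices matter for the security property: the index key is separate from the encryption key, so compromise of one does not unlock the other, and the index is an HMAC rather than a plain hash, so low-entropy values such as email addresses cannot be recovered by hashing guesses against a stolen table.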

Access control & audit

RBAC, Azure AD SSO, multi-factor authentication, and an append-only audit trail of sensitive changes.

Data residency

Choose your region — Azure data centers in the US, EU and Asia-Pacific — so data stays where local regulation requires.

Tenant isolation

Each workspace's data is scoped to its own tenant; governed metric/profile access runs read-only against tenant-filtered views.

These capabilities support your compliance programme — they are not legal advice, and your compliance depends on how you configure and use the platform. For certification letters (SOC 2 report, ISO 27001 certificate, DPA) and our full security posture, see Trust & Security.

Bring your auditors. The controls are already here.
