Security & Compliance Posture
65 controls implemented across 10 categories. Zero data egress. Append-only audit trail. Per-agent mTLS.
- 84%: SOC 2 controls implemented
- 0: rows ever exposed
- 130+: audit event types
- 24h: mTLS cert rotation cycle
65 Controls Across 10 Categories
Every control is enforced in application code, database procedures, or infrastructure configuration — not just policy documents.
Authentication & Session Management (17/17)
- MFA (TOTP) with mandatory enforcement for paid admins
- 12-char password policy with complexity + 90-day rotation
- Progressive lockout (5 → permanent)
- 30-min idle timeout, single-use refresh rotation
Access Control & Provisioning (6/6)
- RBAC: Viewer, Developer, Operator, Admin (30+ capabilities)
- Feature gating per license tier
- Daily automated access review
- Access attestation report per tenant
Access Removal & Offboarding (6/6)
- User suspension revokes all sessions immediately
- Security audit event on every deactivation
- License revocation with reason tracking
- Agent decommissioning via state machine
Encryption & Key Management (7/9)
- TLS 1.2+ enforced, mTLS per agent
- AES-256-GCM token encryption
- 3-tier PKI (Root CA → Intermediate → Agent)
- AWS Secrets Manager (30+ secrets)
Data Transmission & Boundaries (3/3)
- Zero data egress — data never leaves your VPC
- Metadata only: column names, row counts, schema shapes
- PII detection via SQL push-down (aggregates only)
Monitoring & Audit (9/10)
- Append-only audit log (130+ event types, immutable)
- Hourly/daily/weekly pre-computed summaries
- Correlation IDs across all requests
- Platform staff changes logged via database trigger
Vulnerability Management (4/7)
- Security headers (CSP, X-Frame-Options, HSTS)
- Dependency scanning on every code change
- Static analysis (SAST) on every code change
- CORS hardening with explicit origin allowlist
Change Management (6/6)
- Git version control with mandatory code review
- CI: syntax, tests, security scan, Docker build
- Incremental deployment with git-SHA tracking
- Environment promotion gates (DEV → INT → PRD)
Availability (4/7)
- Auto-scaling database (Aurora Serverless)
- Multi-AZ deployment
- 7-day automated backups
- Health check endpoints
Data Retention & Privacy (3/6)
- 365-day audit summaries, 30-day detail logs
- Automated policy-driven data purge
- TTL enforcement on all temporary tokens
Zero Data Egress Architecture
Your data never leaves your environment. The agent runs inside your database. The Command Center sees metadata only.
Flows to Command Center
- Column names and schema metadata
- Row counts and aggregate statistics
- Validation and certification results
- Execution status and health signals
- Profiling metrics (counts, %, min/max)
Never Leaves Your Environment
- Raw row data
- Database credentials and passwords
- PII content (only match counts returned)
- Query results and business data
- Connection strings or secrets
Compliance Framework Alignment
SOC 2 Type II
Controls implemented, audit planned
62 of 76 Trust Service Criteria controls in place. BoltPipeline is not yet SOC 2 certified. Formal audit engagement planned.
ISO 27001
Controls aligned
Annex A controls mapped (authentication, logging, cryptography, access control). Not certified.
GDPR
Architecturally aligned
Zero data egress satisfies data residency requirements. Article 30 (records of processing activities) and Article 32 (security of processing) are addressed.
OWASP Top 10 (2021)
6 of 10 addressed
Broken Access Control, Cryptographic Failures, Injection, Security Misconfiguration, Identification and Authentication Failures, and Security Logging and Monitoring Failures.
Shared Responsibility Model
Clear boundaries between what BoltPipeline manages and what stays in your control.
| Area | BoltPipeline | Customer |
|---|---|---|
| Command Center security | — | |
| Agent software updates | Provides | Deploys |
| Database credentials | Never sees | |
| Network access (firewall, VPC) | — | |
| Data classification & ownership | — | |
| Audit log retention | 365 days included | — |
| User access management | RBAC framework | Assigns roles |
| Incident response (CC) | Notified | |
| Incident response (customer DB) | — | |
Compliance Status Disclosure
BoltPipeline has implemented security controls aligned to the SOC 2 Trust Service Criteria, ISO 27001, GDPR, and OWASP Top 10 frameworks. BoltPipeline is not currently SOC 2 certified, ISO 27001 certified, or independently audited. The controls described on this page reflect our current implementation and are subject to change. A formal SOC 2 Type II audit engagement is planned. Upon completion, the audit report will be available under NDA. This page does not constitute a legal guarantee of compliance with any regulatory framework.
Request Detailed Documentation
Security questionnaires, control mappings, and audit evidence are available under NDA as part of procurement reviews.
SOC 2 Type II report available upon request once observation period completes.