StepSecurity Steps Up the Security Game with SOC 2 Type 2 Compliance

StepSecurity achieves SOC 2 Type 2 compliance, demonstrating our ongoing dedication to the highest security standards and comprehensive protection for our customers' data and systems.

Ashish Kurmi
July 3, 2024

We are thrilled to share that StepSecurity has achieved SOC 2 Type 2 compliance certification. This certification recognizes our commitment to providing the highest level of security for our customers' data and systems.  

As a cloud-based security company, we understand the importance of implementing strong security and privacy controls to protect our customers. Achieving SOC 2 Type 2 compliance is a rigorous and comprehensive process that requires organizations to meet strict security and privacy standards. We are proud to say that we have passed this process with flying colors, without any exceptions for mandatory security controls.  

The StepSecurity platform enables several mandatory SOC 2 controls, such as Dependabot, via automated remediation pull requests. We use the platform ourselves to guarantee that all crucial repositories have mandatory security tools enabled. At StepSecurity, security is not an afterthought but a core principle that we incorporate into everything we do. We have always taken a secure-by-default approach to building our services, and we embrace the "assume breach" mindset. We have deployed multiple security controls across our SDLC to provide comprehensive security protection, and we follow the principle of least privilege to ensure that our designs give services only the minimal access required to customer code and data.

Public Repositories

The StepSecurity platform does not require any credentials or explicit onboarding before it can analyze public repositories and provide automated security remediations. Harden-Runner also does not require any GitHub privileges to protect CI/CD for public repositories.  

Private Repositories

The StepSecurity platform supports an outpost deployment, which processes customer code in a customer-controlled environment without giving StepSecurity access to source code or CI/CD pipeline definitions. Harden-Runner requires access only to build logs, and does not require direct access to proprietary source code or CI/CD pipeline definitions.

We understand the importance of safeguarding our customers' data, and we take all necessary precautions to ensure customer data is secure. If you are an enterprise customer interested in using our services, we are happy to provide you with our SOC 2 Type 2 report upon request.
