System and Organization Control 2 Type 2 (SOC 2) is a compliance framework developed by the American Institute of Certified Public Accountants (AICPA) that focuses on how an organization's services remain secure and protect customer data. The framework contains 5 Trust Services Categories (TSCs), which contain criteria to evaluate the controls and service commitments of an organization.
PostHog is certified as SOC 2 Type II compliant, following an external audit.
Our latest security report is publicly available (covering controls as of May 31st, 2024). Our bridge letter is also available until we receive our next report.
Policies
We have a number of policies in place to support SOC 2 compliance. All team members have been invited to Drata to review these and to complete security training and background checks as part of onboarding.
All of these policies are available for viewing upon request:
- Acceptable Use Policy
- Application Logging & Monitoring Policy
- Asset Management Policy
- Backup Policy
- Breach Notification Policy
- Business Associate Policy
- Business Continuity Plan
- Code of Conduct
- Data Classification Policy
- Data Deletion Policy
- Data Protection Policy
- Disaster Recovery Plan
- Encryption Policy
- Incident Response Plan
- Information Security Policy
- Password Policy
- Physical Security Policy
- Privacy, Use, and Disclosure Policy
- Responsible Disclosure Policy
- Risk Assessment Policy
- Software Development Lifecycle Policy
- System Access Control Policy
- Vendor Management Policy
- Vulnerability Management Policy