# Compliance (/security/compliance)

StarSling is committed to meeting enterprise security requirements.

## Current Status

### SOC 2 Type II

**Status:** In progress

We are actively working toward SOC 2 Type II certification. Expected completion: Q2 2026.

### GDPR

**Status:** Compliant

StarSling processes minimal personal data and complies with GDPR requirements:

* Data minimization practiced
* Right to deletion supported
* Data processing agreement available on request

### HIPAA

**Status:** Not certified

StarSling is not currently HIPAA compliant. Do not use StarSling for workloads involving protected health information (PHI).

## Security Practices

### Access Control

* All employee access requires MFA
* Production access limited to on-call engineers
* Access logged and audited quarterly

### Infrastructure Security

* Cloud infrastructure configured according to security best practices
* Regular security patches applied
* Network segmentation between environments

### Incident Response

* 24/7 on-call rotation
* Documented incident response procedures
* Customer notification within 24 hours for security incidents

### Vulnerability Management

* Regular dependency updates
* Automated security scanning in CI
* Responsible disclosure program

## Penetration Testing

We conduct annual penetration tests with third-party security firms.

**Most recent test:** Q4 2024

**Findings:** No critical or high severity findings

Reports are available under NDA to Enterprise customers.

## Vendor Security

### GitHub

We integrate with GitHub's APIs; GitHub maintains:

* SOC 1 and SOC 2
* ISO 27001
* FedRAMP

## Security Questionnaire

For enterprise security reviews, we provide:

* CAIQ (Consensus Assessment Initiative Questionnaire)
* SIG (Standard Information Gathering)
* Custom questionnaire responses

Contact [founders@starsling.dev](mailto:founders@starsling.dev) to request security documentation.

## Responsible Disclosure

If you discover a security vulnerability, please report it to:

**[security@starsling.dev](mailto:security@starsling.dev)**

We commit to:

* Acknowledging receipt within 24 hours
* Providing status updates every 72 hours
* Not pursuing legal action for good-faith research

## Enterprise Security Features

Available for Enterprise customers:

* Single Sign-On (SSO) via SAML
* Audit log export
* Custom data retention policies
* Dedicated support channel
* Security review calls

