Legal
SOC 2 Type IISecurity
Your security is our top priority. We implement enterprise-grade security controls to protect your data.
Last updated December 20, 2025
Security Overview
Defense in depth approach
At Heightss, security is not an afterthought—it's foundational to everything we build. We have designed our platform following the principle of defense in depth, implementing multiple layers of security controls to protect your financial data and personal information.
Our security program is built on the SOC 2 Trust Service Criteria:
- Security: Protection against unauthorized access through robust access controls, encryption, and monitoring
- Availability: System uptime commitments with disaster recovery and business continuity planning
- Processing Integrity: Ensuring data is processed completely, accurately, and in a timely manner
- Confidentiality: Protection of sensitive information through encryption and access controls
- Privacy: Collection, use, retention, and disposal of personal information in accordance with our commitments
SOC 2 Compliance
Independently audited controls
Independently Audited
Heightss has implemented controls aligned with the AICPA SOC 2 framework. Our security controls are designed to meet or exceed the requirements for:
Security Controls
Logical access, network security, change management, risk assessment
Availability Controls
System monitoring, disaster recovery, incident response, backup procedures
Confidentiality Controls
Data classification, encryption, secure disposal, access restrictions
Privacy Controls
Notice, consent, collection limitation, data quality, retention
For enterprise customers requiring SOC 2 reports, please contact security@heightss.com.
Encryption
AES-256 & TLS 1.3
Data in Transit:
- All connections use TLS 1.3 with strong cipher suites
- HSTS (HTTP Strict Transport Security) enforced with 1-year max-age
- Certificate pinning for mobile applications
- Perfect Forward Secrecy (PFS) enabled
Data at Rest:
- AES-256 encryption for all sensitive data
- Database-level encryption with customer-managed keys option
- OAuth tokens encrypted with unique per-user keys
- Backups encrypted using separate encryption keys
Key Management:
- Hardware Security Modules (HSM) for master key storage
- Automatic key rotation every 90 days
- Separation of duties for key access
- Key access audited and logged
Access Control
RBAC & MFA
User Authentication:
- OAuth 2.0 with PKCE for secure authentication flows
- Multi-Factor Authentication (MFA) available for all accounts
- Session timeout after 24 hours of inactivity
- Secure password requirements (minimum 12 characters, complexity rules)
- Account lockout after 5 failed login attempts
Internal Access (Principle of Least Privilege):
- Role-Based Access Control (RBAC) for all systems
- Just-in-time access provisioning for production systems
- Quarterly access reviews and recertification
- Immediate access revocation upon employee departure
- All privileged access requires MFA and is logged
API Security:
- API keys with scoped permissions
- Rate limiting to prevent abuse
- Request signing for sensitive operations
- IP allowlisting available for enterprise accounts
Infrastructure
Multi-region, SOC 2 certified cloud
Cloud Infrastructure:
- Hosted on SOC 2 Type II certified cloud providers
- Multi-region deployment for high availability
- Virtual Private Cloud (VPC) with network segmentation
- DDoS protection and Web Application Firewall (WAF)
Network Security:
- Network segmentation between application tiers
- Intrusion Detection and Prevention Systems (IDS/IPS)
- Firewall rules reviewed and updated quarterly
- No direct internet access for database servers
Container Security:
- Immutable container images with vulnerability scanning
- Runtime security monitoring
- Secrets management via dedicated vault services
- Regular base image updates
Monitoring & Logging
24/7 security monitoring
Security Monitoring:
- 24/7/365 security monitoring and alerting
- Security Information and Event Management (SIEM)
- Anomaly detection for suspicious activities
- Real-time alerting for security events
Audit Logging:
- All user actions logged with timestamps
- Administrative actions logged and reviewed
- API access logged with request details
- Logs retained for minimum 1 year
- Tamper-evident log storage
Performance Monitoring:
- Real-time application performance monitoring
- Database query performance tracking
- Error tracking and alerting
- Uptime monitoring with public status page
Incident Response
72-hour breach notification
We maintain a comprehensive incident response program:
Response Process:
- Detection: Automated monitoring and alerting systems
- Containment: Immediate actions to limit impact
- Investigation: Root cause analysis and evidence preservation
- Remediation: Fix vulnerabilities and restore services
- Communication: Notify affected parties as required
- Post-Incident Review: Lessons learned and process improvements
Data Breach Notification:
- Affected users notified within 72 hours of confirmed breach
- Notification includes: nature of breach, data affected, remediation steps
- Regulatory authorities notified as required by applicable law
- Post-incident report provided upon request
Contact for Security Issues: Report security vulnerabilities to security@heightss.com
Business Continuity
99.9% uptime SLA
Availability Commitment:
- 99.9% uptime SLA for production services
- Planned maintenance windows communicated 48 hours in advance
- Public status page at status.heightss.com
Backup & Recovery:
- Automated daily backups with point-in-time recovery
- Backups stored in geographically separate region
- Recovery Point Objective (RPO): 1 hour
- Recovery Time Objective (RTO): 4 hours
- Backup restoration tested quarterly
Disaster Recovery:
- Multi-region failover capability
- Disaster recovery plan tested annually
- Documented runbooks for common failure scenarios
- On-call engineering team 24/7
Vendor Management
Vetted subprocessors
We carefully select and monitor all third-party vendors:
Vendor Assessment:
- Security questionnaire and due diligence before onboarding
- SOC 2 report review for critical vendors
- Data Processing Agreements (DPA) with all processors
- Annual vendor security reviews
Current Subprocessors:
| Vendor | Purpose | Location |
|---|---|---|
| Google Cloud | Authentication (OAuth) | USA |
| WorkOS | Authentication Infrastructure | USA |
| Anthropic | AI Processing | USA |
| Sentry | Error Monitoring | USA |
| Civo Cloud | Database Hosting | UK |
Complete subprocessor list available upon request.
Employee Security
Background checks & training
Hiring & Onboarding:
- Background checks for all employees with system access
- Confidentiality agreements signed before access granted
- Security training completed within first week
Security Training:
- Annual security awareness training for all employees
- Phishing simulation exercises quarterly
- Role-specific security training for developers
- Secure coding training for engineering team
Offboarding:
- Access revoked within 24 hours of departure
- Device collection and secure wipe
- Access audit upon departure
Security Testing
Annual pentests & SAST/DAST
Vulnerability Management:
- Automated vulnerability scanning weekly
- Dependency scanning in CI/CD pipeline
- Critical vulnerabilities patched within 24 hours
- High vulnerabilities patched within 7 days
Penetration Testing:
- Annual third-party penetration testing
- Additional testing after significant changes
- Findings remediated and verified
- Executive summary available for enterprise customers
Secure Development:
- Security requirements in design phase
- Code review required for all changes
- Static Application Security Testing (SAST)
- Dynamic Application Security Testing (DAST)
Compliance & Audits
SOC 2, GDPR, IT Act 2000
Current Compliance:
- SOC 2 Type II: Controls aligned with AICPA Trust Service Criteria
- GDPR: Compliant with EU General Data Protection Regulation
- Google API Services User Data Policy: Full compliance including Limited Use requirements
- IT Act 2000 (India): Compliant with Indian data protection regulations
Audit Rights:
Enterprise customers may request:
- SOC 2 Type II report
- Penetration test executive summary
- Security questionnaire responses
- Data Processing Agreement (DPA)
Contact security@heightss.com for compliance documentation.
Responsible Disclosure
Security researcher guidelines
We welcome security researchers to help us keep Heightss secure:
Scope:
- heightss.com and *.heightss.com
- API endpoints at api.heightss.com
- Mobile applications (when released)
Out of Scope:
- Denial of service attacks
- Social engineering of employees
- Physical security testing
- Third-party services
How to Report:
- Email: security@heightss.com
- Include: Description, steps to reproduce, impact assessment
- Response within 48 hours
- Safe harbor for good-faith security research
Contact
Get in touch with security team
For security-related inquiries, vulnerability reports, or compliance documentation requests:
Security Team: security@heightss.com
Privacy Team: privacy@heightss.com
General Inquiries: heightss@heightss.com