If you email us supporting documents (org chart, vendor list, architecture sketch), we delete them 30 days after we deliver your package. Your form answers are kept for 12 months, then anonymized. Transaction records are retained as long as legally required.
What "your data" means in this policy
We split your data into three buckets, each with a different retention rule:
| Bucket | Examples | Where stored | Retention |
|---|---|---|---|
| Supporting documents (if emailed to us) | Org chart, vendor list, architecture sketch | Secure storage (encrypted) | 30 days after package delivery, then deleted |
| Form answers | Your responses to the intake questions | Neon Postgres | 12 months after package delivery, then anonymized (email and company name removed) |
| Your package copy | The archive we emailed to you | Your inbox | Keep your own copy; we can attempt re-generation from saved form answers within 12 months on request |
What you can do
Request deletion of your supporting documents early
If you emailed us supporting documents and want them deleted sooner, email hello@soc2auditors.org from the address you used at checkout. We will confirm deletion within 7 days.
Request re-delivery of your package
We email you the package as an attachment at delivery. Please keep your copy. If you need it re-sent, email us within 12 months of purchase and we will attempt to re-generate from your saved form answers. After 12 months the form answers are anonymized and re-generation may not be possible.
Delete everything now
Email hello@soc2auditors.org from the email address you used at checkout. We will delete:
- All supporting documents you emailed us, within 7 days
- Your form answers from Postgres, within 7 days
- Your email and company from our customer database within 30 days (we keep refund and Stripe records longer for accounting and tax)
We will email you a confirmation once each step is done.
What we keep regardless
We retain the following indefinitely (or until legally required to delete sooner) because we need them for tax, accounting, fraud prevention, or legal defense:
- Stripe transaction records (payment ID, amount, date, last 4 digits of card)
- Invoice and refund history
- A hash of your submission, separated from any identifying data, kept for 24 months as part of our regression-testing dataset. The hash is not reversible to your content.
Subprocessors
| Vendor | What they hold | Where |
|---|---|---|
| Neon | Form answers, customer records | US (Neon default region) |
| Stripe | Payment data | US |
| Plunk | Email send records | EU or US, depending on Plunk plan |
| Document-processing provider | Form answers and supporting document contents briefly while preparing your package | United States |
We will notify customers via email at least 30 days before adding a new subprocessor that holds your form answers or supporting documents.
Security posture
- All data is stored encrypted at rest (AES-256 or equivalent).
- All data in transit is encrypted (TLS 1.2+).
- Access to production databases is restricted to the founder and named contractors with MFA.
- We will not claim SOC 2 attestation until a licensed CPA firm has completed that engagement on our behalf.
Data deletion guarantees we cannot make
- We cannot delete copies of your data that you sent to your auditor or customer through soc2zip-generated emails. Those are out of our control once sent.
- We cannot delete copies that exist in our backup snapshots until the snapshot rotates out (rotation happens within 7 days for database backups). Deletion requests are honored at the live-data layer immediately and at the backup layer on rotation.
Contact
hello@soc2auditors.org. We respond within 5 business days.