Security Framework

SOC 2-aligned controls and compliant infrastructure

Security Framework Overview

Jaapi AB implements security and operational controls aligned with the SOC 2 Trust Services Criteria. We build on infrastructure providers that hold SOC 2 Type II attestation reports and keep the personal data we hold to a minimum, so that both the attack surface and the compliance scope stay small.

Infrastructure: Hosting (Vercel) and database (AWS) providers with SOC 2 Type II attestation reports
Data Approach: Minimal personal data storage with secure processing
Framework: SOC 2-aligned controls and monitoring
Last Updated: May 24, 2024

Data Minimization & Infrastructure Security

Security Through Minimization

Our security approach is built on the principle of data minimization. We collect and store only the essential data needed to provide our service, significantly reducing the attack surface and compliance scope.

What We Store

  • User accounts and basic profile information
  • Order details and shipping addresses
  • Product preferences and cart data
  • Session and authentication tokens

What We Don't Store

  • Credit card numbers or payment details
  • Social security numbers or government IDs
  • Health information or biometric data
  • Financial account information

SOC 2 Certified Infrastructure

All customer data is processed and stored on infrastructure operated by providers with current SOC 2 Type II reports, which gives enterprise-grade physical and platform controls without the overhead of managing hardware. A provider's report covers only that provider's own controls; the application-level controls described in the sections below remain Jaapi's responsibility.

  • Vercel (Hosting): SOC 2 Type II attested application hosting and edge network
  • AWS (Database): SOC 2 Type II attested managed PostgreSQL with automated backups
  • Stripe (Payments): PCI DSS Level 1 certified payment processing

PCI Compliance

Payment Card Security

Jaapi does not store credit card information. All payment processing is handled by Stripe.

  • Stripe PCI DSS Level 1: Highest service-provider level under the payment card industry standard
  • No card storage: Card details go from the customer's browser directly to Stripe and never pass through Jaapi systems
  • Tokenization: Jaapi stores only Stripe-issued tokens, opaque identifiers that are usable solely through Stripe's API and cannot be turned back into card numbers

Infrastructure Resilience

High Availability

  • Multi-region deployment: 18 AWS regions
  • Automatic failover: Traffic routing to nearest available edge
  • 99.99% SLA: Vercel serverless uptime guarantee

Data Backup

  • Hourly backups: Automated with no performance impact
  • 30-day retention: All backups persisted
  • Global replication: Disaster-resistant storage

Trust Services Criteria

Security (CC6)

Logical Access Controls

  • Role-based permissions in database
  • UUID-based session management
  • Automatic session expiration
  • Multi-factor authentication support
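The session controls above, as an added example that is not Jaapi's code: session identifiers come from crypto.randomUUID(), which yields a version 4 UUID with 122 random bits, and every lookup enforces both an idle timeout and an absolute lifetime. The lifetimes, the field names and the injectable clock are assumptions made for the example.

```typescript
import { randomUUID } from "node:crypto";

export interface Session {
  id: string;
  userId: string;
  tenantId: string;
  createdAt: number;   // ms since epoch; start of the absolute lifetime
  lastSeenAt: number;  // ms since epoch; start of the idle lifetime
}

export class SessionStore {
  private readonly sessions = new Map<string, Session>();

  // idleMs: how long a session may go unused; absoluteMs: hard cap from creation.
  // `now` is injectable so expiry can be exercised without sleeping. (assumed values)
  constructor(
    private readonly idleMs: number,
    private readonly absoluteMs: number,
    private readonly now: () => number = Date.now,
  ) {}

  // crypto.randomUUID() returns a version 4 UUID: 122 bits from the CSPRNG, so the
  // id is not guessable. A time-based (v1) UUID would be predictable and must not be used.
  create(userId: string, tenantId: string): Session {
    const t = this.now();
    const session: Session = { id: randomUUID(), userId, tenantId, createdAt: t, lastSeenAt: t };
    this.sessions.set(session.id, session);
    return session;
  }

  // Returns the live session or undefined. An expired session is deleted on sight,
  // so a stale cookie cannot be revived later by a clock change.
  validate(id: string): Session | undefined {
    const s = this.sessions.get(id);
    if (!s) return undefined;
    const t = this.now();
    if (t - s.createdAt > this.absoluteMs || t - s.lastSeenAt > this.idleMs) {
      this.sessions.delete(id);
      return undefined;
    }
    s.lastSeenAt = t;  // sliding idle window
    return s;
  }

  // Issue a fresh id after login or a privilege change, so an id planted before
  // authentication (session fixation) never becomes an authenticated one.
  rotate(id: string): Session | undefined {
    const s = this.validate(id);
    if (!s) return undefined;
    this.sessions.delete(id);
    const fresh: Session = { ...s, id: randomUUID() };
    this.sessions.set(fresh.id, fresh);
    return fresh;
  }

  revoke(id: string): void {
    this.sessions.delete(id);
  }

  // Server-side revocation of every session of a user (password reset, lockout).
  revokeAllForUser(userId: string): number {
    let n = 0;
    for (const [id, s] of Array.from(this.sessions)) {
      if (s.userId === userId) { this.sessions.delete(id); n++; }
    }
    return n;
  }
}
```

Because expiry is checked on every lookup and the session record is removed when it fails, a client holding an old identifier gets the same answer as a client holding a random one.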

Network Security

  • HTTPS-only enforcement
  • Content Security Policy headers
  • Vercel WAF protection
  • Password/SSO authentication
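An added example, not Jaapi's configuration, of the HTTPS-only and Content Security Policy headers listed above, in the shape a Next.js headers() hook or middleware would return. The directive set, the Stripe origins and the helper names are assumptions; the per-request nonce is what lets the policy avoid 'unsafe-inline' for scripts.

```typescript
import { randomBytes } from "node:crypto";

export interface Header { key: string; value: string }

// One nonce per request, generated in middleware and handed to the page so the
// framework can stamp it on the inline scripts it emits.
export function newNonce(): string {
  return randomBytes(16).toString("base64");
}

// Builds the CSP value. Origins for Stripe are assumed for the example.
export function contentSecurityPolicy(nonce: string): string {
  const directives: Record<string, string[]> = {
    "default-src": ["'self'"],
    // Scripts must be same-origin or carry this request's nonce; 'strict-dynamic'
    // lets a nonced script load its own dependencies without a host allow-list.
    "script-src": ["'self'", `'nonce-${nonce}'`, "'strict-dynamic'"],
    "style-src": ["'self'", `'nonce-${nonce}'`],
    "img-src": ["'self'", "data:", "https:"],
    "frame-src": ["https://js.stripe.com"],          // Stripe Elements iframes
    "connect-src": ["'self'", "https://api.stripe.com"],
    "object-src": ["'none'"],
    "base-uri": ["'self'"],                           // blocks <base> hijacking of relative URLs
    "form-action": ["'self'"],
    "frame-ancestors": ["'none'"],                    // clickjacking protection
    "upgrade-insecure-requests": [],
  };
  return Object.entries(directives)
    .map(([name, values]) => [name, ...values].join(" "))
    .join("; ");
}

export function securityHeaders(nonce: string): Header[] {
  return [
    // HTTPS-only: once seen, browsers refuse plaintext HTTP for this host for two years.
    { key: "Strict-Transport-Security", value: "max-age=63072000; includeSubDomains; preload" },
    { key: "Content-Security-Policy", value: contentSecurityPolicy(nonce) },
    { key: "X-Content-Type-Options", value: "nosniff" },
    { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
    { key: "Permissions-Policy", value: "camera=(), microphone=(), geolocation=()" },
  ];
}

// Review check: flags a script-src that would let injected markup execute.
export function policyHasWeakScriptSrc(csp: string): boolean {
  const scriptSrc = csp
    .split(";")
    .map(d => d.trim())
    .find(d => d.startsWith("script-src")) ?? "";
  return /'unsafe-inline'|'unsafe-eval'|\*/.test(scriptSrc);
}
```

With 'strict-dynamic' present, browsers that honour it ignore host allow-lists in script-src, so a third-party tag such as Stripe.js must itself carry the nonce; the frame-src and connect-src entries still apply because 'strict-dynamic' affects only script-src.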

Availability (A1)

Infrastructure Reliability

  • Vercel serverless (99.99% SLA)
  • AWS managed PostgreSQL
  • Geographic CDN distribution
  • Automatic failover capabilities

Monitoring & Response

  • Real-time alerts
  • Automated incident detection
  • Performance monitoring
  • Backup and recovery procedures

Processing Integrity (PI1)

Data Validation

  • Zod schema validation on all inputs
  • Database constraints and foreign keys
  • Input sanitization procedures
  • Error handling and logging

Transaction Management

  • Atomic operations with Slonik
  • Audit trail for all changes
  • Timestamped transaction logs
  • Data integrity checks

Confidentiality (C1)

Data Protection

  • TLS 1.3 encryption in transit
  • Database encryption at rest
  • Secure key management
  • Data classification procedures

Access Management

  • Principle of least privilege
  • Regular access reviews
  • Secure development practices
  • Third-party agreements (DPAs)

Privacy (P1-P8)

Privacy Framework

  • GDPR-aligned privacy practices
  • Data subject rights implementation
  • Privacy by design principles
  • Regular privacy assessments

Data Lifecycle Management

  • Data minimization practices
  • Retention policy enforcement
  • Secure data disposal
  • Consent management

System Architecture

Multi-Tenant SaaS Platform

Jaapi operates as a multi-tenant Next.js application serving branded swag stores for business customers. Our architecture emphasizes security through simplicity: minimal data collection, SOC 2 certified infrastructure, and tenant isolation enforced at the data layer.

Application Layer

  • Next.js React framework
  • Serverless deployment
  • API-first architecture
  • TypeScript throughout

Data Layer

  • PostgreSQL database
  • Tenant-based isolation
  • Automated backups
  • Query performance monitoring
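An added example, not Jaapi's code, of the two data-layer properties this section and the Transaction Management section rely on: every query is scoped by the tenant taken from the verified session, and an order and its audit row are written in one transaction. The in-memory Store stands in for PostgreSQL and its faults set exists only to force a failed write for the demonstration; table and column names are assumptions. In production the transaction wrapper would be Slonik's pool.transaction(), which rolls back on a thrown error in the same way.

```typescript
// Tenant and user come from the validated session, never from the request body.
export interface TenantContext { tenantId: string; userId: string }

export interface OrderRow { id: string; tenant_id: string; user_id: string; total_cents: number }
export interface AuditRow { tenant_id: string; actor: string; action: string; target: string; at: number }

// Minimal stand-in for PostgreSQL with the one property that matters here:
// a transaction commits all of its writes or none of them.
export class Store {
  orders: OrderRow[] = [];
  audit: AuditRow[] = [];
  // Fault injection for the demonstration only: tables listed here reject writes.
  readonly faults = new Set<string>();

  insertOrder(row: OrderRow): void {
    if (this.faults.has("orders")) throw new Error("orders: write failed");
    if (this.orders.some(o => o.id === row.id)) throw new Error("orders: duplicate id");  // PRIMARY KEY
    this.orders.push(row);
  }

  insertAudit(row: AuditRow): void {
    if (this.faults.has("audit")) throw new Error("audit: write failed");
    this.audit.push(row);
  }

  // BEGIN; ... COMMIT, or ROLLBACK on any throw.
  transaction<T>(fn: (tx: Store) => T): T {
    const snapshot = { orders: [...this.orders], audit: [...this.audit] };
    try {
      return fn(this);
    } catch (err) {
      this.orders = snapshot.orders;  // ROLLBACK: both tables revert together
      this.audit = snapshot.audit;
      throw err;
    }
  }
}

// Reads are always scoped by the caller's tenant. Knowing an order id is not
// enough: another tenant's id resolves to undefined, not to a row.
//   SELECT id, tenant_id, user_id, total_cents FROM orders
//   WHERE tenant_id = $1 AND id = $2
export function findOrder(db: Store, ctx: TenantContext, orderId: string): OrderRow | undefined {
  return db.orders.find(o => o.tenant_id === ctx.tenantId && o.id === orderId);
}

//   SELECT ... FROM orders WHERE tenant_id = $1 ORDER BY id
export function listOrders(db: Store, ctx: TenantContext): OrderRow[] {
  return db.orders.filter(o => o.tenant_id === ctx.tenantId).sort((a, b) => a.id.localeCompare(b.id));
}

// The order and its audit entry are written in the same transaction: there is
// never an order without its audit row, nor an audit row for a rolled-back order.
export function placeOrder(
  db: Store,
  ctx: TenantContext,
  orderId: string,
  totalCents: number,
  now: () => number = Date.now,
): OrderRow {
  return db.transaction(tx => {
    const row: OrderRow = { id: orderId, tenant_id: ctx.tenantId, user_id: ctx.userId, total_cents: totalCents };
    tx.insertOrder(row);
    tx.insertAudit({ tenant_id: ctx.tenantId, actor: ctx.userId, action: "order.create", target: orderId, at: now() });
    return row;
  });
}
```

The same tenant guarantee can also be enforced inside PostgreSQL with row-level security policies keyed on a session variable, which covers the case of a query that forgets the tenant predicate; the application-side scoping shown here then acts as defence in depth rather than the only barrier.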

Infrastructure

  • Vercel hosting platform
  • AWS database hosting
  • Hetzner CDN services
  • Geographic distribution

Control Environment & Monitoring

Governance

  • Security roles defined
  • Risk assessment procedures
  • Incident response protocols
  • Vendor management program

Technical Controls

  • Automated security scanning
  • Continuous monitoring
  • Change management
  • Backup and recovery testing

Monitoring

  • Performance metrics
  • Failed authentication tracking
  • Configuration change alerts
  • Data access logging

Compliance Contact

Security & Compliance Inquiries

For security framework questions, risk assessments, vendor security questionnaires, or additional security documentation:

lynn@jaapi.store