Effective Date: February 12, 2026 · Last Updated: February 12, 2026
1. Overview
IAMVC Holdings, LLC ("Company") is committed to maintaining high standards of security, availability, and data protection for ProxyStack and SentinelAI. This document outlines our control posture against the AICPA Trust Services Criteria (TSC), the criteria a SOC 2 Type II examination is performed against.
SOC 2 Type II evaluates both the design and the operating effectiveness of controls over a defined observation period. This document maps our policies, implemented controls, and evidence across all five trust services categories. It is a self-assessment; no independent examination has been performed yet (see section 9).
2. Trust Service Criteria
Our compliance program addresses all five AICPA trust services categories:
Security (CC): Protection against unauthorized access, both physical and logical. Includes firewalls, access controls, encryption, and intrusion detection.
Availability (A): Systems are operational and usable as committed. Includes uptime monitoring, disaster recovery, and incident response.
Processing Integrity (PI): System processing is complete, valid, accurate, and timely. Includes input validation, error handling, and data quality checks.
Confidentiality (C): Information designated as confidential is protected. Includes encryption at rest and in transit, access restrictions, and data classification.
Privacy (P): Personal information is collected, used, retained, and disclosed in conformity with our privacy commitments. See our Privacy Policy.
3. Security Controls (CC Series)
CC1 — Control Environment
CC1.1 — Organizational Commitment to Security
IAMVC Holdings maintains a security-first culture. All development follows secure coding practices, code review, and automated testing.
Evidence: Code signing certificate, .NET obfuscation (Obfuscar), HMAC-signed license keys, build pipeline with integrity checks
CC1.2 — Board/Management Oversight
Security policies are reviewed and approved by company leadership. Compliance reports are generated and reviewed regularly.
Evidence: ComplianceView.cs — SOC2 (9 checks), GDPR (6), PCI-DSS (8), HIPAA (5) automated compliance reporting
CC1.3 — Personnel Security
Access to production systems is restricted to authorized personnel. Admin API access requires either the admin API key or a Bearer token for an account carrying the is_admin role flag (see CC5.2). These are two credentials of the same factor type, not multi-factor authentication.
Evidence: require_admin() dual-auth (x-api-key + Bearer token with is_admin), ADMIN_EMAILS whitelist auto-seeded
CC2 — Communication & Information
CC2.1 — Security Policies Communicated
Security policies are documented and accessible. Customers are informed of their responsibilities via Terms of Service, Privacy Policy, and EULA.
Evidence: tos.html, privacy.html, eula.html, sla.html, refund.html — all publicly accessible
CC2.2 — Incident Communication
Security incidents are communicated to affected parties within 72 hours. Status updates provided via email and support portal.
Evidence: Support ticket system (support.html), enterprise email (enterprise@iamvcholdings.com), Discord community
CC3 — Risk Assessment
CC3.1 — Risk Identification
Regular security scanning identifies vulnerabilities. Coverage of the OWASP Top 10 risk categories is tracked continuously on the scanner's compliance dashboard.
Evidence: SecurityScannerView.cs — Quick (11 checks) + Full (18 checks), OWASP compliance dashboard with scoring
CC3.2 — Vulnerability Management
All binaries are scanned via VirusTotal before release. Dependencies are monitored for known vulnerabilities.
Evidence: virustotal-scan.ps1, VT results published on website (EXE 0/72, DLL 1/72, Updater 0/66)
CC4 — Monitoring Activities
CC4.1 — Continuous Monitoring
System health, performance, and security events are monitored in real-time via the monitoring dashboard and telemetry system.
Evidence: MonitoringView.cs (CPU/RAM/Disk), TelemetryService.cs, /api/telemetry endpoints, /api/health
CC4.2 — Error Reporting
Application errors are automatically captured and reported to the backend for analysis and resolution.
Evidence: ErrorReport model, POST /api/errors/report, global exception handlers in Program.cs
CC5 — Control Activities
CC5.1 — Access Control
Role-based access control (RBAC) with four roles: Admin, Developer, Operator, Viewer. Feature gating enforces tier-based access (Community/Pro/Enterprise).
Evidence: FeatureGate.cs, Team RBAC (team.json), is_admin flag, license tier enforcement
CC5.2 — Authentication
Custom HMAC-signed bearer tokens with a 30-day lifetime. Passwords are hashed with bcrypt. Admin endpoints accept either the admin API key or a Bearer token for an is_admin account; both paths are checked by the require_admin() dependency.
Evidence: _create_token/_decode_token in main.py, bcrypt hashing, require_admin() dependency
CC5.3 — Encryption
TLS 1.2+ is enforced for all communications. Locally stored secrets are encrypted at rest with Windows DPAPI, so secrets.vault can only be decrypted by the Windows user or machine account that protected it and is not portable between hosts. License keys carry an HMAC signature, so a key whose payload has been modified fails verification.
Evidence: Nginx/Apache TLS config, SecretsVaultView.cs (DPAPI), verify_key_signature() in main.py
CC6 — Logical & Physical Access
CC6.1 — Logical Access Security
All API endpoints require authentication; admin endpoints additionally require elevated privileges. Rate limiting (60 requests per minute) throttles abusive clients, and IP allow/deny lists block known-bad sources.
Evidence: API key auth, Bearer token auth, rate limiting middleware, IP allow/deny lists
CC6.2 — Network Security
Web Application Firewall (WAF) with 12 built-in rules. mTLS client-certificate authentication for zero-trust deployments. IP reputation checking and geo-blocking.
Evidence: WafView.cs (12 rules, 3 modes), ZeroTrustView.cs (mTLS, cert auth), SecurityView.cs (IP lists, geo-blocking)
CC6.3 — Hardware ID Binding
License keys are bound to a hardware ID (HWID) to deter unauthorized redistribution; a grace period tolerates hardware changes.
Evidence: LicenseService.cs, HWID derived via WMI from Win32_Processor and Win32_DiskDrive, 30-day grace period. Note that these WMI values are readable by any local process, so HWID binding raises the cost of casual key sharing rather than preventing a determined attacker.
CC7 — System Operations
CC7.1 — Release Pipeline Integrity
All releases go through a defined build pipeline: compile, obfuscate, sign, scan, stage, package. Version control tracks all changes.
Evidence: build-release.ps1, Obfuscar obfuscation, Authenticode signing, VirusTotal scanning, SHA-256 checksums
CC7.2 — Incident Response
Support ticket system with priority levels (Low/Medium/High/Critical). Enterprise SLA guarantees 4-hour response time for critical issues.
Evidence: SupportTicket model, admin ticket management, SLA tiers (Community 48h, Pro 24h, Enterprise 4h)
CC7.3 — Backup & Recovery
Automated backup system with configurable schedule and retention. Restore from backup with one click. Config preserved during updates.
Evidence: AdvancedView.cs backup/restore, PreserveList in updater, proxystack.json + secrets.vault preserved
CC8 — Change Management
CC8.1 — Software Development Lifecycle
Secure SDLC with code review, automated testing, obfuscation, and code signing. All releases are versioned and documented in CHANGELOG.md.
Evidence: CHANGELOG.md, roadmap.md, build pipeline, .NET 8 with latest security patches
CC9 — Risk Mitigation
CC9.1 — Third-Party Risk
Third-party integrations (Stripe, SMTP) use secure APIs with encrypted credentials. Stripe webhook signatures are verified. No customer payment data is stored locally.
Evidence: Stripe webhook signature verification, SMTP via TLS, no PAN/CVV storage
4. Availability Controls (A Series)
| Control | Description | Status |
|---|---|---|
| A1.1 | Uptime monitoring with health check endpoints and service status dashboard | Implemented |
| A1.2 | SLA commitments: 99.5% uptime (Pro), 99.9% uptime (Enterprise), with service credits | Implemented |
| A1.3 | Auto-restart of managed services (Apache, Nginx, apps) on failure detection | Implemented |
| A1.4 | Disaster recovery via automated backups with configurable retention | Implemented |
| A1.5 | Multi-node cluster with health checks and automatic config sync (Enterprise) | Implemented |
5. Processing Integrity Controls (PI Series)
| Control | Description | Status |
|---|---|---|
| PI1.1 | Input validation on all API endpoints (Pydantic models, email validation, length limits) | Implemented |
| PI1.2 | License key integrity via HMAC signatures; forged keys are rejected before the database lookup | Implemented |
| PI1.3 | Stripe webhook signature verification rejects tampered payment events | Implemented |
| PI1.4 | Token transaction integrity: all earn/spend operations logged with type, amount, reason, and timestamp | Implemented |
| PI1.5 | Config validation before applying: Nginx/Apache config is tested before reload | Implemented |
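As an added Python example, not ProxyStack's own main.py (whose _create_token/_decode_token and verify_key_signature are cited as evidence above but not reproduced on this page), the following shows the shape of the two HMAC controls described in CC5.2 and PI1.2: a license key whose signature is checked before any database access, and a bearer token with a 30-day expiry and an is_admin claim. The secret, the `<base64 payload>.<base64 tag>` layout, the claim names, the tamper_tier helper and the require_admin stand-in are all assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed secret for this example only; a real server loads it from its
# environment or secrets store, never from source control.
SECRET_KEY = b"example-server-secret-32-bytes-long!!"
TOKEN_TTL_SECONDS = 30 * 24 * 3600  # the 30-day token lifetime from CC5.2


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: bytes, key: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


def _issue(claims: dict, key: bytes) -> str:
    """Serialise claims canonically and append an HMAC-SHA256 tag: <payload>.<tag>."""
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    return f"{_b64e(payload)}.{_b64e(_sign(payload, key))}"


def _verify(blob: str, key: bytes) -> Optional[dict]:
    """Return the claims if the tag matches, else None. Malformed or forged
    input is rejected here, before anything touches the database."""
    try:
        payload_b64, tag_b64 = blob.split(".")
        payload, tag = _b64d(payload_b64), _b64d(tag_b64)
    except (ValueError, TypeError):  # wrong shape or invalid base64
        return None
    # compare_digest avoids leaking the tag byte-by-byte through timing
    if not hmac.compare_digest(tag, _sign(payload, key)):
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    return claims if isinstance(claims, dict) else None


# --- PI1.2 / CC5.3: HMAC-signed license keys ---------------------------------

def issue_license_key(email: str, tier: str, key: bytes = SECRET_KEY) -> str:
    return _issue({"email": email, "tier": tier}, key)


def verify_key_signature(license_key: str, key: bytes = SECRET_KEY) -> Optional[dict]:
    """Signature check that runs before the DB lookup; forged keys never reach it."""
    return _verify(license_key, key)


def tamper_tier(license_key: str, new_tier: str) -> str:
    """What an attacker without the server secret can do: edit the payload and
    keep the old tag. The tag no longer matches, so verification fails."""
    payload_b64, tag_b64 = license_key.split(".")
    claims = json.loads(_b64d(payload_b64))
    claims["tier"] = new_tier
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    return f"{_b64e(payload)}.{tag_b64}"


# --- CC5.2: HMAC-signed bearer tokens with expiry -----------------------------

def create_token(user_id: int, is_admin: bool = False,
                 now: Optional[int] = None, key: bytes = SECRET_KEY) -> str:
    now = int(time.time()) if now is None else now
    return _issue({"sub": user_id, "is_admin": is_admin,
                   "iat": now, "exp": now + TOKEN_TTL_SECONDS}, key)


def decode_token(token: str, now: Optional[int] = None,
                 key: bytes = SECRET_KEY) -> Optional[dict]:
    """Valid tag AND not expired; either failure returns None."""
    now = int(time.time()) if now is None else now
    claims = _verify(token, key)
    if claims is None or not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


def require_admin(token: str, now: Optional[int] = None) -> dict:
    """Stand-in for a FastAPI dependency: raises unless the token is valid and is_admin."""
    claims = decode_token(token, now)
    if claims is None or claims.get("is_admin") is not True:
        raise PermissionError("admin privileges required")
    return claims


def demo() -> dict:
    """Exercise the checks on constructed inputs and return the outcomes."""
    key = issue_license_key("alice@example.com", "pro")
    t0 = 1_700_000_000
    admin_tok, user_tok = create_token(1, is_admin=True, now=t0), create_token(2, now=t0)
    try:
        require_admin(user_tok, now=t0)
        non_admin_rejected = False
    except PermissionError:
        non_admin_rejected = True
    return {
        "genuine_key": verify_key_signature(key),                       # payload dict
        "forged_key": verify_key_signature(tamper_tier(key, "enterprise")),  # None
        "garbage_key": verify_key_signature("not-a-key"),               # None
        "admin_sub": require_admin(admin_tok, now=t0)["sub"],           # 1
        "expired": decode_token(admin_tok, now=t0 + TOKEN_TTL_SECONDS), # None
        "non_admin_rejected": non_admin_rejected,                       # True
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The two properties worth checking in any implementation of this pattern are visible in demo(): a payload edited without the secret is rejected by the signature check alone (no database round trip), and a token is rejected at its exact expiry instant, not one second later. Swapping `hmac.compare_digest` for `==` would make the tag comparison short-circuit on the first mismatching byte.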
6. Confidentiality Controls (C Series)
| Control | Description | Status |
|---|---|---|
| C1.1 | TLS 1.2+ enforced for all client-server communications (HTTPS redirect, HSTS) | Implemented |
| C1.2 | Secrets encrypted at rest using Windows DPAPI (secrets.vault) | Implemented |
| C1.3 | Database credentials stored in a .env file that is not committed to version control | Implemented |
| C1.4 | Password hashing with bcrypt (per-password salt; no reversible encryption) | Implemented |
| C1.5 | .NET binary obfuscation (Obfuscar) raises the effort of reverse-engineering distributed software; it protects intellectual property, not customer data, and is no substitute for keeping secrets out of the binary | Implemented |
| C1.6 | mTLS / zero-trust mode for enterprise deployments requiring mutual certificate authentication | Implemented |
7. Privacy Controls (P Series)
| Control | Description | Status |
|---|---|---|
| P1.1 | Privacy Policy published and accessible (privacy.html) | Implemented |
| P1.2 | Data minimization: only essential data collected (email, name, license key, HWID) | Implemented |
| P1.3 | Newsletter opt-in/opt-out: explicit subscribe with one-click unsubscribe | Implemented |
| P1.4 | No payment card data stored; all payment processing handled by Stripe (PCI DSS Level 1 service provider) | Implemented |
| P1.5 | GDPR compliance checks automated in ComplianceView (6 GDPR-specific controls) | Implemented |
8. Compliance Summary
| Trust Services Category | Controls | Implemented | Status |
|---|---|---|---|
| Security (CC) | 20 controls | 20 / 20 | Complete (self-assessed) |
| Availability (A) | 5 controls | 5 / 5 | Complete (self-assessed) |
| Processing Integrity (PI) | 5 controls | 5 / 5 | Complete (self-assessed) |
| Confidentiality (C) | 6 controls | 6 / 6 | Complete (self-assessed) |
| Privacy (P) | 5 controls | 5 / 5 | Complete (self-assessed) |
| Total | 41 controls | 41 / 41 | All implemented (self-assessed) |
9. Audit & Certification
IAMVC Holdings, LLC is committed to obtaining a SOC 2 Type II report from an independent CPA firm (SOC 2 is an attestation report, not a certification). Our current posture is based on self-assessment against the AICPA Trust Services Criteria; the "Implemented" statuses above have not yet been tested by an auditor.
Audit Timeline
- Q1 2026: Internal controls documentation complete (this document)
- Q2 2026: Engage independent auditor for readiness assessment
- Q3-Q4 2026: Type II observation period (6-12 months)
- Q1 2027: SOC 2 Type II report issued
Requesting Compliance Documentation
Enterprise customers may request detailed compliance documentation, penetration test results, and security questionnaire responses by contacting enterprise@iamvcholdings.com.