Security is operational, not marketing.
The practices, certifications, and controls that keep your data and your team protected. Trust Center available on request.
Four foundations.
SOC 2 Type II
Audited annually. Reports available under NDA via our Trust Center.
Encrypted in transit & at rest
TLS 1.2+ everywhere; AES-256 at rest. Customer-managed keys on Enterprise.
Verified identities
Every placed engineer is identity-verified against government ID and re-verified annually.
Least-privilege access
Role-based access controls, SSO/SAML on Enterprise, full audit trails on every action.
When something goes wrong.
Detect
24/7 SIEM with automated alerting on anomalous access patterns. Median time-to-detect is under 5 minutes.
Triage
On-call security engineer assesses scope and severity within 15 minutes of detection. Customer impact mapped immediately.
Notify
Affected customers notified within 72 hours of confirmation, with scope, timeline, and remediation steps.
Post-mortem
Public, written post-mortem within 14 days of resolution. Permanent fixes tracked to completion.
The vendors we depend on.
Reviewed annually. Full list with DPAs available on request.
Compliance
SOC 2 Type II annually. GDPR and CCPA compliant. ISO 27001 in progress for 2026. DPA available for every customer.
Infrastructure
Hosted on AWS in us-east, eu-west, and ap-southeast. Multi-AZ deployments with daily encrypted backups and tested restore procedures.
Application security
Static and dynamic analysis on every pull request. Penetration tests twice yearly by an independent third party. Bug bounty program at security.heystaff.com.
People security
Background-checked staff, mandatory MFA, short-lived credentials, hardware keys on all production access.
Incident response
24/7 on-call rotation. Customer notification within 72 hours of any confirmed incident affecting your data.
Reporting a vulnerability
Responsible disclosure to security@heystaff.com. We acknowledge within 24 hours and award bounties for qualifying reports.
Request our Trust Center
SOC 2 Type II report, DPA, sub-processor list, and pen-test summaries — under NDA.
Security questions.
Is Heystaff SOC 2 Type II certified?
Yes — audited annually by an independent CPA firm. Reports available under mutual NDA via our Trust Center.
Where is customer data stored?
AWS us-east, eu-west, and ap-southeast. Customers can pin data residency to a single region on Enterprise.
Do you support SSO and SCIM?
Yes — Google, Microsoft, and Okta SSO on every plan. SAML and SCIM provisioning are included with Enterprise.
How do you handle vulnerability disclosure?
Responsible disclosure to security@heystaff.com. Acknowledged within 24 hours; qualifying reports earn bounties.
Ready to meet your next engineer?
30-minute calibration call. No commitment, no sales theater.