SOC 2 status
Ochre is not SOC 2 certified and there is no audit currently underway. What we offer in the meantime.
Short version: Ochre is not SOC 2 certified, and we are not currently in a SOC 2 audit. We will not put a fake badge on the marketing site, and we will not pretend an audit is in flight when it is not.
Where we actually are
SOC 2 is on the roadmap. We will pursue it once the customer base justifies the audit cost (auditors, time-in-observation, dedicated compliance work). That has not happened yet, and a misleading "audit in progress" claim does no one any favours.
If your procurement process has a hard requirement that vendors be SOC 2 certified at signing, we will be honest: today, we do not meet that bar. Many security teams will accept compensating evidence for a fast-moving startup. The list below is what we can share.
What we already do
A SOC 2 report is a paper artifact. The controls behind it are what actually protect your data. Ochre has the foundational controls in place independent of any audit:
- Tenant isolation with Postgres row-level security. See How workspace isolation works.
- Encryption at rest via Supabase and AWS (AES-256 at the volume layer). Encryption in transit with TLS 1.3. See Where Ochre stores your data.
- BYOK key encryption with a dedicated OCHRE_BYOK_ENC_KEY, held separately from the database service role key. Customers can rotate by re-pasting the key in settings.
- Webhook signature verification with HMAC-SHA256 and constant-time comparison on Resend, Slack, HubSpot, Linear, GitHub, and Stripe. Replay protection via timestamp windows (Resend, Linear) and delivery-id dedupe (GitHub). See How Ochre verifies inbound webhooks.
- Survey token HMAC signing with a dedicated OCHRE_SURVEY_TOKEN_SECRET, separate from the service role key.
- Role-based access control at the workspace level. See Roles explained.
- Production access controls for Ochre engineers, with short-lived credentials.
- Vendor list with documented purposes and regions. See Requesting our security questionnaire.
- Incident response process with named owners.
- Data portability and deletion under GDPR, handled via concierge. See GDPR and your data rights.
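The webhook bullet above compresses three separate checks into one line. As an added example (not Ochre's code, and not the real scheme of any of the providers named; the header names, the `<timestamp>.<body>` signing layout and the 5-minute window are assumptions chosen for illustration), here is a Python verifier that applies all three in the order that matters: timestamp window first, then HMAC-SHA256 with a constant-time compare, then delivery-id dedupe only after the signature has verified.

```python
from __future__ import annotations

import hashlib
import hmac
import time

# Hypothetical header names and signing layout, chosen for this example.
# Real providers (Stripe, GitHub, Linear, ...) each define their own.
HDR_TIMESTAMP = "X-Example-Timestamp"
HDR_SIGNATURE = "X-Example-Signature"
HDR_DELIVERY_ID = "X-Example-Delivery-Id"
TIMESTAMP_WINDOW_SECONDS = 300  # assumed tolerance for clock skew and retries


def _signed_payload(timestamp: str, body: bytes) -> bytes:
    # Binding the timestamp into the MAC is what makes the window check
    # meaningful: a captured message cannot be re-dated without the secret.
    return timestamp.encode("utf-8") + b"." + body


def sign_webhook(secret: bytes, body: bytes, delivery_id: str, now: float) -> dict[str, str]:
    """Sender side: produce the headers the verifier expects (used for testing)."""
    timestamp = str(int(now))
    digest = hmac.new(secret, _signed_payload(timestamp, body), hashlib.sha256).hexdigest()
    return {HDR_TIMESTAMP: timestamp, HDR_SIGNATURE: digest, HDR_DELIVERY_ID: delivery_id}


class WebhookVerifier:
    def __init__(self, secret: bytes, window: int = TIMESTAMP_WINDOW_SECONDS) -> None:
        self._secret = secret
        self._window = window
        # In-memory dedupe for illustration only; a multi-instance service
        # needs a shared store (table or cache) with a TTL of at least `window`.
        self._seen_delivery_ids: set[str] = set()

    def verify(self, headers: dict[str, str], body: bytes, now: float | None = None) -> tuple[bool, str]:
        """Return (accepted, reason). `body` must be the raw bytes as received,
        not a re-serialised JSON object, or the MAC will not match."""
        now = time.time() if now is None else now
        timestamp = headers.get(HDR_TIMESTAMP)
        signature = headers.get(HDR_SIGNATURE)
        delivery_id = headers.get(HDR_DELIVERY_ID)
        if not (timestamp and signature and delivery_id):
            return False, "missing headers"

        # 1. Timestamp window, checked first: cheap, and it rejects stale
        #    replays before any secret-dependent work is done.
        try:
            ts = int(timestamp)
        except ValueError:
            return False, "bad timestamp"
        if abs(now - ts) > self._window:
            return False, "stale timestamp"

        # 2. HMAC-SHA256 over timestamp + body, compared in constant time so
        #    response timing does not leak how many leading bytes matched.
        expected = hmac.new(self._secret, _signed_payload(timestamp, body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected.encode("ascii"), signature.lower().encode("utf-8")):
            return False, "bad signature"

        # 3. Delivery-id dedupe, only after the MAC verified: recording ids from
        #    unauthenticated requests would let anyone pre-poison the set and
        #    block a legitimate delivery with the same id.
        if delivery_id in self._seen_delivery_ids:
            return False, "replayed delivery id"
        self._seen_delivery_ids.add(delivery_id)
        return True, "ok"
```

Two details worth carrying over to any real implementation: verify against the raw request body before any JSON parsing or framework re-encoding, and store delivery ids somewhere shared across instances, otherwise a replay that lands on a different app server passes.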
What we do not have today:
- No SOC 2 report.
- No self-serve SSO, SCIM, or IP allowlisting. These are set up for Scale customers as a concierge service; email hello@ochrehq.com.
- No in-product audit log. State changes that we care about (key rotation, ownership transfers) are recorded in application logs and Stripe / Supabase logs, but there is no audit_log table or UI today.
We would rather list what we have honestly than imply more.
What we will share now
If your security team needs artifacts to evaluate Ochre, email hello@ochrehq.com under NDA and we will send any of the following:
- The current security questionnaire (CAIQ-lite or your own template).
- Sub-processor list with regions.
- Data flow diagram.
- DPA with SCCs.
- Architecture overview of the points covered in Security at Ochre.
- Pen test summary (most recent).
See Requesting our security questionnaire.
What changes when we do start the audit
When we begin the formal SOC 2 process, this article will be updated with the auditor and timeline. Until then, treat any claim of "SOC 2 in progress" attributed to Ochre as wrong, and ask us directly.