2Lines Software — Trust Center
Last updated: February 21, 2026
Our Commitment to Security
2Lines Software builds and operates cloud-based software for our clients. We take the security of our systems and our clients' data seriously. This Trust Center provides an overview of our security practices, compliance posture, and commitments.
Compliance Status
| Program | Scope | Status |
|---|---|---|
| SOC 2 Type I | Security, Confidentiality | Audit-ready; engagement pending |

We have implemented a comprehensive compliance program covering 40 Trust Service Criteria controls across Security (CC1-CC9) and Confidentiality (C1). Our compliance framework is assessed and maintained on an ongoing basis.
Security Practices
Access Control
We enforce strict access controls across all systems:
- Multi-factor authentication (MFA) is required for all user accounts
- Role-based access controls limit permissions to what is necessary for each role
- Access grants are reviewed quarterly and revoked promptly when no longer needed
- Service accounts are inventoried and unused credentials are removed
Encryption
We protect data in transit and at rest:
- All web traffic is encrypted using TLS 1.2 or higher
- Data at rest is encrypted using AES-256 encryption
- Encryption keys are managed through dedicated key management services
- SSL certificates are issued by trusted Certificate Authorities with automated renewal
Change Management
We follow controlled processes for all system changes:
- All code changes require review through pull requests before deployment
- Automated CI/CD pipelines enforce testing, linting, and security scanning before merge
- Branch protection rules prevent direct commits to production branches
- Emergency changes follow a documented expedited process with post-incident review
Monitoring and Logging
We maintain visibility into our systems:
- Centralized logging with 365-day retention across all production environments
- Automated security alerts for suspicious activity, authentication failures, and configuration changes
- Regular vulnerability scanning of all public-facing applications
- Quarterly penetration testing of production infrastructure
Incident Response
We maintain a documented incident response plan:
- Defined severity levels with corresponding response procedures
- Notification to affected parties within 72 hours of confirmed incidents
- Post-incident reviews to identify root causes and prevent recurrence
- Cyber insurance coverage for incident response support
Business Continuity
We design for resilience:
- Automated database backups with defined recovery objectives
- Disaster recovery procedures documented and maintained
- Cloud infrastructure deployed across managed services with built-in redundancy
- Recovery time and recovery point objectives defined for all critical systems
Data Handling
Where Data Resides
All production data is hosted in North American data centers through enterprise-grade cloud providers. We do not process or store data in regions outside of North America unless specifically agreed upon with clients.
Data Classification
We classify data into four levels — Critical, Sensitive, Internal, and Public — with controls appropriate to each level. Client data is classified as Sensitive or Critical depending on its nature, and is protected accordingly.
Data Retention and Disposal
Data is retained only as long as necessary for business purposes or as required by contractual obligations. When data is no longer needed, it is securely deleted using methods appropriate to the storage medium.
Vulnerability Management
We conduct regular security assessments of our infrastructure:
- Automated vulnerability scanning against all public-facing URLs
- Dependency scanning for known vulnerabilities in third-party libraries
- Secret scanning to prevent accidental credential exposure
- Remediation tracked and prioritized by severity
Our most recent scan (February 2026) found zero critical, high, or medium vulnerabilities across all production targets.
Subprocessors
We use the following third-party services in delivering our products:
| Provider | Purpose |
|---|---|
| Google Cloud Platform | Cloud infrastructure, compute, database, and storage |
| GitHub | Source code management, CI/CD, and collaboration |
| Google Workspace | Business email, identity management, and collaboration |
| 1Password | Secrets and credential management |
| Cloudflare | DNS management and CDN |
| Zensurance | Cyber insurance |

Governance
Policies
We maintain 12 security policies covering information security, access control, encryption, change management, incident response, risk assessment, vendor management, data classification, acceptable use, business continuity, logging and monitoring, and security training. All policies are reviewed and approved annually.
Training
All personnel complete annual security awareness training covering topics including secure coding practices, phishing awareness, data handling, and incident identification.
Risk Assessment
We conduct formal risk assessments to identify, evaluate, and mitigate risks to our systems and data. Risks are scored and tracked through a documented process with regular review.
Contact
For security inquiries, to request our compliance documentation under NDA, or to report a security concern:
Email: john@2linessoftware.com
2Lines Software is committed to maintaining the trust our clients place in us. This page reflects our current security posture and is updated as our program evolves.
