Security
The standard we sell, applied to us first.
Anyone selling security as a service should hold themselves to the same standards they ask their customers to adopt. Here is how we do that.
Certifications
goCloudOffice undergoes an annual SOC 2 Type II audit by an independent CPA firm. Our most recent report covers the period 2025-11-01 through 2026-04-30 and is available under NDA to qualified prospects.
We operate as a HIPAA business associate for client engagements that involve protected health information (PHI), and we have signed Business Associate Agreements (BAAs) on file with each healthcare client.
Trust center
Our trust center hosts the documents most prospects ask for: the SOC 2 Type II report, our data processing addendum (DPA), our security questionnaire (CAIQ-Lite), our subprocessor list, and our incident response policy summary. Request access and we'll send a link.
How we run our own IT
The same 360SmartIT operational stack we sell to clients is the one running our own laptops, identity, and cloud services. Eating our own cooking is not optional in this business. Specifically:
- Identity — Microsoft Entra ID, with Conditional Access requiring both MFA and a trusted (compliant) device on every sign-in. FIDO2 hardware security keys are mandatory for accounts above a designated risk tier.
- Endpoints — Every device is enrolled in our own RMM (NinjaOne) and patched within 72 hours of vendor release for critical updates and within 14 days for everything else.
- EDR — Bitdefender GravityZone on every endpoint, with detections monitored by our SOC around the clock.
- Secrets — All credentials, API tokens, and OAuth secrets in macOS Keychain or in our secrets manager. Never in plaintext files, never in git, never in chat.
- Backups — Endpoint backup (Acronis) on every managed device, M365 mailbox backup (Datto) for every staff account, point-in-time restore tested quarterly.
- Logging — Centralized logging from every system (endpoints, identity, cloud, network) into our SIEM, retained 12 months hot, 84 months cold.
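As an illustration of the identity control above, here is an added example (not goCloudOffice's production policy) of a Conditional Access policy built with the Microsoft Graph PowerShell SDK that requires both MFA and a compliant device. The point worth checking in any tenant is the grant operator: 'OR' lets a sign-in pass with either control alone, while 'AND' is what "MFA + device-trust on every authentication" actually means. The break-glass account ID is a placeholder, and the policy is created in report-only state first so its impact can be reviewed in the sign-in log before enforcement.

```powershell
# Added example, not goCloudOffice's own code. Requires the
# Microsoft.Graph.Identity.SignIns module and an account that can
# manage Conditional Access.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Assumption: object ID of a dedicated break-glass account, excluded so a
# Conditional Access mistake cannot lock every administrator out.
$breakGlassId = '00000000-0000-0000-0000-000000000000'  # placeholder, replace

# WEAK: 'OR' is satisfied by either control on its own, so a phished
# password plus any compliant device, or MFA from an unmanaged laptop,
# both get through. Shown for contrast only; do not deploy this.
$weakGrant = @{
    operator        = 'OR'
    builtInControls = @('mfa', 'compliantDevice')
}

# REQUIRED: 'AND' means every sign-in must present MFA and come from a
# device that Intune reports as compliant.
$strongGrant = @{
    operator        = 'AND'
    builtInControls = @('mfa', 'compliantDevice')
}

$policy = @{
    displayName   = 'CA001 - Require MFA and compliant device for all users'
    # Report-only first; flip to 'enabled' after reviewing the sign-in log impact.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{
            includeUsers = @('All')
            excludeUsers = @($breakGlassId)
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = $strongGrant
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Audit: flag any enabled policy that names both controls but joins them
# with 'OR', i.e. the weak form of $weakGrant above.
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object {
        $_.State -eq 'enabled' -and
        $_.GrantControls.Operator -eq $weakGrant.operator -and
        $_.GrantControls.BuiltInControls -contains 'mfa' -and
        $_.GrantControls.BuiltInControls -contains 'compliantDevice'
    } |
    ForEach-Object {
        Write-Warning "Policy '$($_.DisplayName)' requires MFA OR a compliant device, not both"
    }
```

The FIDO2 requirement for the higher-risk tier would be a second policy scoped to that group that swaps the plain mfa control for a phishing-resistant authentication strength; the all-users policy above stays in place underneath it.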
Vulnerability disclosure
If you find a security issue in any goCloudOffice property — this site, our customer portal, an exposed configuration, anything — we want to hear from you. Email security@gocloudoffice.com with what you found and the steps to reproduce it.
- We respond within one business day.
- We commit to good-faith remediation timelines that scale with severity.
- We do not pursue legal action against good-faith researchers.
- We're happy to credit researchers in our hall of fame; let us know your preference.
Data handling
Customer data is processed in the United States, on AWS US-West-2 and US-East-1 (production primary + DR), with Cloudflare-fronted edge caching. We do not transmit customer data outside the US without explicit, contracted consent.
Subprocessors are listed in our trust center. Material additions are notified to all customers no fewer than 30 days before they take effect.
Reporting an incident
If you are an active customer and you believe an incident affecting your data is in progress, call (408) 555-0100 and ask for the security team — that line is monitored 24 hours. Don't wait for business hours.