Certifications

goCloudOffice maintains SOC 2 Type II certification, audited annually by an independent CPA firm. Our most recent report covers the period 2025-11-01 through 2026-04-30 and is available under NDA to qualified prospects.

We are HIPAA-compliant as a business associate for client engagements that involve protected health information. We have signed Business Associate Agreements (BAAs) on file for healthcare clients.

Trust center

Our trust center hosts the documents most prospects ask for: the SOC 2 Type II report, our data processing addendum (DPA), our security questionnaire (CAIQ-Lite), our subprocessor list, and our incident response policy summary. Request access and we will send a link.

How we run our own IT

The same 360SmartIT Department operational stack we sell to clients is the one running our own laptops, identity, and cloud services. Eating our own cooking is foundational to how we operate. Specifically:

  • Identity — Microsoft Entra ID with Conditional Access enforcing MFA + device-trust on every authentication. FIDO2 hardware keys for accounts above a designated risk tier.
  • Endpoints — All devices enrolled in our own RMM (NinjaOne), patched within 14 days of vendor release for non-critical patches and within 72 hours for critical ones.
  • Endpoint security — Bitdefender GravityZone on every endpoint (managed anti-malware + endpoint protection, baseline-enforced via the 360SmartIT Department base).
  • EDR + 24/7 SOC — We run our own 360CyberProtect MDR add-on on top of the base: behavioral detection, active response, and human SOC analyst review of every elevated alert. The same package any customer can layer on at their computer count.
  • Secrets — All credentials, API tokens, and OAuth secrets stored exclusively in macOS Keychain or our secrets manager. Plaintext files, git repositories, and chat surfaces are out of bounds.
  • Backups — Endpoint backup (Acronis) on every managed device, M365 mailbox backup (Datto) for every staff account, point-in-time restore tested quarterly.
  • Logging — Centralized logging from every system (endpoints, identity, cloud, network) into our SIEM, retained 12 months hot, 84 months cold.

Vulnerability disclosure

If you find a security issue in any goCloudOffice property — this site, our customer portal, an exposed configuration, anything — we want to hear from you. Submit it through our trust portal, where our security posture and vulnerability-disclosure intake live.

  • We respond within one business day.
  • We commit to good-faith remediation timelines depending on severity.
  • We do not pursue legal action against good-faith researchers.
  • We are happy to credit researchers in our hall of fame; let us know your preference.

Data handling

Customer data is processed in the United States, on AWS US-West-2 and US-East-1 (production primary + DR), with Cloudflare-fronted edge caching. Customer data stays within the United States by default; international transfer requires your explicit, contracted consent.

Subprocessors are listed in our trust center. All customers are notified of material additions no fewer than 30 days before they take effect.

Reporting an incident

If you are an active customer and you believe an incident affecting your data is in progress, reply to any goCloudOffice email or use the support address in your welcome packet with "INCIDENT" in the subject line, then reach our support portal. Our team monitors these continuously, and we treat confirmed incidents as our top priority. For the fastest acknowledgement, include your company name, the systems affected, and what you are observing.