Security & Compliance

Security and Compliance Trust Center

Operated by Centinel Trust  |  Product: DocupletionForms.com
Last updated: October 15, 2025  |  Contact: james@docupletionforms.com

DocupletionForms is built for law firms and regulated professionals who require structured security controls, documented governance, and operational transparency. Our control environment aligns with SOC 2 Trust Services Criteria covering Security, Availability, Confidentiality, and Processing Integrity.

SOC 2-aligned controls  |  TLS 1.2+ in transit  |  AES-256 at rest  |  MFA enforced

Overview

A structured control environment

DocupletionForms.com operates within a structured control environment designed to protect client data and administrative access. All administrative systems require VPN access and multi-factor authentication. No public administrative endpoints are exposed.

Encryption is enforced in transit and at rest. System monitoring, backup validation, and access reviews are performed according to defined operational schedules.

Key technical controls

How systems and data are protected

Encryption

  • TLS 1.2 or higher for data in transit
  • AES-256 encrypted daily backups
  • Encrypted S3 storage

Access Security

  • Outline VPN required for administrative access
  • Multi-factor authentication enforced
  • SSH key-based access control

Monitoring

  • Imunify360 malware detection
  • AIDE file integrity monitoring
  • Log review conducted monthly

Backups and Validation

  • Daily encrypted backups using JetBackup 5
  • Weekly S3 validation
  • Monthly restore test documentation

Policy framework

Documented governance

Information Security Policy

HTTPS enforced across all systems. VPN restricted administrative access. Monthly log review. Annual policy review.

Access Control Policy

Least privilege model. Quarterly access review. Deprovisioning within 24 hours when access is no longer required.

Data Retention and Disposal Policy

Application data retained up to 3 years unless contractually extended. Backups rotate every 30 days. No production data stored on unmanaged devices.

Incident Response Policy

Alerts reviewed within 24 hours. Confirmed incidents logged and remediated immediately. Client notification within 72 hours when required.

Vendor Risk Management Policy

Critical vendors publish security documentation and undergo annual review.

Operational practices

Run on defined schedules

Review Cadence

  • Backup restore test — Monthly
  • Log review — Monthly
  • Access control review — Quarterly
  • Policy review — Annually

Account Hygiene

  • Password length ≥ 12 characters
  • Password manager required
  • MFA enforced

Change Control

  • All production changes logged
  • Pre-update backup snapshot required

Approved vendors & systems

The stack behind the controls

  • AWS: Infrastructure and S3 storage
  • cPanel & WHM: Server management
  • JetBackup 5: Backup management
  • Imunify360: Malware detection
  • AIDE: File integrity monitoring
  • Outline VPN: Administrative gateway
  • Google Workspace: Identity and MFA

Logs & review records

Evidence kept for audit consistency

  • Access Review Log: Internal
  • Incident Log: Internal
  • Policy Review Log: Internal
  • Backup Restore Test Notes: Internal

Each record includes date, reviewer, and summary result for audit consistency.

Readiness & disclosure

Built to scale into certification

DocupletionForms maintains a SOC 2-aligned control set appropriate for a growing SaaS platform. As institutional volume increases, Centinel Trust plans to engage Vanta and an independent auditor for SOC 2 Type I and Type II certification. Additional documentation is available under NDA upon request.

Pathway to SOC 2 — current status

Implemented now, and what’s next

Implemented Controls

  • Daily system report with 90-day retention
  • Logrotate compression and retention enforcement
  • AIDE scheduled file integrity monitoring
  • SSH key-based access control
  • MFA enforced for WHM and cPanel