Operated by Centinel Trust | Product: DocupletionForms.com
Last updated: October 15, 2025 | Contact: james@docupletionforms.com
DocupletionForms is built for law firms and regulated professionals who require structured security controls, documented governance, and operational transparency. Our control environment aligns with SOC 2 Trust Services Criteria covering Security, Availability, Confidentiality, and Processing Integrity.
Overview
DocupletionForms.com operates within a structured control environment designed to protect client data and administrative access. All administrative systems require VPN access and multi-factor authentication. No public administrative endpoints are exposed.
Encryption is enforced in transit and at rest. System monitoring, backup validation, and access reviews are performed according to defined operational schedules.
Key Technical Controls
Encryption
TLS 1.2 or higher for data in transit
AES-256 encrypted daily backups
Encrypted S3 storage
Access Security
Outline VPN required for administrative access
Multi-factor authentication enforced
SSH key-based access control
Monitoring
Imunify360 malware detection
AIDE file integrity monitoring
Log review conducted monthly
Backups and Validation
Daily encrypted backups using JetBackup 5
Weekly S3 validation
Monthly restore test documentation
Policy Framework
Information Security Policy
HTTPS enforced across all systems. VPN-restricted administrative access. Monthly log review. Annual policy review.
Access Control Policy
Least privilege model. Quarterly access review. Deprovisioning within 24 hours when access is no longer required.
Data Retention and Disposal Policy
Application data retained up to 3 years unless contractually extended. Backups rotate every 30 days. No production data stored on unmanaged devices.
Incident Response Policy
Alerts reviewed within 24 hours. Confirmed incidents logged and remediated immediately. Client notification within 72 hours when required.
Vendor Risk Management Policy
Critical vendors publish security documentation and undergo annual review.
Operational Practices
Review Cadence
Backup restore test - Monthly
Log review - Monthly
Access control review - Quarterly
Policy review - Annually
Account Hygiene
Password length >= 12 characters
Password manager required
MFA enforced
Change Control
All production changes logged
Pre-update backup snapshot required
Approved Vendors and Systems
AWS - Infrastructure and S3 storage
cPanel and WHM - Server management
JetBackup 5 - Backup management
Imunify360 - Malware detection
AIDE - File integrity monitoring
Outline VPN - Administrative gateway
Google Workspace - Identity and MFA
Logs and Review Records
Access Review Log - Internal
Incident Log - Internal
Policy Review Log - Internal
Backup Restore Test Notes - Internal
Each record includes date, reviewer, and summary result for audit consistency.
Readiness and Disclosure
DocupletionForms maintains a SOC 2-aligned control set appropriate for a growing SaaS platform. As institutional volume increases, Centinel Trust plans to engage Vanta and an independent auditor for SOC 2 Type I and Type II certification. Additional documentation is available under NDA upon request.
Pathway to SOC 2 - Current Status
Implemented Controls
Daily system report with 90-day retention
Logrotate compression and retention enforcement
AIDE scheduled file integrity monitoring
SSH key-based access control
MFA enforced for WHM and cPanel
Next Phase Improvements
Automated alerting for backup failures and anomaly detection