Pathway to SOC 2

Security & Compliance Overview

Operated by Centinel Trust • Product: DocupletionForms.com
Last updated: • Contact: james@docupletionforms.com

Overview

DocupletionForms.com, operated by Centinel Trust, aligns with SOC 2 Trust Services Criteria — Security, Availability, Confidentiality, and Processing Integrity. Administrative and developer access is restricted behind VPN and multi-factor authentication to safeguard client and system data.

Privileged Access Gateway: Administrative access to AWS/WHM and the cPanel-hosted application is reachable only through the Outline VPN, with MFA enforced at the WHM, cPanel, and application logins. No administrative endpoints are exposed to the public Internet.

Key Technical Controls

Encryption

  • TLS 1.2+ enforced for data in transit
  • JetBackup 5 performs AES-256 encrypted daily backups (active)

Access Security

  • Outline VPN required for all admin logins (AWS/WHM and cPanel)
  • MFA via Google Authenticator on app, WHM, and cPanel

Monitoring

  • Imunify360 for malware and file integrity monitoring
  • Server and application access logs retained for ≥ 90 days

Backups

  • Daily encrypted backups using JetBackup 5
  • Weekly integrity checks of the backup copies stored in S3
  • Monthly restore tests documented in backup logs
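The weekly integrity check above is only as good as the comparison it performs. The following Python script is an added example, not JetBackup's or Centinel Trust's tooling and not part of the original page: it verifies a directory of backup archives against a sha256sum-style manifest (the "digest  filename" manifest format, the archive names, and the `SHA256SUMS` file name are assumptions for illustration). It runs locally against constructed sample files; in practice the same check would be pointed at a synced copy of the S3 bucket, with the manifest kept apart from the archives (or signed) so that whoever can alter an archive cannot simply rewrite its expected digest.

```python
# Added example: verify backup archives against a SHA-256 manifest.
# Not Centinel Trust's or JetBackup's code; the manifest format (sha256sum-style
# "digest  filename" lines) and the file names are assumptions for illustration.
import hashlib
import hmac
import os
import tempfile

MANIFEST_NAME = "SHA256SUMS"  # assumed name of the manifest stored beside the archives


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large archives are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def parse_manifest(text):
    """Parse sha256sum-style lines ('<hex digest>  <name>') into {name: digest}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        entries[name.lstrip("*")] = digest.lower()  # '*' marks binary mode in sha256sum
    return entries


def verify_backups(backup_dir, manifest):
    """Return {name: status} where status is ok / mismatch / missing / unlisted.

    Every listed file is hashed; a file in the directory that the manifest does
    not mention is reported too, since an unexpected object among the backups
    deserves a look as much as a corrupted or missing one.
    """
    results = {}
    for name, expected in manifest.items():
        path = os.path.join(backup_dir, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        actual = sha256_file(path)
        results[name] = "ok" if hmac.compare_digest(actual, expected) else "mismatch"
    for name in sorted(os.listdir(backup_dir)):
        if name not in manifest and name != MANIFEST_NAME:
            results[name] = "unlisted"
    return results


def demo():
    """Build a constructed backup directory, tamper with it, and run the check."""
    with tempfile.TemporaryDirectory() as backup_dir:
        # Constructed sample archives standing in for encrypted daily backup output.
        samples = {
            "accounts-2025-01-06.tar.gz.enc": b"\x00" * 4096 + b"sample-archive-A",
            "accounts-2025-01-07.tar.gz.enc": b"\x01" * 4096 + b"sample-archive-B",
            "accounts-2025-01-08.tar.gz.enc": b"\x02" * 4096 + b"sample-archive-C",
        }
        for name, payload in samples.items():
            with open(os.path.join(backup_dir, name), "wb") as fh:
                fh.write(payload)
        # The manifest is written at backup time; keep it separate from (or signed
        # independently of) the archives so an attacker cannot fix both at once.
        manifest_text = "".join(
            f"{sha256_file(os.path.join(backup_dir, n))}  {n}\n" for n in samples
        )
        with open(os.path.join(backup_dir, MANIFEST_NAME), "w") as fh:
            fh.write(manifest_text)

        # Simulate what a weekly check must catch: one archive silently altered,
        # one deleted, and one object nobody listed in the manifest.
        with open(os.path.join(backup_dir, "accounts-2025-01-07.tar.gz.enc"), "r+b") as fh:
            fh.seek(100)
            fh.write(b"\xff")
        os.remove(os.path.join(backup_dir, "accounts-2025-01-08.tar.gz.enc"))
        with open(os.path.join(backup_dir, "stray-object.bin"), "wb") as fh:
            fh.write(b"not in manifest")

        return verify_backups(backup_dir, parse_manifest(manifest_text))


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9s} {name}")
```

Any result other than `ok` for every listed archive is what should land in the Backup Restore Test Notes with a date and reviewer, and a `missing` or `unlisted` entry is worth treating as a potential incident rather than a housekeeping item.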

Policy Summaries

1) Information Security Policy

All systems use HTTPS/TLS and VPN-restricted administrative access. Imunify360 continuously monitors for malware and anomalies. JetBackup 5 provides encrypted daily backups. Alerts are triaged within 24 hours (see the Incident Response Policy) and logs are reviewed monthly. Policies are reviewed annually by the Compliance Officer.

2) Access Control Policy

Least-privilege access is enforced with unique, named accounts and MFA. Administrative access additionally requires VPN authentication. Access is reviewed quarterly, and accounts of departed or inactive users are deprovisioned within 24 hours of identification.

3) Data Retention & Disposal Policy

Customer data for the DocupletionForms application (hosted in cPanel) is retained for up to [X years] unless required longer by law/contract. Backups are rotated every 30 days and securely deleted thereafter. No production data is stored on unmanaged personal devices.

4) Incident Response Policy

Alerts from Imunify360 or system logs are reviewed within 24 hours. Confirmed incidents are logged and remediated immediately. Affected clients are notified within 72 hours of confirmation, as applicable.

5) Vendor Risk Management Policy

All critical vendors maintain public security documentation. Vendors are reviewed annually for security posture and contract compliance.

Operational Practices

Review Cadence

  • Backup restore test – Monthly
  • Log and anomaly review – Monthly
  • Access control review – Quarterly
  • Policy updates – Annually

Account Hygiene

  • Passwords ≥ 12 characters
  • Bitwarden/1Password recommended for credential storage
  • MFA enforced across all admin systems

Change Control

  • Service changes are recorded in a changelog
  • Pre-update backup snapshots required

Approved Vendors & Systems

  • AWS – Infrastructure and S3 storage
  • cPanel/WHM – Server & application management
  • JetBackup 5 – Encrypted backups (active)
  • Imunify360 – Malware / file integrity monitoring
  • Outline VPN – Admin access gateway
  • Google Workspace – Identity & MFA

Logs & Review Records

  • Access Review Log – Internal (Google Drive)
  • Incident Log – Internal (Google Drive)
  • Policy Review Log – Internal (Google Drive)
  • Backup Restore Test Notes – Internal (Google Drive)

Each log records date, reviewer, and summary result for audit consistency.

Readiness & Disclosure

DocupletionForms.com, operated by Centinel Trust, maintains a SOC-2-aligned control set suitable for a small team. As client and institutional volume scales, Centinel Trust plans to engage Vanta and an independent auditor for a SOC 2 Type I and, subsequently, Type II attestation. We welcome security questionnaires and provide additional details under NDA.


© 2025 Centinel Trust • DocupletionForms.com • All rights reserved.