Most vendors wave a SOC 2 badge and call it a day. We've been in rooms where a framed certificate on the wall was doing more work than the security team. Certifications tell you someone passed an audit. They don't tell you what happens at 2am when something goes wrong. We'll show you that part too.
SOC 2. HIPAA. ISO 27001. GDPR. CCPA. FedRAMP. These matter. We're not dismissing them. If your compliance team requires specific certifications, we understand. Some industries don't have a choice — healthcare, finance, government. The checkbox is non-negotiable.
But here's what we've learned: a certification is a snapshot of a moment in time. It tells you that on the day of the audit, the right policies were in the right binder. It doesn't tell you whether anyone followed them last Tuesday.
If your org needs the formal certification, we're ready. Let's talk about it. But either way — we'll show you the actual work.
A certificate on the wall tells you someone passed an audit.
We'll show you the runbook for when things break.
These aren't aspirational. This is how we work every day. And we'll prove it.
AES-256 for all stored assets and metadata. Database encryption enabled at the storage layer. Encryption keys are managed separately from data and rotated on schedule.
TLS 1.3 everywhere. All API traffic, all asset transfers, all internal service communication. No exceptions. No fallback to older protocols.
JWT with short-lived tokens. SSO/SAML support. Optional MFA. Password hashing with bcrypt. No plaintext credentials anywhere — not in logs, not in cache, not in error messages.
Role-based permissions with granular controls. Every API endpoint enforces authorization. Admin actions are audit-logged. Permission checks happen server-side, never client-side.
Every significant action is logged with who, what, when, and from where. Logins, uploads, downloads, permission changes, deletions. Immutable. Exportable. Queryable.
Automated vulnerability scanning on every build. Dependencies are pinned, reviewed, and updated on a regular cadence. No phantom dependencies, no abandoned packages.
All user input validated at the boundary. Parameterized queries — no SQL injection. Content-Security-Policy headers — no XSS. File type validation on upload. OWASP Top 10 addressed by architecture, not by hope.
Rate limiting is enforced on authentication, upload, and API endpoints. Configurable per-route. Designed to stop credential stuffing and abuse without blocking legitimate traffic.
Documented runbooks. Defined escalation paths. Tested procedures. Not a PDF in a drawer. A living process that gets exercised and updated. We'll show you the runbook.
Most vendors hand you a one-page security overview and a logo. We hand you the actual documents.
Under NDA, Professional and Enterprise clients get access to our complete security documentation. Not a summary. Not a marketing PDF. The real policies, the real procedures, the real runbooks. Your security team can read exactly what we do and decide for themselves.
Why? Because we'd rather you trust what you've read than trust what we've told you.
| Document | What it covers |
|---|---|
| Information Security Policy | Scope, roles, responsibilities, governance |
| Access Control Policy | Authentication, authorization, least privilege, review cadence |
| Incident Response Plan | Detection, triage, escalation, communication, post-mortem |
| Data Handling & Classification | How we store, process, transmit, and dispose of data |
| Business Continuity Plan | Backup strategy, recovery objectives, failover procedures |
| Vulnerability Management | Scanning, patching, disclosure, remediation timelines |
| Third-Party Risk Assessment | How we evaluate vendors and dependencies |
| Penetration Test Results | Findings and remediation status from third-party testing |
Policies written. Controls implemented. Documentation complete. The only thing between us and the formal stamp is writing the auditor a check. If your org requires a specific certification, we'll get it. The hard part is already finished.
Audit-ready. Controls are implemented, documented, and operational. Policies, evidence collection, and monitoring are in place. The formal audit is a scheduling and billing exercise — not a scramble. If your procurement team needs the report, talk to us and we'll engage the auditor.
Fully supported. PHI safeguards built into the architecture. Encryption, access controls, audit logging, and BAA available for Enterprise clients. Self-hosted gives you complete control over PHI. Need the formal compliance letter? Same answer — we're ready when you are.
ISMS documentation is complete. Policies, risk assessments, controls, and the statement of applicability are written and in use. Not aligned. Not "following the framework." Done. The certification is a formality we'll complete when a client needs it on paper.
Compliant by design. Data minimization, right to erasure, data portability, and processing records built into the platform. DPA available on request. Not an afterthought — the architecture was built with GDPR from day one.
Supported. User data export, deletion requests, and opt-out mechanisms are operational. Self-hosted deployments give you direct control over data residency and jurisdiction.
Your infrastructure. Your jurisdiction. Your rules. When your compliance team says data can't leave the building, you don't need a certification — you need control. We give you the software. You decide where it lives.
The bottom line: We didn't skip the work and promise to do it later. The policies are written. The controls are running. The documentation is finished. Formal certification is a billing event, not a project. Go ask your CTO. Then ask your CFO. We'll be here.
"Where is my data stored?"
Wherever you want it. Self-hosted means your servers, your cloud, your choice of region. Managed hosting uses Cloudflare R2 with configurable data residency. You pick the jurisdiction.
"Can we do a security review before buying?"
Yes — once we're in active discussions. We share full documentation under NDA with qualified prospects who have a real use case and a real timeline. We're happy to open the books. We just need to know who we're opening them to.
"Do you have pen test results?"
Yes, and we'll share them. Third-party penetration test results, findings, and remediation status are included in the NDA documentation package.
"What happens if there's a breach?"
We have a documented incident response plan — and we'll show it to you. Defined roles, escalation paths, communication timelines, and post-mortem process. Not a theoretical document. A practiced one.
"Does AI processing send our data to third parties?"
Only if you choose a cloud AI provider. Use Ollama and your data never leaves your network. Use Claude or GPT and data is sent to those providers per their terms. You choose. We don't make the decision for you.
"Why don't you have formal SOC 2 / ISO certification yet?"
Because we did the work before we wrote the check. Most startups buy the audit first and scramble to pass it. We built the controls, wrote the policies, and documented everything first. The formal certification happens when a client needs it — and it'll be a formality, not a fire drill. In the meantime, we'll show you the actual documentation. That's better than a logo.
Full security documentation — policies, runbooks, pen test results — is available under NDA to clients and prospects we're actively working with. The first step is a conversation. Tell us about your requirements and we'll set up a call with our engineering team. No sales rep. No slide deck. Just the people who built it.
Security practices described on this page reflect the current state of the BETTER! platform and are subject to change as we improve. Compliance framework statuses are accurate as of March 2026. Specific security documentation is available under NDA to qualified prospective and current clients. All product names and trademarks belong to their respective owners.