Security

Summary of technical and organizational controls for customer data on UltraOffice.

Compliance & Certifications

  • SOC 2 Type I — in progress. Report expected early June 2026.
  • SOC 2 Type II — observation window begins immediately after Type I is issued.
  • GDPR — compliant; DPA available on request.
  • CCPA (California Consumer Privacy Act) — compliant. CCPA is California law that gives residents rights to know what personal information businesses collect, to request deletion, to opt out of the sale or sharing of personal information (including certain targeted advertising), and to not be discriminated against for exercising those rights. For privacy requests, contact security@ultraoffice.ai.

The control program runs continuously and produces evidence including policies, access reviews, change management, logging, backups, vulnerability scans, and incident response.

Technical controls

Data isolation

Each team has dedicated Google Cloud Storage buckets and encryption keys managed in Google Cloud KMS. IAM policies at the infrastructure layer restrict which principals can read or write each bucket.

One team's objects are not stored in another team's bucket; access is enforced in IAM, not only in application code.

Layered access controls

  • Row-level security in the database filters rows by team
  • Application-layer authorization on requests
  • Infrastructure-level IAM for storage
  • Audit logs for data access

Encryption

  • In transit: TLS 1.3 between browsers and our services
  • At rest: AES-256 for stored objects
  • Keys: Per-team keys in Google Cloud KMS (not a single shared key for all customers)

Authentication & Access

  • Default: email OTP (a one-time code sent to your inbox at each login — no shared password)
  • Enterprise: SSO via SAML 2.0 or OIDC; Just-In-Time (JIT) provisioning; IDP- and SP-initiated flows; domain-claim enforcement
  • Role-Based Access Control (RBAC) with least-privilege defaults
  • Audit logging of authentication and authorization events
  • Session management with configurable timeout and revocation

Google Cloud Platform

Services run on Google Cloud Platform. Relevant published service characteristics include:

  • 99.95% uptime SLA (per Google Cloud product terms where applicable)
  • Multi-region redundant storage in our configuration
  • Backups with point-in-time recovery where enabled

Data use, retention, and export

We do not:

  • Use customer content to train AI models
  • Share customer data with third parties for marketing
  • Access customer data without permission, except for support requests the customer initiates
  • Retain customer data after account deletion beyond a 30-day grace period; after that, deletion is permanent

Export: Customers can download their data in standard formats.

Subprocessors

We publish a subprocessor list of third-party services that process customer data on our behalf. Each listed subprocessor has a signed DPA and a SOC 2 report or equivalent where applicable.

View the full subprocessor list →

Testing & Assurance

  • Dependency scanning via GitHub security advisories and automated upgrade PRs
  • Secret scanning on every commit in CI
  • Quarterly access reviews across in-scope systems
  • Annual disaster recovery tests documenting recovery time objective (target time to restore service) and recovery point objective (maximum acceptable age of data lost in a disaster)
  • Tabletop incident response exercises at least annually

Documents Available Under NDA

The following are available under mutual NDA. Email security@ultraoffice.ai with your company name; we send the NDA and access link.

  • SOC 2 Type I report (once issued)
  • Data Processing Agreement (DPA)

Monitoring and audit logs

We retain audit logs of data access. Monitoring is configured to alert the security team on suspicious activity and on access patterns that indicate possible cross-team access.

Contact

  • Security inquiries, documentation requests, compliance questions: security@ultraoffice.ai
  • Vulnerability reports: security@ultraoffice.ai (responsible disclosure — acknowledged within 2 business days)
  • Enterprise customers: contact us for detailed security documentation, compliance certifications, and custom security reviews

Last updated: April 21, 2026