Dino is building toward full SOC 2 and GDPR compliance. This page is transparent about what we’ve implemented and what’s on our roadmap.
SOC 2 Type II
| Requirement | Status | Details |
|---|---|---|
| Access controls | Implemented | CODEOWNERS, branch protection, PR review requirements |
| Change management | Implemented | 13 CI checks, enforcement checksums (HMAC-SHA256), protected file gate |
| Code review | Implemented | Mandatory PR reviews, adversarial spec review process |
| Vulnerability scanning | Implemented | SonarQube (custom quality gate), Aikido, npm audit, eslint-plugin-security |
| Incident response | Implemented | Documented runbook, severity classification, response timeline |
| Audit logs | Planned (M1.5) | Activity tracking, scan history, configuration change logs |
| Evidence collection | Planned | Automated compliance evidence for auditors |
| Third-party audit | Planned | SOC 2 Type II engagement post-launch |
GDPR
| Requirement | Status | Details |
|---|---|---|
| Data minimization | Implemented | Only scan metadata stored, not API payloads |
| No personal data in reports | Implemented | Reports contain schema structure and findings, not user data |
| Tenant data isolation | Implemented | Strict tenant boundaries, no cross-tenant access |
| LLM redaction | Implemented | Secrets stripped before any data reaches AI providers |
| Data retention policies | Planned | Configurable retention periods per tenant |
| Right-to-deletion | Planned | Tenant data deletion workflow |
| DPA template | Planned | Data Processing Agreement for enterprise customers |
Enterprise Readiness
Implemented
- Tenant isolation
- Secret handling (no secrets in config)
- SSRF protection (7 vulnerabilities found and fixed)
- Executable config blocking
- Supply chain security (provenance, SBOM, audit)
- 13-check CI pipeline
Planned
- Audit logs and activity tracking (M1.5)
- SSO integration (M1.5)
- Role-based access control for dashboard (M1.5)
- BYOI — bring your own infrastructure (M2+)
- On-premise deployment option (M2+)
- SOC 2 Type II audit engagement
Our Approach
We don’t claim compliance we haven’t earned. Instead:
- Build the controls first — access management, change control, and vulnerability scanning are in place today
- Document honestly — this page tells you exactly what’s ready and what’s not
- Ship incrementally — audit logs, SSO, and formal evidence collection are the next priorities
- Get audited — third-party SOC 2 engagement is planned after the core controls are complete
Questions about Dino’s security posture? Email security@usedino.dev or file a security advisory on GitHub.