Compliance - Dino

Dino is building toward full SOC 2 and GDPR compliance. This page is transparent about what we’ve implemented and what’s on our roadmap.

SOC 2 Type II

Requirement	Status	Details
Access controls	Implemented	CODEOWNERS, branch protection, PR review requirements
Change management	Implemented	13 CI checks, enforcement checksums (HMAC-SHA256), protected file gate
Code review	Implemented	Mandatory PR reviews, adversarial spec review process
Vulnerability scanning	Implemented	SonarQube (custom quality gate), Aikido, npm audit, eslint-plugin-security
Incident response	Implemented	Documented runbook, severity classification, response timeline
Audit logs	Planned (M1.5)	Activity tracking, scan history, and configuration change logs
Evidence collection	Planned	Automated compliance evidence for auditors
Third-party audit	Planned	SOC 2 Type II engagement post-launch

GDPR

Requirement	Status	Details
Data minimization	Implemented	Only scan metadata stored, not API payloads
No personal data in reports	Implemented	Reports contain schema structure and findings, not user data
Tenant data isolation	Implemented	Strict tenant boundaries, no cross-tenant access
LLM redaction	Implemented	Secrets stripped before any data reaches AI providers
Data retention policies	Implemented	Configurable retention periods per tenant
Right-to-deletion	Implemented	Tenant data deletion workflow
DPA template	Implemented	Data Processing Agreement for enterprise customers

Our Approach

We don’t claim compliance we haven’t earned. Instead:

Build the controls first: access management, change control, and vulnerability scanning are in place today

Document honestly: this page tells you exactly what’s ready and what’s not

Ship incrementally: audit logs, SSO, and formal evidence collection are the next priorities

Questions about Dino’s security posture? Email security@usedino.dev or file a security advisory on GitHub.

Documentation Index