SOC2 Alignment & Data Security

SOC2-aligned security, implemented as architecture.

SOC2 (Service Organization Controls Type 2) is an AICPA auditing framework covering Security, Availability, Processing Integrity, Confidentiality, and Privacy. InWork Global implements the controls SOC2 requires without currently holding a formal SOC2 Type 2 report. We are moving toward formal certification.

SOC2-aligned practices · MFA + RBAC · AES-256 / TLS 1.3 · OWASP-reviewed
SOC2-aligned security and data architecture

InWork's SOC2 position

Aligned controls, transparent status.

SOC2 (Service Organization Controls Type 2) is an auditing framework developed by the AICPA. It assesses a service organization's controls around Security, Availability, Processing Integrity, Confidentiality, and Privacy.

InWork Global operates under SOC2-aligned practices — we implement the controls that SOC2 requires without currently holding a formal SOC2 Type 2 report. We are moving toward formal certification, and we state that position plainly rather than overclaiming.

Security controls we implement

The controls behind the alignment.

Access control

MFA on all internal systems, RBAC on all platforms, least-privilege access, quarterly access review, and immediate access revocation on offboarding.

Encryption

AES-256 for all data at rest, TLS 1.3 for all data in transit, encrypted database backups, and key management via AWS KMS or Azure Key Vault.

Infrastructure security

Production on AWS or Azure (SOC2 Type 2 certified infrastructure), private VPCs with security groups and NACLs, no public database endpoints, WAF on all public-facing endpoints, and regular vulnerability scanning.

Monitoring & incident response

Centralized log management, automated alert thresholds for unusual access patterns, an incident response plan with defined escalation, and a security incident register.

Development security

Security inside the build pipeline.

OWASP Top 10 addressed in all code reviews
Dependency scanning (npm audit, Snyk)
No secrets in code — environment variables only
Separate dev, staging, and production environments
Production access restricted to senior engineers
All code goes through peer review before merge

Control domains

How each SOC2 area is covered.

The five Trust Services Criteria and the practices that back each one.

Criterion | Without architecture | InWork-aligned practice
Security | Shared logins, broad access | MFA, RBAC, least privilege, quarterly access review
Availability | Single environment, no isolation | Private VPCs, WAF, monitoring, defined incident response
Confidentiality | Plaintext at rest, secrets in code | AES-256 at rest, TLS 1.3 in transit, no secrets in source
Processing integrity | Direct-to-prod changes | Peer review before merge, separated dev/staging/prod

SOC2-aligned

Moving toward formal certification

InWork operates with SOC2-aligned security practices — access controls, encryption in transit and at rest, incident response, and security monitoring. We do not hold a formal SOC2 Type 2 certification at this time.

Compliance by design

Ship on infrastructure built to a security standard.

Every InWork engagement includes a security architecture review at no extra cost. Tell us about your data and your threat model.

Integrity. Urgency. Ownership.


40+ US businesses served · 65+ engineers · Zero long-term lock-in
