Security Controls & Compliance

Last updated: April 2, 2026 — Comprehensive framework of security controls, compensating measures, and compliance status

Control Framework Overview

Drafted maintains a comprehensive security control framework covering 11 key control areas. This framework aligns with industry standards (SOC 2, ISO 27001, NIST CSF) and addresses enterprise client requirements, vendor compliance questionnaires, and regulatory obligations.

Total Control Areas: 11 | Active Controls: 7 | Compensating Controls: 4

Active Security Controls (7/11)

a) External Policy or Notice to Public

Privacy Policy, Terms of Service, and Information Security Policy published or available upon request

b) Written Internal Policies & Procedures

Comprehensive policies covering information security, modern slavery prevention, code of conduct, and vendor management

c) Internal Audits of Security Program

Firestore Security Rules reviewed pre-deployment, access controls spot-checked, annual risk assessment cycle

e) Risk Assessment & Management Process

Annual risk assessment across IT, privacy, reputation, business continuity, labor/human rights, and compliance

f) Service Provider Data Protection Process

Vendor vetting checklist, DPAs, annual compliance attestations, right to audit, sub-processor monitoring

g) Incident Response Procedures

Severity classification (Critical/High/Medium/Low), escalation procedures, 72-hour breach notification, non-retaliation policy

h) Change Management Process

Code review for all changes, staging environment testing, immutable deploy artifacts, security impact review

Compensating Controls (4/11 with Risk Mitigation)

d) Third-Party Security Audits

Status: Not currently conducted. Compensation: Netlify (SOC 2 Type II), Google Cloud (ISO 27001, SOC 1/2/3), AWS (FedRAMP High) certifications cover 95%+ of infrastructure. External vulnerability reporting program provides continuous assessment. npm audit + GitHub Dependabot monitor dependencies.

i) Mobile Device Policy

Status: Not applicable. Compensation: Cloud-native architecture (no local data storage), all access via encrypted HTTPS, no BYOD program, no mobile app in scope, device encryption + MFA + secure Wi-Fi standards enforced.

j) Telecommuting Security Policy

Status: Partially documented. Compensation: Cloud-native architecture eliminates remote-specific risks, MFA + device encryption + secure Wi-Fi required, no sensitive data stored locally, confidentiality agreements address physical security.

k) Resource Monitoring & Capacity Planning

Status: Handled by cloud providers. Compensation: Netlify, Firebase, and AWS auto-scaling manage capacity automatically. Monitoring via provider dashboards + billing alerts. No manual provisioning needed.

Infrastructure Provider Certifications

Netlify — SOC 2 Type II

Web hosting, CDN, serverless functions. Audited by a Big Four accounting firm. Trust page: https://www.netlify.com/trust

Google Cloud / Firebase — ISO 27001, SOC 1/2/3

Firestore database, authentication, storage. Multiple annual independent audits. Trust page: https://cloud.google.com/security/compliance

AWS Bedrock — FedRAMP High

AI inference and model invocation. Most rigorous government compliance standard. Trust page: https://aws.amazon.com/compliance

Data Security Architecture

Encryption in Transit: TLS 1.2+ enforced on all endpoints (Netlify CDN edge)

Encryption at Rest: AES-256 encryption managed by Google Cloud KMS for all Firestore and Storage data

Secret Management: All API keys and service credentials stored exclusively in Netlify's encrypted environment variable store, never in source code. Rotated upon personnel changes or suspected exposure.

Access Control: Firebase Authentication with email-verified sessions, Role-Based Access Control (RBAC) at Firestore Security Rules layer, principle of least privilege for all service accounts, MFA for sensitive operations, automatic session invalidation.
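The following is an illustrative Firestore Security Rules file added here to show how the access-control properties listed above (email-verified sessions, RBAC enforced at the rules layer, least privilege) are expressed in rules code; it is not Drafted's own ruleset. It assumes hypothetical collections named users, roles and audit, and that role documents are written only by trusted server-side code.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // A caller counts as signed in only if Firebase Authentication
    // reports a verified email address on the ID token.
    function isVerifiedUser() {
      return request.auth != null
        && request.auth.token.email_verified == true;
    }

    // Role lookup from /roles/{uid}; these documents are written only by
    // server-side code (assumption for this example), never by clients.
    function hasRole(role) {
      return isVerifiedUser()
        && exists(/databases/$(database)/documents/roles/$(request.auth.uid))
        && get(/databases/$(database)/documents/roles/$(request.auth.uid)).data.role == role;
    }

    // A user may read and update only their own profile document, and may
    // not touch a 'role' field even on their own document (privilege escalation guard).
    match /users/{userId} {
      allow read: if isVerifiedUser() && request.auth.uid == userId;
      allow update: if isVerifiedUser() && request.auth.uid == userId
        && !request.resource.data.diff(resource.data).affectedKeys().hasAny(['role']);
      allow create, delete: if false;
    }

    // Role assignments: readable by their owner, never writable from a client.
    match /roles/{userId} {
      allow read: if isVerifiedUser() && request.auth.uid == userId;
      allow write: if false;
    }

    // Admin-only, append-by-server collection (hypothetical).
    match /audit/{docId} {
      allow read: if hasRole('admin');
      allow write: if false;
    }

    // Firestore rules are deny-by-default; this explicit catch-all documents
    // that intent for reviewers without widening any access.
    match /{document=**} {
      allow read, write: if false;
    }
  }
}
```

Each get() in hasRole() counts toward the per-request document-read limit, so rules that check roles on many paths are a candidate for custom claims on the ID token instead; either way the decision stays in the rules layer, which is what the pre-deployment review described above covers.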

Vendor & Third-Party Security Requirements

All vendors undergo security assessment before engagement:

  • Background and reputation checks
  • Compliance certification verification (SOC 2, ISO 27001, or equivalent)
  • Reference checks with existing clients
  • Written security requirements in Data Processing Agreements (DPAs)
  • Annual compliance attestations and right-to-audit

Incident Response Framework

Severity | Response Time | Examples

Critical | Immediate (within 1 hour) | Unauthorized database access, credential compromise, data breach confirmation

High | Within 4 hours | Suspected unauthorized access, API key exposure, security control failure

Medium | Within 24 hours | Failed security controls, anomalous patterns, policy violations

Low | Within 72 hours | Minor policy exceptions, informational findings, process improvements

Breach Notification: Affected individuals and clients notified within 72 hours of confirmed data breach.

Employee & Contractor Security Obligations

  • All personnel sign confidentiality agreements before accessing systems
  • Security training provided upon hire and annually
  • Background checks conducted for roles with sensitive data access
  • Access provisioned on need-to-know basis and revoked upon departure
  • Violations subject to documented disciplinary action
  • Multi-factor authentication required for all platform access
  • Secure Wi-Fi or VPN required for remote work
  • Device encryption enabled (macOS FileVault, Windows BitLocker)
  • Password managers enforced for credential storage

Compliance & Contact Information

Security Incidents: security@joindrafted.com

Privacy Requests: privacy@joindrafted.com

Legal & Compliance: legal@joindrafted.com

General Contact: hello@joindrafted.com

This control framework demonstrates Drafted's commitment to enterprise-grade security practices.
Contact us for detailed security documentation or audits.