DIDHub serves regulated enterprises across 130+ jurisdictions. This page summarizes the controls, certifications, and operational practices that protect customer data and the voice/SMS plane that runs on top of it.
Last updated: 2026-04-25.
| Framework | Status | Scope |
|---|---|---|
| SOC 2 Type II | In place | Annual third-party audit; covers Security, Availability, and Confidentiality criteria. Report available under NDA. |
| ISO/IEC 27001 | Certified | Information Security Management System covering production infrastructure, customer data handling, and personnel. |
| GDPR (EU) / UK GDPR | Compliant | Standard DPA available; sub-processor list published below; SCCs for non-EU transfers. |
| CCPA / CPRA (California) | Compliant | Privacy notice + consumer rights handling. |
| HIPAA (US) | Available with BAA | BAA signing on Enterprise plans for covered entities and business associates. |
| PCI DSS | Outsourced | DIDHub does not store or process raw cardholder data. Payment processing is delegated to a PCI DSS Level 1 validated payment processor. |
| STIR/SHAKEN (US/CA) | Operating with Attestation A | Outbound US/CA calls are signed at origination with full (Attestation A) SHAKEN PASSporTs using an STI certificate issued by an approved STI-CA; terminating carriers verify the signature, so this is origin authentication, not end-to-end encryption. |
Telecom regulator registrations per country are listed on /regulatory.
Documents available to customers and prospects:

- **SOC 2 Type II report.** Most recent annual report. Released under a mutual NDA. Request via [email protected].
- **ISO/IEC 27001 certificate.** Public PDF available on request; includes scope, certifying body, and expiry.
- **Penetration test summary.** Annual independent network and application penetration test. Executive summary released under NDA.
- **Data Processing Agreement.** Standard Article 28 DPA with EU SCCs as an annex. Counter-signed within 5 business days. Details below.
- **Business Associate Agreement.** For HIPAA-covered customers on Enterprise plans.
- **Security questionnaires.** Pre-filled SIG Lite and CAIQ-Lite responses available, which saves your security team a few weeks.
DIDHub maintains a current list of all third parties that may process customer data, the purpose for each, and the regions in which they operate. We commit to publishing changes at least 30 days before a new sub-processor begins processing customer data, giving you time to object.
- **Encryption.** TLS 1.2+ for all transport. SRTP for voice media on supported endpoints. AES-256 at rest for application data and backups. Signaling and media to customer SBCs are encrypted on that hop where the far end supports it; note that an SBC terminates SRTP, so protection is hop-by-hop rather than end-to-end.
- **Edge protection.** WAF, DDoS mitigation, and TLS termination at a global anycast edge. Rate-limiting, IP reputation, and bot-management policies are applied at the edge before requests reach origin.
- **Identity and access.** SSO/OIDC for the dashboard (Google, Microsoft, Okta, generic OIDC). MFA enforced for staff access to production. Just-in-time elevation; access reviewed quarterly.
- **Infrastructure.** Serverless edge compute, isolated managed databases, no shell access to production by default. Infrastructure-as-code with peer review on every change.
- **Monitoring and logging.** Centralized log aggregation, anomaly detection, and a 24×7 on-call rotation. Audit logs for all admin and API actions are retained for a minimum of 12 months.
- **Resilience.** Multi-region redundant data plane. Daily backups with 30-day retention and periodic restore drills. Voice has independent failover routes per country.
- **Secure development.** Mandatory peer review, static analysis, dependency-vulnerability scanning, and secrets scanning on every change. Production deploys are gated on CI checks.
- **People.** Background checks for production-access roles. Annual security awareness training. Confidentiality obligations in every employment and contractor agreement.
For deeper technical detail (specific controls, key management, hardening baselines), our System Description and Customer Security Whitepaper are available on request to [email protected].
DIDHub operates a region-aware data plane. By default, customer data is processed and stored in the region matching the customer's billing entity and their DIDs:
| Customer region | Data plane | Voice media region |
|---|---|---|
| EU / UK | EU (Frankfurt + Amsterdam) | EU SBC pool |
| United States / Canada | NOAM (US-East + US-West) | NOAM SBC pool |
| APAC | APAC (Singapore + Tokyo) | APAC SBC pool |
| MENA | MENA (Dubai), with EU fallback | MENA SBC pool |
| LATAM | NOAM (with regional egress) | LATAM SBC pool |
Single-tenant SBC pools and dedicated regions are available for customers with strict residency requirements (German federal, French OIV, UK FCA, Indian critical-infrastructure, US healthcare). Talk to us about the specific regulatory profile.
A more detailed architecture overview — covering data flow, system components, and trust boundaries — is available on request.
DIDHub offers a standard Article 28 DPA covering processor obligations, sub-processor management, security measures, breach notification, and data subject rights. EU Standard Contractual Clauses (SCCs, 2021/914) are attached as Annex II for non-EU transfers, and the UK IDTA / Addendum is available for UK transfers.
Most customers don't need a custom DPA — our standard form is signed by EU enterprises and US healthcare alike. To execute:
If your legal team requires markup of our standard form, we accept redlines on Enterprise plans.
If you have discovered a security issue affecting DIDHub, we want to hear from you. Email [email protected] with:
We commit to an initial response within 2 business days. Good-faith security research is welcomed under our Safe Harbor: we won't pursue legal action against researchers who follow responsible-disclosure practices, give us reasonable time to remediate, and avoid privacy violations or service disruption while testing.
Out of scope: social engineering of staff or customers, physical attacks on offices, denial-of-service, automated scanner output without analysis, and findings on third-party platforms (report those to the relevant vendor).
For questionnaires, audit-evidence requests, BAAs, DPAs, or anything else listed above, write to [email protected]. For real-time security incidents affecting your account, page our 24×7 SOC at [email protected].