
Security & Trust.

SOC 2 Type I readiness: in progress · GDPR + DPDP Act: in force · Last reviewed

Elofyn Solutions Pvt Ltd ships software from a small studio in India. This page lists, in plain English, what we do today to keep customer and visitor data safe, what we are working toward, and how to reach a human when something breaks. It is a single page on purpose — if anything reads ambiguous, write to security@elofyn.com.

## 01 / SOC 2 readiness

We are mid-way through a SOC 2 Type I readiness assessment, with the target audit window opening in Q4 2026. The scope we are taking into the audit covers the three Trust Services Criteria categories most relevant to a hosted product surface — Security, Availability, and Confidentiality — and explicitly excludes the Processing Integrity and Privacy categories from the v1 attestation. Privacy is handled in parallel by the GDPR + DPDP Act notice at /policies/privacy; Processing Integrity is out of scope while the only paid surface (Dev Snippets API) is still pre-1.0.

Until the Type I report is issued, this page IS the attestation: every control we name here is enforceable today, and Stage 4 QA verifies that the technical claims (TLS version, HSTS header, backup cadence) match the running infrastructure on every release.

Status: Type I readiness · target audit window Q4 2026

## 02 / GDPR & DPDP Act posture

Elofyn is registered in India and ships globally. We are a data controller (GDPR) and data fiduciary (DPDP Act) for everything we collect through elofyn.com and the surfaces we operate. The lawful bases for processing are consent (contact-form messages, analytics) and legitimate interest (server logs and security telemetry), under GDPR Article 6(1)(a) and (f) and DPDP Act sections 6 and 7.

For transfers from the EEA or the UK into India, India is not covered by an EU adequacy decision; we rely on the Standard Contractual Clauses (Commission Decision 2021/914) and the UK IDTA addendum.

Role: Data controller (GDPR) / Data fiduciary (DPDP Act) — Elofyn Solutions Pvt Ltd
Legal bases: GDPR Art. 6(1)(a), (f); DPDP Act ss. 6, 7
International transfer: SCCs (EU 2021/914), UK IDTA addendum

Full data-protection notice → /policies/privacy.

## 03 / Subprocessors

The set of third parties that touch personal data on our behalf. Active rows are in production today; planned rows are scoped for Phase D and will move to Active when we wire them.

Subprocessors used to operate elofyn.com — vendor, purpose, data category, region, and current status.

| Vendor | Purpose | Data category | Region | Status |
| --- | --- | --- | --- | --- |
| Google LLC | Compute & object storage for elofyn.com | Server logs, encrypted database | us-central1 (Iowa, US) | Active |
| Google LLC | Analytics (GA4) — load-gated by consent | Pseudonymous event IDs | Global | Active |
| Cloudflare, Inc. | DNS, edge caching, DDoS protection | IP address, request metadata | Global | Planned · Phase D |
| Resend, Inc. | Transactional + contact-form email | Sender/recipient address, message body | EU/US | Planned · Phase D |
| Sentry GmbH | Error + performance telemetry | Request URL, stack trace, masked PII | EU (Frankfurt) | Planned · Phase D |
| Stripe Payments Europe Ltd. | Billing for Dev Snippets API | Email, payment method token | EU/US | Planned · Phase D |
| Upstash, Inc. | Edge rate-limit state (Redis) | IP-derived keys, counts only | EU (Frankfurt) | Planned · Phase D |

Material changes to this list are mirrored at /legal/elofyn-subprocessors-v1.json and announced in the journal.

## 04 / Data processing agreement

A draft DPA is available for review before contract signing. The draft tracks GDPR Article 28 minimum clauses (subject, duration, nature and purpose of processing, types of personal data, categories of data subjects, controller obligations) and ships with Elofyn-specific Schedule A (subject-matter), Schedule B (categories), and Schedule C (technical and organisational measures). A counter-signed version is issued by Elofyn legal upon Dev Snippets API enterprise contract.

Download draft DPA · PDF · v1 · 2026-05-31

The PDF cover bears the watermark DRAFT — pending legal review so a buyer cannot claim they received a final version without re-reading the cover.

## 05 / Report a vulnerability

If you have found a security vulnerability in elofyn.com, the Dev Snippets API, or any tool we ship, email security@elofyn.com. We acknowledge new reports within 5 business days and reach a triage decision within 10. Researchers acting in good faith — no service disruption, no data exfiltration beyond a single proof-of-concept record, no privacy violation, and a 90-day private window before public disclosure — will not be pursued legally and will be credited in the journal when a fix ships, if they wish.

We do not yet run a bug-bounty program, so we cannot pay rewards, but we will name and thank you publicly. Coordinated public advisories are filed with the journal, never on social channels first.

Encryption: not required for v1 reports — please submit over TLS and avoid posting PoC payloads past TLS termination.

Acknowledgement window

Initial response: within 5 business days
Triage decision: within 10 business days
Fix & disclosure coordination: case-by-case

## 06 / Encryption, residency, retention

Your input never leaves your browser when you use any /tools/* utility.

Encryption in transit: TLS 1.3 (Caddy + nginx; HSTS preload-eligible, includeSubDomains, max-age 63072000)
Encryption at rest: LUKS-encrypted host volumes; AES-256 at the managed-database tier
Backups: Daily snapshots, 30-day retention, encrypted at rest, geo-restricted to host region
Data residency: Primary region us-central1 (Iowa, US); no cross-region replication
Log retention: Server logs 30 days, contact-form messages 24 months (mirrors /policies/privacy §04)
Account & key rotation: All admin SSH and API root keys rotated ≤ 365 days; rotated immediately on offboarding
Live status page: ships with Phase A
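
A reader or auditor can check the HSTS claim above against a response header with a few lines of code. The following is an added example, not Elofyn's own QA code: the function names and sample headers are constructed for illustration, the max-age value is the one stated on this page, and the preload thresholds are the hstspreload.org header requirements.

```python
import re

CLAIMED_MAX_AGE = 63072000       # value stated in section 06 of this page
PRELOAD_MIN_MAX_AGE = 31536000   # hstspreload.org minimum (one year)

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1)."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue                      # the grammar allows empty directives
        name, _, arg = part.partition("=")
        name = name.strip().lower()       # directive names are case-insensitive
        arg = arg.strip()
        if len(arg) >= 2 and arg[0] == arg[-1] == '"':
            arg = arg[1:-1]               # quoted-string form, e.g. max-age="0"
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = arg
    return directives

def check_hsts(value):
    """Return mismatches against the stated policy; an empty list means it matches."""
    try:
        d = parse_hsts(value)
    except ValueError as exc:
        return [str(exc)]                 # browsers ignore a header with duplicates
    problems = []
    max_age = d.get("max-age", "")
    if not re.fullmatch(r"[0-9]+", max_age):
        problems.append("max-age missing or not an integer")
    elif int(max_age) < CLAIMED_MAX_AGE:
        problems.append(f"max-age {max_age} is below the stated {CLAIMED_MAX_AGE}")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing")
    return problems

def preload_eligible(value):
    """True if the header meets the hstspreload.org header requirements."""
    d = parse_hsts(value)
    age = d.get("max-age", "")
    return (re.fullmatch(r"[0-9]+", age) is not None and int(age) >= PRELOAD_MIN_MAX_AGE
            and "includesubdomains" in d and "preload" in d)

# Constructed sample headers (not captured from elofyn.com).
GOOD = "max-age=63072000; includeSubDomains; preload"
SHORT = 'Max-Age="31536000"; includesubdomains'
DUPLICATE = "max-age=63072000; max-age=0; includeSubDomains"
```

Pass the value of a live `Strict-Transport-Security` response header to `check_hsts`; an empty list means the header matches what this page states.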