SOC 2 & compliance
LiyaSupport's security certifications, compliance posture, and how to request audit reports.
LiyaSupport is committed to operating a secure, trustworthy platform. This page covers our current certifications, the security controls in scope, and how enterprise customers can access audit documentation for their own compliance programmes.
Certifications
| Certification | Type | Auditor | Scope |
|---|---|---|---|
| SOC 2 Type II | AICPA Trust Services | Independent third-party CPA firm | Security, Availability, Confidentiality TSC |
| ISO 27001 | ISMS certification | Accredited certification body | Information Security Management System |
| GDPR | Regulatory compliance | Self-attested + DPA | EU/EEA and UK data processing |
| CSA STAR Level 1 | Cloud security registry | Self-attested (CSA Consensus Assessment) | Cloud infrastructure controls |
SOC 2 Trust Services Criteria covered
Security (CC series) — the mandatory criteria covering:
- Logical access controls (MFA, RBAC, least privilege, session management)
- Change management (code review, CI/CD pipeline controls, deployment gates)
- Risk assessment and monitoring (vulnerability scanning, penetration testing)
- Incident response (detection, escalation, containment, post-mortems)
- Vendor management (sub-processor assessments, contractual controls)
Availability (A series) — covering:
- SLA commitments and uptime monitoring
- Disaster recovery (RTO < 4 hours, RPO < 1 hour)
- Infrastructure redundancy (multi-AZ deployments, automated failover)
Confidentiality (C series) — covering:
- Encryption at rest (AES-256) and in transit (TLS 1.2+)
- Data classification and handling procedures
- Disposal and destruction of data at end of subscription
Key security controls
| Control area | Implementation |
|---|---|
| Encryption at rest | AES-256 for databases and object storage; keys managed in AWS KMS with annual rotation |
| Encryption in transit | TLS 1.2 minimum, TLS 1.3 preferred; HSTS enforced; PFS enabled |
| Access control | RBAC, MFA enforced for admin accounts, SSO/SAML supported (Enterprise), session timeout configurable |
| Penetration testing | Annual third-party pen test + continuous automated scanning; CVEs remediated within SLA |
| Vulnerability management | Weekly dependency scanning (Snyk + GitHub Dependabot); critical CVEs patched within 7 days |
| Incident response | 24/7 on-call engineering; P1 response SLA < 30 minutes; status page at status.liyasupport.com |
| Background checks | All employees undergo background screening prior to accessing production systems |
| Endpoint security | MDM enforced on all company devices, disk encryption required, EDR deployed |
| Logging and monitoring | Centralised logging (Datadog), anomaly detection alerts, audit log retention per plan |
| Data deletion | 30-day grace period after cancellation, then hard delete within 90 days; export available |
Penetration testing
LiyaSupport undergoes an annual third-party penetration test conducted by an independent CREST-accredited firm. Test scope covers the web application, APIs, and internal network boundaries. Executive summaries of pen test findings and remediation status are available to Enterprise customers under NDA.
Bug bounty programme
We operate a private bug bounty programme via HackerOne. Qualifying researchers who responsibly disclose security vulnerabilities receive acknowledgement and rewards based on severity. To request an invitation, email [email protected] with a brief background on your security research experience.
GDPR compliance
For customers processing personal data of EU or UK residents, Liya acts as a data processor and you are the data controller. We provide:
- A standard Data Processing Addendum (DPA) for all paid plans
- Sub-processor list with 30-day advance notice of changes
- Data Subject Access Request (DSAR) handling tooling available in Settings
- Right to erasure: individual contact deletion with cascade to conversations
- EU Standard Contractual Clauses (SCCs) on request
Requesting compliance documentation
| Document | How to request | Available to |
|---|---|---|
| SOC 2 Type II report | Email [email protected] | Scale + Enterprise (NDA required) |
| ISO 27001 certificate | Email [email protected] | All paid plans |
| Penetration test summary | Email [email protected] | Enterprise (NDA required) |
| Data Processing Addendum | Settings → Security → Compliance → Sign DPA | All paid plans (self-serve) |
| Sub-processor list | Settings → Security → Compliance → Sub-processors | All paid plans (self-serve) |
| GDPR SCCs | Email [email protected] | All paid plans |
| Vendor security questionnaire | Email [email protected] with questionnaire | All paid plans |