LiyaSupport
Security

SOC 2 & compliance

LiyaSupport's security certifications, compliance posture, and how to request audit reports.

5 min read Updated July 2026

LiyaSupport is committed to operating a secure, trustworthy platform. This page covers our current certifications, the security controls in scope, and how enterprise customers can access audit documentation for their own compliance programmes.

Certifications

CertificationTypeAuditorScope
SOC 2 Type IIAICPA Trust ServicesIndependent third-party CPA firmSecurity, Availability, Confidentiality TSC
ISO 27001ISMS certificationAccredited certification bodyInformation Security Management System
GDPRRegulatory complianceSelf-attested + DPAEU/EEA and UK data processing
CSA STAR Level 1Cloud security registrySelf-attested (CSA Consensus Assessment)Cloud infrastructure controls
SOC 2 Type II and ISO 27001 reports are available under NDA to customers on the Scale or Enterprise plan. Contact [email protected] to request access.

SOC 2 Trust Services Criteria covered

Security (CC series) — the mandatory criteria covering:

  • Logical access controls (MFA, RBAC, least privilege, session management)
  • Change management (code review, CI/CD pipeline controls, deployment gates)
  • Risk assessment and monitoring (vulnerability scanning, penetration testing)
  • Incident response (detection, escalation, containment, post-mortems)
  • Vendor management (sub-processor assessments, contractual controls)

Availability (A series) — covering:

  • SLA commitments and uptime monitoring
  • Disaster recovery (RTO < 4 hours, RPO < 1 hour)
  • Infrastructure redundancy (multi-AZ deployments, automated failover)

Confidentiality (C series) — covering:

  • Encryption at rest (AES-256) and in transit (TLS 1.2+)
  • Data classification and handling procedures
  • Disposal and destruction of data at end of subscription

Key security controls

Control areaImplementation
Encryption at restAES-256 for databases and object storage; keys managed in AWS KMS with annual rotation
Encryption in transitTLS 1.2 minimum, TLS 1.3 preferred; HSTS enforced; PFS enabled
Access controlRBAC, MFA enforced for admin accounts, SSO/SAML supported (Enterprise), session timeout configurable
Penetration testingAnnual third-party pen test + continuous automated scanning; CVEs remediated within SLA
Vulnerability managementWeekly dependency scanning (Snyk + GitHub Dependabot); critical CVEs patched within 7 days
Incident response24/7 on-call engineering; P1 response SLA &lt; 30 minutes; status page at status.liyasupport.com
Background checksAll employees undergo background screening prior to accessing production systems
Endpoint securityMDM enforced on all company devices, disk encryption required, EDR deployed
Logging and monitoringCentralised logging (Datadog), anomaly detection alerts, audit log retention per plan
Data deletion30-day grace period after cancellation, then hard delete within 90 days; export available

Penetration testing

LiyaSupport undergoes an annual third-party penetration test conducted by an independent CREST-accredited firm. Test scope covers the web application, APIs, and internal network boundaries. Executive summaries of pen test findings and remediation status are available to Enterprise customers under NDA.

Bug bounty programme

We operate a private bug bounty programme via HackerOne. Qualifying researchers who responsibly disclose security vulnerabilities receive acknowledgement and rewards based on severity. To request an invitation, email [email protected] with a brief background on your security research experience.

GDPR compliance

For customers processing personal data of EU or UK residents, Liya acts as a data processor and you are the data controller. We provide:

  • A standard Data Processing Addendum (DPA) for all paid plans
  • Sub-processor list with 30-day advance notice of changes
  • Data Subject Access Request (DSAR) handling tooling available in Settings
  • Right to erasure: individual contact deletion with cascade to conversations
  • EU Standard Contractual Clauses (SCCs) on request
To sign the DPA, go to Settings → Security → Compliance → Sign DPA. An executed copy will be emailed to your account owner. For custom DPA terms, contact your account manager (Enterprise only).

Requesting compliance documentation

DocumentHow to requestAvailable to
SOC 2 Type II reportEmail [email protected]Scale + Enterprise (NDA required)
ISO 27001 certificateEmail [email protected]All paid plans
Penetration test summaryEmail [email protected]Enterprise (NDA required)
Data Processing AddendumSettings → Security → Compliance → Sign DPAAll paid plans (self-serve)
Sub-processor listSettings → Security → Compliance → Sub-processorsAll paid plans (self-serve)
GDPR SCCsEmail [email protected]All paid plans
Vendor security questionnaireEmail [email protected] with questionnaireAll paid plans