Trust Center
============

Welcome to Ghostable’s Trust Center. Security and privacy are built into how we operate, not bolted on. Use this page to understand our security posture and reach out if you need supporting documentation.

Ghostable is aligning its controls with the [SOC 2 Trust Services Criteria](https://drata.com/glossary/trust-services-criteria) for Security, Availability, and Confidentiality. We are not yet audited or certified.

SOC 2 Status
------------

- SOC 2 Type II: in progress.
- Target coverage period: Q1 2026 (dates TBD).
- Auditor selection: in progress.
- Policies and control documentation are maintained internally.
- Evidence collection is underway on a quarterly cadence.

Scope
-----

- Systems: Ghostable web app, API, desktop client, CLI, admin dashboard, and core infrastructure services used to operate the platform.
- Trust Services Criteria: Security, Availability, Confidentiality.

Controls summary
----------------

- Access control with least privilege and periodic access reviews.
- Audit logging for sensitive and administrative actions.
- Change management with source control and CI checks.
- Vulnerability management with dependency monitoring.
- Incident response procedures with tabletop exercises.
- Vendor management for critical third-party services.

Reviewers who want a concern-to-control mapping can use the [security controls matrix](https://docs.ghostable.dev/fundamentals/v2/security-and-operations/security-controls-matrix).

Zero-Knowledge Architecture
---------------------------

Encryption and decryption happen locally in trusted clients, including the desktop app and CLI, so Ghostable stores only ciphertext and non-sensitive metadata. This changes how certain controls are implemented, but not the security objectives they serve: server-side access control and audit logging, for example, still apply, but they govern ciphertext and metadata rather than plaintext. For a deeper walkthrough, see our [zero-knowledge guide](https://ghostable.dev/learn/zero-knowledge-encryption).

Release integrity
-----------------

Ghostable publishes verifiable release evidence for security review workflows, including checksums, software bill of materials artifacts, and signed build provenance where supported. For desktop releases, we also document code-signing and notarization verification steps so teams can validate what they install.

See [supply chain verification](https://docs.ghostable.dev/fundamentals/v2/security-and-operations/supply-chain-verification) for the current verification workflow.
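The checksum step of that workflow, as an added example that is not Ghostable's own tooling: it parses a sha256sum-style manifest (the `<hex digest>  <filename>` layout is an assumption here; the real artifact names and layout are in the linked docs), verifies a downloaded artifact against it, and refuses anything unlisted or mismatched. The artifacts and manifest below are constructed inline so the script runs offline.

```python
import hashlib
import hmac


def parse_checksum_manifest(text: str) -> dict[str, str]:
    """Parse sha256sum-style lines: '<64 hex chars>  <filename>'.

    The format is an assumption for this example; consult the project's
    supply chain verification docs for the actual manifest layout.
    """
    entries: dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(maxsplit=1)
        digest = parts[0].lower()
        if len(parts) != 2 or len(digest) != 64 or set(digest) - set("0123456789abcdef"):
            raise ValueError(f"manifest line {lineno} is not '<sha256>  <name>': {raw!r}")
        # sha256sum prefixes binary-mode names with '*'; strip it so lookups match
        name = parts[1].lstrip("*")
        if name in entries and entries[name] != digest:
            raise ValueError(f"manifest lists {name} twice with different digests")
        entries[name] = digest
    return entries


def verify_artifact(manifest: dict[str, str], name: str, data: bytes) -> tuple[bool, str]:
    """Compare an artifact's SHA-256 against the manifest entry for its name."""
    expected = manifest.get(name)
    if expected is None:
        # An artifact the manifest never mentioned is not "unknown", it is untrusted.
        return False, f"{name}: not listed in manifest; refuse to install"
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, expected):
        return False, f"{name}: digest mismatch (expected {expected[:12]}..., got {actual[:12]}...)"
    return True, f"{name}: ok"


def demo() -> dict[str, tuple[bool, str]]:
    """Constructed release: two artifacts, then a tampered copy and an unlisted file."""
    cli = b"#!/bin/sh\necho ghostable-cli 2.0.0\n"           # constructed, not a real release
    sbom = b'{"bomFormat": "CycloneDX", "components": []}'   # constructed placeholder SBOM
    manifest_text = "\n".join([
        "# checksums.txt (constructed for this example)",
        f"{hashlib.sha256(cli).hexdigest()}  ghostable-cli",
        f"{hashlib.sha256(sbom).hexdigest()} *sbom.cdx.json",
    ])
    manifest = parse_checksum_manifest(manifest_text)
    return {
        "cli_ok": verify_artifact(manifest, "ghostable-cli", cli),
        "sbom_ok": verify_artifact(manifest, "sbom.cdx.json", sbom),
        "cli_tampered": verify_artifact(manifest, "ghostable-cli", cli.replace(b"2.0.0", b"2.0.1")),
        "unlisted": verify_artifact(manifest, "ghostable-desktop.dmg", b"anything"),
    }


if __name__ == "__main__":
    for label, (ok, msg) in demo().items():
        print(f"{'PASS' if ok else 'FAIL'} {label}: {msg}")
```

A checksum only proves that what you downloaded matches what the manifest says; it does not prove who produced the manifest. Unless the manifest itself is covered by the signed build provenance or the code-signing check described in the linked workflow, an attacker who can swap the artifact can swap the checksum file too, so run this step after the signature and provenance checks, not instead of them.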

External security monitoring
----------------------------

Ghostable supports signed audit webhook delivery so organizations can forward security-relevant events into their own monitoring stack. Delivery health, retries, failure state, and dead-letter status are exposed so teams can validate that security telemetry is flowing as expected.

We document integration patterns for Datadog, Splunk, and Elastic in the [SIEM audit webhook templates](https://docs.ghostable.dev/fundamentals/v2/security-and-operations/siem-audit-webhook-templates).
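What the receiving side of a signed audit webhook has to check before it trusts an event, as an added example that is not Ghostable's own code: the signature scheme (HMAC-SHA256 over `<timestamp>.<raw body>`), the two header names, and the event payload are all assumptions made for this example; the actual scheme is in the linked templates. The receiver verifies over the raw bytes, bounds the timestamp, compares in constant time, and dedupes on the event id so retries and replays are not processed twice.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumed scheme for this example, not Ghostable's documented one:
#   signature = hex(HMAC-SHA256(secret, "<unix timestamp>.<raw request body>"))
# delivered in two hypothetical headers.
TIMESTAMP_HEADER = "X-Ghostable-Timestamp"
SIGNATURE_HEADER = "X-Ghostable-Signature"
TOLERANCE_SECONDS = 300  # reject deliveries whose timestamp is further from now than this


def sign_payload(secret: bytes, timestamp: int, raw_body: bytes) -> str:
    """Sender side: MAC over the timestamp and the exact bytes put on the wire."""
    return hmac.new(secret, f"{timestamp}.".encode() + raw_body, hashlib.sha256).hexdigest()


def verify_delivery(secret: bytes, headers: dict, raw_body: bytes,
                    now: Optional[int] = None, seen_ids: Optional[set] = None) -> tuple[bool, str]:
    """Receiver side. Returns (accepted, reason).

    The MAC is checked over the raw bytes before anything is parsed, so a
    hostile or malformed body never reaches the JSON parser unauthenticated.
    """
    now = int(time.time()) if now is None else now
    ts_raw = headers.get(TIMESTAMP_HEADER)
    provided = headers.get(SIGNATURE_HEADER, "")
    if ts_raw is None or not provided:
        return False, "missing signature headers"
    try:
        ts = int(ts_raw)
    except ValueError:
        return False, "malformed timestamp"
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False, "timestamp outside tolerance window"
    expected = sign_payload(secret, ts, raw_body)
    if not hmac.compare_digest(expected, provided):  # constant-time comparison
        return False, "signature mismatch"
    if seen_ids is not None:
        # Retries legitimately redeliver the same event; process it once.
        try:
            event_id = json.loads(raw_body).get("id")
        except (ValueError, AttributeError):
            return False, "authentic but unparseable body"
        if event_id in seen_ids:
            return False, "duplicate event id (retry or replay)"
        seen_ids.add(event_id)
    return True, "ok"


def demo() -> dict:
    """Constructed deliveries: valid, replayed, tampered, stale, and unsigned."""
    secret = b"constructed-webhook-secret"
    now = 1_700_000_000
    body = json.dumps({"id": "evt_01", "action": "member.role_changed",   # constructed event
                       "actor": "alice@example.com", "target": "bob@example.com"}).encode()
    headers = {TIMESTAMP_HEADER: str(now), SIGNATURE_HEADER: sign_payload(secret, now, body)}
    seen: set = set()
    return {
        "valid": verify_delivery(secret, headers, body, now, seen),
        "replayed": verify_delivery(secret, headers, body, now, seen),
        "tampered": verify_delivery(secret, headers, body.replace(b"alice", b"mallory"), now, set()),
        "stale": verify_delivery(secret, headers, body, now + 3600, set()),
        "unsigned": verify_delivery(secret, {}, body, now, set()),
    }


if __name__ == "__main__":
    for label, (ok, reason) in demo().items():
        print(f"{'ACCEPT' if ok else 'REJECT'} {label}: {reason}")
```

Two operational points follow from the retry and dead-letter status the page exposes. A duplicate that passes the signature check should still be acknowledged with a 2xx so the sender stops retrying it; only signature and timestamp failures should be rejected, otherwise a transient receiver bug turns into a dead-lettered backlog of authentic events. And since the MAC covers the raw body, the receiver must verify the bytes it actually received, not a re-serialized copy, or valid deliveries will fail on whitespace and key-order differences.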

Roadmap
-------

We plan to complete a SOC 2 Type II audit after the coverage period and will share updates once a report is available.

Audit status: No third-party SOC 2 report has been issued.

Questions? Contact support at [support@ghostable.dev](mailto:support@ghostable.dev).
