Trust Center

Security & Compliance Documentation

Public reference for how Theora operates its production environment — covering software delivery, infrastructure, data handling, and vulnerability management.

Software development

Customer support site or email alias
Product documentation site
Public change log or release notes
CI/CD system in use
Theora uses Google Cloud Build triggered on pushes to main to build, push, and deploy the betaapp-api container to Cloud Run in us-central1; auditor evidence is a fresh Cloud Build dashboard screensh…
Internal communication for system updates
Draft Deployment Communication Procedure for Theora: every Cloud Build prod deploy posts to #deploys (Slack) with commit SHA, env, UTC timestamp, operator, status, and Cloud Build run URL; final Vant…

Infrastructure

Application status page
Intrusion Detection System installation
Cloud IDS does not meaningfully apply to Theora's serverless Cloud Run architecture; compensating controls (VPC Flow Logs, Cloud Logging, Cloud Monitoring, MFA, rate limiting) provide intrusion detec…
System Description (SOC 2 Section III)
Polished public-facing SOC 2 Section III System Description for Theora, structured to auditor expectations (boundary, components, control objectives by TSC, carve-out subservice orgs with CUECs, peri…

Vulnerability management

Vulnerability scan
Drafted public Trust Center policy for Theora vulnerability scanning covering minimal Alpine base image, pinned requirements.txt rebuilt every Cloud Build, pre-release pip-audit, Artifact Registry Co…
Sample of remediated vulnerabilities
Polished public Trust Center evidence for "Sample of remediated vulnerabilities" with a 5-row table of real merged security fixes from main, severity ratings, and git-verifiable references for SOC 2 …

Data storage

Customer data deletion record
Theora Customer Data Deletion Procedure: automated nightly retention via delete_expired_queries plus a 30-day on-request deletion workflow, with Cloud Logging audit trail.
Removable media encryption policy
Draft Removable Media Encryption Policy for Theora: production/customer data must not be copied to removable media; company laptops use FullDisk encryption (FileVault/BitLocker); MDM enforcement is a…
Business continuity & disaster recovery procedure
Polished public-ready BC/DR procedure for Theora's Trust Center and Vanta SOC 2 evidence: RTO 4h / RPO 24h, five named scenarios with detection plus gcloud recovery, post-incident review, and quarter…
Media / device disposal record
Theora is fully cloud-resident; no physical production media. Endpoint laptop retirement uses Apple Configurator 2 (macOS), BitLocker key destruction + factory reset (Windows), and 'cryptsetup luksEr…