Trust Center
Security & Compliance Documentation
Public reference for how Theora operates its production environment — covering software delivery, infrastructure, data handling, and vulnerability management.
Software development
| Customer support site or email alias |
| Product documentation site |
| Public change log or release notes |
|
CI/CD system in use
Theora uses Google Cloud Build triggered on pushes to main to build, push, and deploy the betaapp-api container to Cloud Run in us-central1; auditor evidence is a fresh Cloud Build dashboard screensh…
|
|
Internal communication for system updates
Draft Deployment Communication Procedure for Theora: every Cloud Build prod deploy posts to #deploys (Slack) with commit SHA, env, UTC timestamp, operator, status, and Cloud Build run URL; final Vant…
|
Infrastructure
| Application status page |
|
Intrusion Detection System installation
Cloud IDS does not meaningfully apply to Theora's serverless Cloud Run architecture; compensating controls (VPC Flow Logs, Cloud Logging, Cloud Monitoring, MFA, rate limiting) provide intrusion detec…
|
|
System Description (SOC 2 Section III)
Polished public-facing SOC 2 Section III System Description for Theora, structured to auditor expectations (boundary, components, control objectives by TSC, carve-out subservice orgs with CUECs, peri…
|
Vulnerability management
|
Vulnerability scan
Drafted public Trust Center policy for Theora vulnerability scanning covering minimal Alpine base image, pinned requirements.txt rebuilt every Cloud Build, pre-release pip-audit, Artifact Registry Co…
|
|
Sample of remediated vulnerabilities
Polished public Trust Center evidence for "Sample of remediated vulnerabilities" with a 5-row table of real merged security fixes from main, severity ratings, and git-verifiable references for SOC 2 …
|
Data storage
|
Customer data deletion record
Theora Customer Data Deletion Procedure: automated nightly retention via delete_expired_queries plus a 30-day on-request deletion workflow, with Cloud Logging audit trail.
|
|
Removable media encryption policy
Draft Removable Media Encryption Policy for Theora: production/customer data must not be copied to removable media; company laptops use FullDisk encryption (FileVault/BitLocker); MDM enforcement is a…
|
|
Business continuity & disaster recovery procedure
Polished public-ready BC/DR procedure for Theora's Trust Center and Vanta SOC 2 evidence: RTO 4h / RPO 24h, five named scenarios with detection plus gcloud recovery, post-incident review, and quarter…
|
|
Media / device disposal record
Theora is fully cloud-resident; no physical production media. Endpoint laptop retirement uses Apple Configurator 2 (macOS), BitLocker key destruction + factory reset (Windows), and 'cryptsetup luksEr…
|