Rubberfit runs the technical controls a SOC 2 auditor would expect — RLS at the database, six-role RBAC enforced twice, audit log with before/after JSONB snapshots, signed-URL document sharing, encryption at rest. We are not SOC 2 certified yet; the full unvarnished posture and roadmap live in the docs.
The technical controls, the gaps, and the SOC 2 roadmap each get their own page in the docs site — including the parts that don't pass a security questionnaire today.
Row-level security: Postgres RLS policies on every customer-facing table, so there is no app-layer bypass.
Role-based access: six-role RBAC enforced in middleware and again by RLS policies; either layer alone is sufficient to block an unauthorized request.
Audit log: before/after JSONB snapshots, client IP address and user agent on every write, so field-level changes are captured.
Document sharing: customer PDFs are shared via signed URLs, not public-by-default access.
The full security posture, the SOC 2 roadmap, and the data-handling specifics — including what is not yet shipped — live on the docs site so a security questionnaire can paste a single URL into the response field.
Got a questionnaire? Email security@rubberfit.app
Per-seat pricing. 14-day free trial, no credit card. Run real cuts against your own stock — if it doesn't pay for itself the first week, walk.
See pricing