soc2zip Privacy Policy
This Privacy Policy covers the soc2zip product specifically: the intake form, payment flow, document preparation, and package delivery by email. It is in addition to, not in place of, the SOC2Auditors.org Privacy Policy, which covers the directory and quote-request features.
If anything in this policy and the directory privacy policy conflict for soc2zip-specific data, this policy wins for soc2zip data.
TL;DR
- We collect: your email, your company info, your form answers, any supporting documents you choose to email us, payment details (via Stripe; we never see card numbers), and basic technical info (IP, user agent, timestamps).
- We use: contracted service providers for document processing, payment, database storage, hosting, and email delivery.
- We share: with the subprocessors above, and with auditors only if you explicitly opt in. We do not sell your data.
- You can: download, correct, or delete your data at any time. Email hello@soc2auditors.org.
- Retention: any supporting documents you email us are deleted 30 days after we deliver your package; form answers retained 12 months, then anonymized; transaction records as long as legally required. See section 8 (Retention and deletion) below for specifics.
1. What we collect
1.1 You give us
- Identity and contact: name, work email, company name, role
- Company shape: headcount, industry, funding stage, location
- Form answers: your responses to the intake topics covering your stack, security posture, deadlines, budget, and current state
- Supporting documents (optional): if you choose to email us an org chart, vendor list, architecture sketch, or other documents to improve your package, we’ll use them for generation only. We encourage you to redact personal names before sending.
- Payment info: processed by Stripe. We receive a transaction record (amount, last 4 digits of card, card brand, billing ZIP). We do not see, store, or have access to your full card number.
1.2 We collect automatically
- IP address, user-agent string, browser language
- Timestamps for form-start, form-complete, payment, package-delivered
- Pages viewed (basic analytics, no cross-site tracking)
- Cookies used to maintain your form session
We do not use third-party advertising trackers on the soc2zip pages.
1.3 We do not collect
- Government IDs, SSNs, biometric data
- Personal information about your customers, employees, or vendors beyond what you choose to include in your form answers or email us (we encourage you to redact employee names from org charts before sending)
- Health information, financial account numbers, or any data that would invoke HIPAA, GLBA, or similar specialized regimes
If your business handles such data and you email us documents containing it, please redact first. We have no controls in place that would meet HIPAA’s PHI requirements.
2. How we use what we collect
We use your data to:
- Prepare your package. Form answers and any supporting documents you email us pass through our document-processing workflow to produce your draft policies, evidence index, CAIQ Lite, and auditor introductions.
- Deliver your package. Email your package to you as an attachment or a secure download link.
- Provide support. Respond to questions, fix issues, process refunds.
- Match auditors. The matcher returns three auditor candidates inside your package. Your identity is not shared with those firms unless you explicitly opt in by contacting them directly.
- Improve our templates and quality checks. We hash and de-identify submissions for our regression-test set (see section 8 below). We do not use your inputs to train third-party models.
- Bill you and pay our taxes. Standard accounting use.
- Detect fraud and abuse. IP and user-agent help us spot duplicate submissions, payment fraud, scraping.
- Communicate. Transactional emails (delivery, refund, support): always. Marketing emails: only if you opted in at checkout, and you can unsubscribe any time.
Legal bases (GDPR). Where the GDPR applies, we rely on: performance of our contract with you (Art. 6(1)(b)) to prepare and deliver your package and provide support; our legitimate interests (Art. 6(1)(f)) in preventing fraud and maintaining our de-identified quality-regression set; and your consent (Art. 6(1)(a)) for marketing email, which you may withdraw at any time.
3. Automated processing
We use automated document-processing tools, including generative AI, to turn your inputs into a draft package for human review.
- Your form answers and any supporting document contents may be sent to a contracted processing provider solely to prepare your package.
- We use business-grade provider terms that restrict use of API inputs and do not permit your inputs to be used to train public models.
- A human reviews the package before delivery, but you remain responsible for confirming every statement against your actual controls.
- Our regression-test set uses hashed, de-identified versions only.
If you do not want your inputs processed by a contracted generative-AI provider, do not purchase soc2zip.
4. Sharing: who sees what
4.1 Subprocessors
We use the following service providers, who see the data described:
| Provider | Purpose | What they see |
|---|---|---|
| Document-processing provider | Draft preparation | Form answers and supporting document contents while preparing your package |
| Stripe | Payment processing | Email, name, billing address, card data |
| Neon | Database | Form answers, customer records (encrypted at rest) |
| Plunk | Transactional email | Email address, send timestamps, your customer record |
| Cloudflare Pages / Workers | Hosting | Request metadata (IP, user-agent), routed data |
4.2 Auditors
The auditor-introduction emails in your package include three matched firms. We do not share your identity with those firms unless and until you reply to the email or otherwise contact them. The matcher runs entirely on your form answers; the firms learn about you only when you choose to reach out.
If you opt in to a directory-side quote request through SOC2Auditors.org’s main flow, that flow’s privacy policy applies to that submission.
4.3 Legal compulsion, fraud, sale of business
We may share your data:
- When required by valid legal process (subpoena, court order)
- To protect our rights, prevent fraud, or address security threats
- In connection with a merger, acquisition, or sale of substantially all our assets: we’ll notify you by email at least 30 days before the transfer and let you delete your data first
4.4 We do not sell your data
Period. No “first-party data deal” exception. No “anonymized data marketplace” exception.
5. Your rights
You can ask us to:
- Access: get a copy of the data we hold about you (form answers, payment records).
- Correct: fix any inaccuracy.
- Delete: see section 8 (Retention and deletion) below for the mechanics. Note that we keep transaction records for tax and accounting reasons.
- Port: get your data in a machine-readable format (JSON for form answers).
- Object / restrict processing: for marketing email, unsubscribe directly. For other processing, email us and we will discuss.
- Withdraw consent: for marketing email and any other processing based on consent.
If you are in the EU, UK, or California, additional rights under GDPR, UK GDPR, or CCPA apply. We honor those rights for all customers, regardless of location, because the cleanest way to comply is to behave the same way for everyone.
To exercise any of these: email hello@soc2auditors.org from the email address you used at checkout. We respond within 30 days; usually within 5 business days.
If you are unhappy with our response, you have the right to complain to a data-protection authority. Our lead supervisory authority is the Polish DPA (UODO, Urząd Ochrony Danych Osobowych); you may also complain to your local authority.
6. International transfers
soc2zip is operated by Motivato Sp. z o.o., established in Poland (EU). Some of our subprocessors — including Stripe, our document-processing provider, and parts of our hosting — are located in the United States. When we transfer your data to them, we rely on the EU-US Data Privacy Framework where the provider is certified, and on Standard Contractual Clauses (SCCs) otherwise.
7. Security
- All data is stored encrypted at rest (AES-256 or equivalent) and in transit (TLS 1.2+).
- Access to production databases is restricted to the founder and named contractors, with MFA.
- We will not claim SOC 2 attestation until a licensed CPA firm has completed that engagement on our behalf.
If we discover a security incident affecting your data, we will notify you by email without undue delay and at minimum within 72 hours of confirming the incident, with the information we have at that point and updates as we learn more. Notification will go to the email address you used at checkout.
8. Retention and deletion
We split your data into three buckets, each with its own retention rule.
| Bucket | Examples | Retention |
|---|---|---|
| Supporting documents (if you email them to us) | Org chart, vendor list, architecture sketch | Deleted 30 days after package delivery |
| Form answers | Your intake responses | Kept 12 months after delivery, then anonymized (email and company name removed; question-level patterns retained for quality improvement) |
| Your package copy | The archive we delivered to you | We do not retain a permanent copy — keep your own. We can attempt re-generation from saved form answers within 12 months, but cannot guarantee byte-identical re-delivery. |
Early or full deletion
Email hello@soc2auditors.org from the address you used at checkout and we will delete your supporting documents and form answers within 7 days, and your email and company from our customer database within 30 days. We keep refund and Stripe records longer where tax and accounting law requires. We confirm each step by email.
What we keep regardless
We retain the following because we need them for tax, accounting, fraud prevention, or legal defense:
- Stripe transaction records (payment ID, amount, date, last 4 digits of card)
- Invoice and refund history
- A hash of your submission, separated from any identifying data, kept for 24 months as part of our quality-regression set (not reversible to your content)
Deletion limits
- We cannot delete copies you already sent to your auditor or customer through soc2zip-generated emails; those are out of our control once sent.
- Backup snapshots are purged on rotation (within 7 days for database backups). Deletion is immediate at the live-data layer and completes at the backup layer on rotation.
9. Children
soc2zip is a B2B product for businesses. We do not knowingly collect data from anyone under 18.
10. Changes
We may update this Privacy Policy. The version that applies to your purchase is the one in effect on the date you paid. Material changes (new subprocessor that holds your data, change to retention period, change to data-sharing) will be emailed to active customers at least 30 days before they take effect.
11. Contact
- Privacy questions / data requests: hello@soc2auditors.org
- Data controller / operating entity: soc2.zip, a service operated by Motivato Sp. z o.o., a Polish limited liability company with its registered office at ul. Nowogrodzka 31, 00-511 Warszawa, Poland (KRS 0000528892, NIP 7010438730)
Last updated: 2026-06-19. Version 1.0.0.