SOC 2
Also known as: SOC2 · Service Organization Control 2
Service Organisation Control 2 (SOC 2) is an AICPA attestation framework built on the Trust Services Criteria: Security (the common criteria, always in scope), Availability, Processing Integrity, Confidentiality and Privacy. The output is an auditor's report, not a certificate. A SOC 2 Type 1 report attests that controls are suitably designed and in place at a point in time; a Type 2 report attests that they have also operated effectively over a review period, typically 6 to 12 months. TantraDev is on track for Type 1 in Q3 2026.
Concepts that travel with this one.
Architecture rarely lives in isolation — these are the terms that come up in the same conversation.
PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) is the security standard that every entity storing, processing or transmitting cardholder data must meet; it is imposed contractually by the card brands rather than by law. The current version is PCI DSS v4.0.1 (v4.0 was retired at the end of 2024). The architectural lever is scope reduction: assessment scope is the cardholder data environment (CDE) plus every system that connects to it or can affect its security, so a service that never touches a primary account number (PAN) and is segmented from the CDE can be carved out of the assessment. A tokenisation vault is the standard mechanism for shrinking scope from 'whole platform' to a contained set of services: the vault swaps each PAN for a random, non-reversible token, keeps the mapping in one hardened place, and restricts detokenisation to the one component that talks to the payment processor. The vault and anything that can call it stay in scope, and the segmentation around them has to be verified, not assumed.
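The scope-reduction mechanism described above, as an added illustration that is not TantraDev's or any vendor's code. It is a minimal in-memory tokenisation vault: tokens are random (not encrypted or hashed PANs, so no key or table can reverse them), the PAN-to-token mapping lives only inside the vault, and only a named caller (here the hypothetical `psp-gateway` service) may detokenise. The card numbers, service names and the `checkout_flow` helper are constructed for the example; a production vault would keep its mapping in HSM-backed or encrypted storage rather than a dictionary.

```python
import secrets
import threading

# Hypothetical list of components allowed to recover a PAN from a token.
# Everything on this list is inside PCI DSS scope; everything else is not.
DETOKENIZE_ALLOWED = {"psp-gateway"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to reject obviously malformed PANs before storage."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form that keeps only the last four digits (not a token)."""
    digits = pan.replace(" ", "").replace("-", "")
    return "*" * (len(digits) - 4) + digits[-4:]


class TokenizationVault:
    """In-memory stand-in for a PAN vault (constructed for this example)."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}
        self._lock = threading.Lock()

    def tokenize(self, pan: str) -> str:
        digits = pan.replace(" ", "").replace("-", "")
        if not digits.isdigit() or not 12 <= len(digits) <= 19 or not luhn_ok(digits):
            raise ValueError("not a plausible PAN")
        with self._lock:
            # Same PAN always maps to the same token so downstream services
            # can key on the token (for example to detect a repeat card).
            existing = self._token_by_pan.get(digits)
            if existing is not None:
                return existing
            # 128 bits of randomness: the token carries no information about the PAN.
            token = "tok_" + secrets.token_hex(16)
            self._pan_by_token[token] = digits
            self._token_by_pan[digits] = token
            return token

    def detokenize(self, token: str, caller: str) -> str:
        if caller not in DETOKENIZE_ALLOWED:
            raise PermissionError(f"{caller} may not detokenize")
        with self._lock:
            try:
                return self._pan_by_token[token]
            except KeyError:
                raise KeyError("unknown token") from None


def checkout_flow(vault: TokenizationVault, raw_pan: str, amount_cents: int) -> dict:
    """Show what each hypothetical service sees. Only the vault and the
    psp-gateway ever hold the PAN; checkout-web and ledger work with tokens."""
    token = vault.tokenize(raw_pan)
    checkout_view = {"token": token, "display": mask_pan(raw_pan)}   # out of scope
    ledger_entry = {"token": token, "amount_cents": amount_cents}    # out of scope
    pan_for_acquirer = vault.detokenize(token, caller="psp-gateway")  # in scope
    return {
        "checkout-web": checkout_view,
        "ledger": ledger_entry,
        "psp-gateway": {"pan": pan_for_acquirer, "amount_cents": amount_cents},
    }


if __name__ == "__main__":
    v = TokenizationVault()
    print(checkout_flow(v, "4111 1111 1111 1111", 1999))  # constructed test card number
```

The point the example makes is that `checkout-web` and `ledger` never receive a PAN and cannot obtain one, so they can be argued out of scope; the vault and `psp-gateway` remain in scope, which is what shrinks the assessment to a contained set of services.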
GDPR
The General Data Protection Regulation (GDPR) is the European Union's data-protection law. The architectural levers it imposes are consent capture, data minimisation, the right to erasure, notification of a personal-data breach to the supervisory authority within 72 hours of becoming aware of it, and Data Protection Impact Assessments for high-risk processing. For TantraDev's clients serving EU users, GDPR shapes data residency, controller-processor contracts (DPAs), and the granularity of audit logging around personal data.
ISO 27001
ISO/IEC 27001 is the international standard for Information Security Management Systems (ISMS); the current edition is ISO/IEC 27001:2022. Where SOC 2 produces a US-centric attestation report, ISO 27001 is a global certification that enterprise procurement teams, particularly outside the US, treat as the baseline security signal. The standard requires a risk assessment and treatment plan, a Statement of Applicability that justifies which Annex A controls are selected or excluded, and a documented management system that is continually improved through internal audit and management review.
Building a system where SOC 2 is the load-bearing decision?
30 minutes on the phone, one page in your inbox — what to build, what to skip, what it will cost. You keep the audit even if we are not the right fit.