FORM 0007 · security · compliance certificate
FieldOps Pro · v8.46 controls · audited

Security posture, on the record.

What FieldOps Pro does to keep customer data, payments, and dispatcher access secure — written for the IT person your customer has on the call. SOC 2, PCI, ISO, GDPR. Reports under MNDA.

⚐ Certifications · current

SOC 2 Type II
Audited 2024 + 2025 · A-LIGN
Available under MNDA

PCI DSS Level 1
Re-attested annually · Trustwave
Card data tokenized · we never see PAN

ISO 27001:2022
Certified 2025 · Schellman
Information security management

GDPR + CCPA
DPA on request
EU and US data residency available on Fleet

Six controls ↓

How the platform is actually defended.

01 · Data at rest

AES-256 encryption on every database, every backup, every storage tier. Customer-managed keys (CMK) on Fleet via AWS KMS or Azure Key Vault. Backups retained 30 days hot, 365 days cold.

02 · Data in transit

TLS 1.3 only. We deprecated TLS 1.2 in March 2025. Mobile app and dispatcher console certificate-pin to our API. Internal service-to-service traffic uses mTLS.

03 · Access control

Role-based access control (RBAC) per user; SAML SSO on Pro and Fleet plans (Okta, Azure AD, Google Workspace). SCIM provisioning. Mandatory 2FA for owner + dispatcher roles.

04 · Audit log

Every API call, every user action, every record change is logged with actor, timestamp, IP, and outcome. Retention 90 days hot, 7 years cold. Streamed to your SIEM via webhook on Fleet.

05 · Vulnerability mgmt

Pen-test by an external firm twice per year. Continuous SCA on every dependency, automated patching for critical CVEs within 24 hours. Public security@ inbox for responsible disclosure.

06 · Incident response

Documented IR runbook, tabletop exercises quarterly. Customer notification within 72 hours per GDPR Art. 33; in practice, we contact affected customers same-day. Status page at status.fieldops.app.

Subprocessors · current ↓

Everyone we share data with, listed.

Subprocessor changes are notified by email 30 days before they go into effect. Customers can object and we'll work with you on a path. Last updated 2026-04-22.

| Provider | Region | Purpose |
| --- | --- | --- |
| Amazon Web Services | us-east-1, us-west-2, eu-west-1, ap-southeast-2 | Compute, database, storage |
| Stripe | Global | Payment processing (PCI scope) |
| Twilio | Global | SMS + voice transport |
| Datadog | us-east-1 | Application monitoring |
| Cloudflare | Global edge | DDoS protection + WAF |
| Okta | us-east-1 | SSO infrastructure (optional) |

System status · live
All systems operational
status.fieldops.app · last incident 18d ago

Dispatcher API · 99.99%
Mobile sync · 99.97%
Payments · 99.99%
SMS gateway · 99.96%
Reporting · 99.98%
Webhook delivery · 99.95%

Form 0007 · file under: compliance

Need the SOC 2 report?

Send us the MNDA from your standard procurement workflow; we counter-sign and send the report inside one business day. ISO 27001 and PCI letters available on request.
