> ## Documentation Index
> Fetch the complete documentation index at: https://docs.neoflo.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Compliance Certifications: SOC 2, ISO 27001, GDPR, and CCPA

> Neoflo holds SOC 2 Type II and ISO 27001 certifications and complies with GDPR and CCPA — keeping your data protected and audit-ready.

Neoflo maintains a rigorous set of industry-standard certifications and compliance frameworks so that enterprise customers can place data in our hands with confidence. Every certification we hold is independently verified, regularly renewed, and available for review by your security and legal teams. Whether you need to satisfy your own internal audit requirements or demonstrate compliance to regulators, Neoflo's certifications are designed to support you.

## Certifications and Compliance Frameworks

<CardGroup cols={2}>
  <Card title="SOC 2 Type II" icon="shield-check">
    Neoflo is SOC 2 Type II certified across the security, availability, and confidentiality trust service criteria. Our controls are audited annually by an independent, accredited third-party auditor. The Type II designation confirms that our controls were not just designed correctly — they operated effectively over the full audit period.
  </Card>

  <Card title="ISO 27001" icon="certificate">
    Neoflo is certified to ISO 27001, the international standard for information security management systems (ISMS). Our certification covers risk assessment and treatment, security control implementation, and a structured programme of continuous improvement — ensuring our security posture evolves alongside emerging threats.
  </Card>

  <Card title="GDPR" icon="globe">
    Neoflo complies with the EU General Data Protection Regulation. We provide Data Processing Agreements (DPAs) to document our obligations as a data processor, support data subject rights (access, erasure, portability), and offer EU data residency options so your personal data stays within the region you specify.
  </Card>

  <Card title="CCPA" icon="user-shield">
    Neoflo complies with the California Consumer Privacy Act. We operate as a service provider — not a data broker — and do not sell consumer personal information under any circumstances. We support your obligations to respond to consumer rights requests for access, deletion, and opt-out.
  </Card>

  <Card title="256-bit Encryption" icon="lock">
    All data stored on Neoflo infrastructure is encrypted using AES-256. All data in transit — including ERP connections, API calls, and file transfers — is encrypted using TLS 1.2 or higher. There are no unencrypted data paths anywhere in the platform.
  </Card>

  <Card title="VPC / SaaS Deployment" icon="server">
    Neoflo offers flexible deployment to meet your data residency requirements. Choose our SOC 2 compliant managed cloud, or deploy within your own AWS, GCP, or Azure VPC for single-tenant, dedicated infrastructure where your data never leaves your environment.
  </Card>
</CardGroup>

## Requesting Compliance Documentation

Your security and legal teams can request the following compliance documents directly from Neoflo:

* **SOC 2 Type II report**: Full report from our most recent annual audit, covering security, availability, and confidentiality controls
* **ISO 27001 certificate**: Current certificate confirming our ISMS meets the requirements of ISO 27001
* **Data Processing Agreement (DPA)**: Standard or custom DPA for GDPR compliance, documenting how Neoflo processes personal data on your behalf

To request any of these documents, contact us at [hello@neoflo.ai](mailto:hello@neoflo.ai). Our team will respond promptly and can accommodate custom NDA or legal review processes.

<Note>
  Compliance reports and certifications are made available under NDA for enterprise customers. If you have existing confidentiality agreements in place with Neoflo, those may already cover the exchange of compliance documentation — check with your account team.
</Note>

## Continuous Compliance

Certifications are not a one-time achievement — they require sustained effort to maintain. Neoflo's security programme includes:

* **Annual penetration testing**: Independent security firms conduct penetration tests against Neoflo's infrastructure and application layer on an annual basis, with critical findings addressed on an accelerated remediation timeline.
* **Regular internal and external audits**: In addition to certification audits, Neoflo conducts internal security reviews throughout the year to identify and address gaps before they become vulnerabilities.
* **Continuous security monitoring**: Neoflo's infrastructure is monitored around the clock for anomalous activity, intrusion attempts, and policy violations. Alerts are triaged by our security team in real time.
* **Vendor and supply chain reviews**: Third-party vendors with access to Neoflo systems are assessed against our security requirements before onboarding and reviewed on an ongoing basis.

<Tip>
  If you are a procurement or security team evaluating Neoflo, we are happy to complete your vendor security questionnaire. Reach out to [hello@neoflo.ai](mailto:hello@neoflo.ai) and we will assign a security contact to work with you directly.
</Tip>
