verybusy.io - Platform Security & Infrastructure Overview
At verybusy.io, the security and privacy of your team's data are top priorities. Below is a comprehensive overview of the platform's infrastructure, vendor tools, and ongoing compliance measures.
SOC 2 Compliance
verybusy.io is committed to maintaining a strong security and compliance posture aligned with industry-recognized standards.
SOC 2 Type I
VeryBusy has successfully completed a SOC 2 Type I audit, which validates that our security controls were properly designed and implemented at a specific point in time in accordance with the Trust Services Criteria (Security) developed and governed by the AICPA.
SOC 2 Type II (In Progress)
We are currently in an active SOC 2 Type II observation audit, which evaluates the ongoing operating effectiveness of these controls over an extended period. This process demonstrates our continued commitment to consistent, real-world adherence to security best practices.
Audit & Compliance Partners
Our SOC 2 program is managed in partnership with Drata and independently audited by Sensiba, a nationally recognized CPA firm specializing in security and compliance audits.
Enterprise Assurance
For enterprise customers, documentation such as an Attestation Status Confirmation and relevant SOC reports can be made available upon request, subject to standard NDA requirements.
This ongoing compliance effort supports our broader mission to provide a secure, reliable platform for managing high-value creative and production workflows.
Enterprise-Grade Account Security
We protect user access with layered authentication protocols:
All users must create a password-protected profile and verify their email before accessing any project.
Two-Factor Authentication (2FA) is available in user settings.
Single Sign-On (SSO) is supported via Google and Microsoft.
Enterprise clients can also enable SAML-based SSO with SCIM provisioning for centralized authentication and automated user management.
Cloud Infrastructure & Data Protection
verybusy.io is hosted on Amazon Web Services (AWS), leveraging its secure and scalable cloud platform. We utilize a wide range of AWS services to ensure security and operational resilience. Additionally, we integrate third-party tools like New Relic to extend observability and application performance monitoring across our stack:
Security & Compliance
AWS WAF - Web Application Firewall
AWS Shield - DDoS protection
AWS GuardDuty - Threat detection
AWS Inspector - Automated vulnerability management
AWS Secrets Manager - Credential and token storage
AWS KMS (Key Management Service) - Key control and policy management
IAM & IAM Access Analyzer - Access control and policy validation
CloudTrail - Activity logging and auditing
Monitoring & Observability
CloudWatch & CloudWatch Events - Metrics, logs, and system-level monitoring
SNS (Simple Notification Service) - Real-time alerts and notifications
New Relic - Full-stack application performance monitoring and anomaly detection
Core Infrastructure
EC2 (Instances & Other) - Compute resources
VPC - Isolated networking and routing
Elastic Load Balancing (ELB) - High-availability traffic management
ECR & ECS - Container registry and orchestration
Lambda - Event-based serverless execution
Route 53 - Global DNS resolution
CloudFront - Content delivery and caching
SES (Simple Email Service) - Email notifications
CloudShell - Secure CLI management
Storage & Data Management
Amazon S3 - Secure object storage
RDS - Managed relational databases
DynamoDB - High-speed NoSQL data layer
ElastiCache - Memory caching
Glacier - Long-term archival storage
Automation & DevOps
CloudFormation - Infrastructure as code
Service Catalog - Pre-approved deployment configurations
Kinesis Firehose - Log streaming and delivery pipelines
Third-Party Vendors
We notify all VeryBusy.io users by email whenever we add, remove, or materially change a third-party vendor that processes their data.
Amazon Web Services (Cloud Infrastructure)
We use Amazon Web Services (AWS) to host core application services, including compute, storage, databases, networking, and security controls. Data is encrypted at rest and in transit. Access is restricted through IAM with least privilege and MFA, and services are deployed across AWS regions for availability and resilience.
AWS Security and Compliance Center
AWS SOC Reports via AWS Artifact
AWS Shared Responsibility Model
GitHub (Code Management)
We use GitHub as our source control and code collaboration platform. GitHub helps us manage versioning, peer reviews, CI/CD workflows, and integrates securely with our deployment pipeline.
Imgix (Image Processing and CDN)
We use Imgix as a content delivery network (CDN) for real-time image processing and secure global delivery. Their security and compliance posture is detailed here:
Imgix Security & Compliance
Intercom (User Communication)
For customer support, onboarding, and in-app messaging, we use Intercom. Intercom's infrastructure is compliant with major standards and certifications:
Intercom Trust Center
New Relic (Performance Monitoring)
We use New Relic to monitor application performance and availability across the stack. It provides real-time observability, alerting, and error tracking to ensure a smooth user experience.
Stripe (Payments and Billing)
We use Stripe to process payments and manage subscriptions. Card data is sent directly to Stripe and never stored on VeryBusy systems. Stripe is PCI DSS Level 1 compliant. Webhooks are verified and access is restricted by least privilege.
Stripe Security
Stripe Compliance and PCI
Stripe Privacy Center
Network & Database Access Controls
Access to our production database is strictly limited to IPs within our VPC.
External access (including internal team members) is denied by default unless explicitly granted for maintenance or support needs.
Content Privacy & File Management
Files are stored on Amazon S3 and served via time-limited, signed URLs.
We also use secure URLs through Imgix and other trusted infrastructure where needed.
Assets remain available until deleted by the user or workspace owner.
Trial user content is purged after 90 days of inactivity.
We never access, use, or share your content without explicit consent.
Payment & Billing Security
All billing is handled through Stripe, a PCI DSS Level 1 certified provider.
Stripe uses secure tokenization and fraud prevention measures to protect all payment data.
Security Questionnaires
If you are an enterprise customer and need to complete a security questionnaire, please contact your account representative.