Compliance
Compliance built into every layer
TerraBog Analytics is designed to meet the compliance requirements of regulated industries and enterprise procurement teams. From SOC 2 Type II certification to GDPR, CCPA, and PIPEDA compliance, our security and data protection controls are built into the platform from the ground up.
Certifications & Frameworks
Our compliance posture
TerraBog actively maintains certifications and compliance across major enterprise frameworks.
SOC 2 Type II
Trust Services Criteria
Annual audit by an independent CPA firm covering Security, Availability, Confidentiality, Processing Integrity, and Privacy trust service criteria. Full report available to Enterprise customers under mutual NDA.
Last audit
Q4 2025
Next review
Q4 2026
GDPR
EU General Data Protection Regulation
Full compliance with GDPR for processing personal data of EEA data subjects. Standard Contractual Clauses (SCCs) and EU-U.S. Data Privacy Framework available for international transfers. Data Protection Officer appointed. Article 30 records of processing maintained.
Last audit
Ongoing
Next review
Continuous
ISO 27001
Information Security Management
TerraBog's information security management system is aligned with ISO 27001 requirements. Certification audit is in progress with an expected completion date of Q2 2026.
Last audit
Gap assessment Q1 2026
Next review
Certification Q2 2026
CCPA / CPRA
California Consumer Privacy Act
Full compliance with CCPA and CPRA requirements for California residents. TerraBog does not sell personal information. Data subject request workflows are available to all customers through account settings and via privacy@terrabog.com.
Last audit
Ongoing
Next review
Continuous
PIPEDA
Canadian Personal Information Protection
Compliance with PIPEDA for processing personal information of Canadian residents. Data enrichment from Statistics Canada uses only publicly available aggregate data. Cross-border transfer protections in place per DPA.
Last audit
Ongoing
Next review
Continuous
PCI DSS
Payment Card Industry Data Security Standard
TerraBog does not store, process, or transmit cardholder data on its own systems. Payment processing is handled exclusively by Stripe (PCI DSS Level 1 certified). Our automated PII detection identifies and masks credit card numbers in uploaded datasets via Luhn algorithm validation. SAQ-A applicable.
Last audit
Annual
Next review
Q1 2027
Security controls
Technical and organizational measures
The controls TerraBog maintains across encryption, access, monitoring, and data governance -- aligned to our actual platform architecture.
Encryption
Access Control
Monitoring & Detection
Audit & Logging
Data Isolation
Infrastructure
Data pipeline security
Built-in data protection at every stage
Every step of the TerraBog data pipeline includes security and compliance controls.
Ingestion
Uploaded files are validated for format, encoding, and size limits. Files are stored in tenant-isolated GCS paths with server-side encryption.
Validation & Cleaning
Automated data validation checks column schemas, null rates, and data types. Deep cleaning normalizes strings, numbers, dates, phone numbers, and email addresses. A 50% pass-rate gate prevents corrupt data from entering the warehouse.
PII Detection & Masking
Credit card numbers (Luhn validation), Social Security Numbers, and bank account numbers are automatically detected and masked. Rows with PII findings are quarantined for review in the Data Quality dashboard.
Canonicalization & Warehousing
Cleaned data is canonicalized into standard schemas (orders, order_items, customers, products) and loaded into BigQuery via idempotent MERGE operations using row_hash. All tables are partitioned by date and clustered by tenant_id.
Transformation & ML
dbt models transform canonical data into analytics-ready mart tables. BigQuery ML models run scoring for customer segmentation, revenue forecasting, and fraud detection. All transformations are version-controlled and auditable.
Enrichment & Insights
Public data enrichment (FRED, Census, Statistics Canada) is performed server-side. No customer data is sent to enrichment sources. AI insights are generated via Claude AI with tenant-scoped queries only.
For Enterprise
Compliance package for enterprise procurement
Enterprise customers can request a comprehensive compliance kit to satisfy their security review and vendor assessment requirements.
Compliance contacts
Reach the right team
Security & SOC 2 questions
security@terrabog.com
Privacy & GDPR requests
privacy@terrabog.com
Legal & DPA execution
legal@terrabog.com
General compliance inquiries
compliance@terrabog.com
Ready to complete your security review?
Our security team responds to enterprise compliance requests within 2 business days.