Certifications and attestations
This page states plainly where OnTrackio stands on third-party attestations: what's certified today, what the platform inherits from its infrastructure provider, and what sits on the roadmap. It's written for the security or procurement reviewer who needs the real answer before a deal, not a marketing badge wall.
The short version: OnTrackio does not hold its own SOC 2 or ISO 27001 attestation yet. The underlying technical controls are largely in place — and the platform runs entirely on AWS infrastructure that is SOC 2 and ISO 27001 certified — but the auditor engagement and observation window that produce a report have not started. We'd rather you read that here than infer a certification we don't have.
:::note Reading this page

This is an explanation of attestation status, not a how-to. To produce the ITAM-derived evidence that supports these claims today, see Evidence packs. For the full data-flow and isolation narrative a questionnaire asks for, see Security overview.

:::
Certification versus evidence
These are two different things, and conflating them is the most common reviewer confusion. A certification or attestation is a third party's signed opinion after an audit. Evidence is the underlying material — controls, logs, records — that an audit examines. OnTrackio ships strong evidence today; it does not yet ship a third-party report.
| | Certification / attestation | Evidence |
|---|---|---|
| Who produces it | An external auditor or certification body | The platform and its operators |
| What it is | A signed report (SOC 2) or certificate (ISO 27001) | Asset inventory, access controls, audit logs, policies |
| OnTrackio status today | None issued yet | Available now via the compliance suite |
| Where you get it | Roadmap below | Evidence packs |
This distinction is why the rest of the page separates "what we can hand you now" from "what requires a clock to start".
Attestation status at a glance
| Framework | Type | Status | Notes |
|---|---|---|---|
| SOC 2 Type II | Attestation report | Not started | Technical controls largely in place; auditor and observation window not yet engaged. |
| SOC 2 Type I | Attestation report | Not started | The planned first step — a point-in-time design review of the Security criteria. |
| ISO/IEC 27001 | Certification | Not started | Deferred until revenue justifies the ISMS build. |
| AWS SOC 2 / ISO 27001 | Inherited | Active | All hosting runs on AWS, which holds both; covers the physical and infrastructure layer. |
| GDPR | Regulation, not a certification | Posture in place | Strongest area; see GDPR posture. |
| NIS2 | Regulation, not a certification | ITAM-derived evidence | Honest coverage labels, not an attestation; see NIS2 posture. |
| BSI C5 | Attestation report | Out of scope today | Engaged only when a DACH customer requires it. |
| HIPAA / PCI-DSS | Regulation | Out of scope | OnTrackio handles no PHI and no payment-card data directly. |
:::warning Don't read "not started" as "no controls"

"Not started" means no auditor has signed a report — not that the safeguards are missing. Encryption at rest and in transit, per-workspace database isolation, role-based access, MFA, SSO, and an immutable audit trail are live now. The gap is the formal audit, not the security posture. Security overview describes the controls in detail.

:::
SOC 2 — the planned path
SOC 2 is the attestation most enterprise reviewers ask for, and it's the next one on the roadmap. The plan follows the standard two-stage sequence.
| Stage | What it evaluates | Scope | Result |
|---|---|---|---|
| Type I | Control design at a single point in time | Security criteria only | Design-effectiveness opinion |
| Type II | Control operation over an observation period | Security, Availability, Confidentiality | Operating-effectiveness report |
Two Trust Services Criteria are deliberately deferred beyond the first Type II report: Processing Integrity (OnTrackio doesn't process financial transactions directly — the billing processor does) and Privacy (GDPR already covers most of the same ground, so the auditor cost-benefit doesn't favour it until enterprise demand justifies it).
Why it isn't done yet
The control evidence is not the blocker. The platform already implements the bulk of the Security criteria — multi-factor authentication, role-based access control, per-workspace isolation, change management through enforced pull requests and CI, an incident-response runbook, and the full policy set an auditor expects. The missing pieces are an engaged audit firm and the months-long observation window a Type II report requires.
:::tip What this means for a deal in flight

If you're evaluating OnTrackio before the report exists, the compliance suite gives an auditor or your own security team the ITAM-derived evidence directly. Generate a SOC 2 CC6.1 logical-access pack from the evidence packs screen — it maps your live licensing and offboarding data to the control, with honest gaps flagged.

:::
ISO/IEC 27001 — deferred
ISO/IEC 27001 is the heaviest framework of the set: it requires a documented Information Security Management System (ISMS), an internal audit, and a two-stage certification engagement. The technical groundwork overlaps heavily with SOC 2 — access control, cryptography, and communications security are already strong — but the ISMS process work and certification body engagement are a multi-quarter effort.
It is deferred until revenue justifies the investment. When a customer contract requires ISO/IEC 27001 specifically, that's the trigger to start the clock.
What the platform inherits from AWS
OnTrackio is a cloud service that runs entirely on AWS in the EU (Frankfurt). AWS holds its own SOC 2 and ISO/IEC 27001 attestations, and the controls below are satisfied at the infrastructure layer by AWS rather than re-implemented by OnTrackio.
| Control area | What AWS attests | What OnTrackio relies on |
|---|---|---|
| Physical security | Datacenter access, environmental controls | No on-premises assets exist to secure. |
| Hardware disposal | NIST SP 800-88 media destruction on disk replacement | Database and storage volumes are AWS-managed. |
| Storage-layer encryption | AES-256 at rest on the managed database and object storage | OnTrackio enables it; AWS operates the key infrastructure. |
The application-layer controls on top of this — workspace isolation, RBAC, MFA, the audit log, and application-level field encryption — are OnTrackio's own and are what the SOC 2 and ISO efforts above will attest. AWS's reports cover the floor, not the application.
GDPR and NIS2 are not certifications
Two items reviewers sometimes file under "certifications" are regulations, and there is no certificate to issue for either. OnTrackio's posture against both is documented honestly.
- GDPR is the platform's strongest compliance area. Per-workspace database isolation is itself an Article 32 security-of-processing control, and the supporting paperwork — data-processing agreement, records of processing, and breach-notification process — is in place. See GDPR posture.
- NIS2 evidence is ITAM-derived and labelled by coverage class so nothing is overstated. The platform owns the Article 23 incident-notification timer and the Article 21(2)(f) effectiveness assessment end to end; the rest of Article 21 ranges from a hygiene floor to outside the platform's scope. See NIS2 posture and the honest-coverage breakdown in Compliance overview.
Frameworks out of scope
| Framework | Why it's out of scope |
|---|---|
| HIPAA | OnTrackio processes no protected health information. |
| PCI-DSS | The platform handles no payment-card data directly; billing runs through a dedicated processor. |
| BSI C5 (DACH) | A ~12-month attestation engaged only when a DACH customer requires it. |
| DORA | Overlaps with NIS2 and GDPR; relevant only to in-scope financial-sector customers and not pursued as a standalone attestation. |
How to get current evidence today
While the formal reports are pending, three sources give a reviewer real material now.
| You need | Where to get it |
|---|---|
| Control evidence mapped to a framework | Generate a compliance evidence pack (ISO 27001 A.8, SOC 2 CC6.1, GDPR Art. 30, or NIS2 Article 21). |
| The data-flow and isolation narrative | Security overview and Data residency. |
| The vendors behind the service | Subprocessors. |
Each evidence pack is generated on demand from your live data and stamped with the time of generation, so what you hand an auditor is current as of the day you produce it.
What changes when an attestation lands
This page is the single source of truth for attestation status and is dated at the top. When SOC 2 Type I or Type II completes, the status table and the SOC 2 section will be updated here, and the report will be available under NDA through your account contact rather than published openly. Until the date and status on this page change, assume the status shown is current.