Skip to main content

Public control summary.

TvRMM maintains a SOC 2-aligned control program. The summary below is self-attested and not independently audited.

TvRMM approved its initial governance baseline on 2026-07-01, covering system scope, the policy set, control mapping, SOC 2 readiness mapping, and control ownership. Operating evidence collection remains in progress.

TvRMM is not currently SOC 2 audited. We are building and maintaining a SOC 2-aligned security program with an initial focus on Security, Availability, and Confidentiality. The materials in this public package are self-attested and provided for transparency. They are not a SOC 2 report, certification, or independent assurance opinion.

Control areas.

Last updated: 2026-07-10. These summaries describe the current public control position without constituting independent assurance.

Control areaPublic summary
Access controlTvRMM's access-control standard requires named accounts, least privilege, MFA where supported, and periodic review for production and customer-data access.
Change managementProduct changes are tracked in Git. The app repo uses CI validation, and hosted deployments are explicit operator actions.
Tenant isolationThe hosted app is designed around tenant and organization scoping, role-gated actions, and customer-approved support access.
Agent identityAgents enroll into a customer context and use identity material to communicate with the service.
Endpoint actionsScripts, terminal, patching, reboot, updates, cleanup, and remote access are treated as high-risk actions requiring authorization and auditability.
Secrets managementOperational secrets are stored outside source code and loaded into runtime and deployment workflows from approved secret stores.
Vulnerability managementSecurity findings from scans, tests, reviews, and reports are tracked to remediation or documented risk acceptance.
Incident responseTvRMM maintains an incident-response process for triage, containment, remediation, customer-impact review, and follow-up.
Backup and recoveryProduction backups are automated and monitored. In July 2026, TvRMM completed an isolated restore validation that confirmed application health and controlled existing-agent reconnection without fresh enrollment.
Vendor managementProviders that process customer data or support production are inventoried and reviewed.
Data handlingRetention, export, deletion, and support-access expectations are tracked against public legal/security commitments.