Public control summary.
TvRMM maintains a SOC 2-aligned control program. The summary below is self-attested and not independently audited.
TvRMM approved its initial governance baseline on 2026-07-01, covering system scope, the policy set, control mapping, SOC 2 readiness mapping, and control ownership. Operating evidence collection remains in progress.
TvRMM is not currently SOC 2 audited. We are building and maintaining a SOC 2-aligned security program with an initial focus on Security, Availability, and Confidentiality. The materials in this public package are self-attested and provided for transparency. They are not a SOC 2 report, certification, or independent assurance opinion.
Control areas.
Last updated: 2026-07-10. These summaries describe the current public control position without constituting independent assurance.
| Control area | Public summary |
|---|---|
| Access control | TvRMM's access-control standard requires named accounts, least privilege, MFA where supported, and periodic review for production and customer-data access. |
| Change management | Product changes are tracked in Git. The app repo uses CI validation, and hosted deployments are explicit operator actions. |
| Tenant isolation | The hosted app is designed around tenant and organization scoping, role-gated actions, and customer-approved support access. |
| Agent identity | Agents enroll into a customer context and use identity material to communicate with the service. |
| Endpoint actions | Scripts, terminal, patching, reboot, updates, cleanup, and remote access are treated as high-risk actions requiring authorization and auditability. |
| Secrets management | Operational secrets are stored outside source code and loaded into runtime and deployment workflows from approved secret stores. |
| Vulnerability management | Security findings from scans, tests, reviews, and reports are tracked to remediation or documented risk acceptance. |
| Incident response | TvRMM maintains an incident-response process for triage, containment, remediation, customer-impact review, and follow-up. |
| Backup and recovery | Production backups are automated and monitored. In July 2026, TvRMM completed an isolated restore validation that confirmed application health and controlled existing-agent reconnection without fresh enrollment. |
| Vendor management | Providers that process customer data or support production are inventoried and reviewed. |
| Data handling | Retention, export, deletion, and support-access expectations are tracked against public legal/security commitments. |