SOC 2 · Controls Alignment (informational)
Last updated May 2026
Important
SOC 2 is an independent audit of an organisation's controls over time, performed by a licensed CPA firm. A website cannot be "SOC 2 compliant" by itself. This page describes controls we align toward, not an attestation.
Security
HTTPS/TLS everywhere; no central PII store in the current build; secrets kept out of source control; deploy tokens are short-lived and revoked after use.
Availability
Hosted on Vercel's global edge with a documented health endpoint (/api/health); the read layer degrades gracefully to a bundled dataset if a future database is unreachable.
Confidentiality
Least-privilege access to infrastructure; private source repository; no third-party data sharing.
Processing integrity
Input validation on API routes (zod), rate limiting on the API, and typed data models.
Path to attestation
Formal SOC 2 Type II would require a control framework, evidence collection over a 3–12 month window, and a third-party audit. Tools such as Vanta or Drata can automate evidence collection once an organisation and a backend exist.
These documents are provided in good faith and describe how queer.bar currently works. They are drafts and not legal advice; have them reviewed by a qualified lawyer before relying on them. Compliance with GDPR, the UK Data Protection Act 2018, and US/EU privacy laws is an ongoing organisational responsibility, not something software alone establishes.