Trust Center

Compliance

Certifications, frameworks, and regulatory compliance

PetroBench maintains security and compliance practices aligned with industry standards. This page provides transparency into our current certifications, ongoing initiatives, and the frameworks we follow.

Certifications & Assessments

Framework | Status | Details
SOC 2 Type II | In progress | Pursuing certification; expected completion 2026
AWS Infrastructure | Inherited | AWS maintains SOC 2 Type II, ISO 27001, FedRAMP, and PCI DSS certifications
Penetration Testing | Current | Annual third-party penetration test (last completed Q4 2025)

SOC 2 Type II audit reports and penetration test summaries are available to enterprise customers under NDA. Contact legal@petrobench.com.

Security Framework Alignment

PetroBench's security program is designed around industry-standard frameworks:

Access Control

  • Role-based access control (RBAC) with least-privilege principles
  • Multi-factor authentication (MFA) available for all users
  • SAML 2.0 SSO integration for enterprise identity providers
  • Quarterly access reviews for production systems

Data Protection

  • AES-256 encryption at rest, TLS 1.2+ in transit
  • Tenant data isolation at the database level
  • Daily backups with 30-day retention
  • Data Processing Agreements (DPA) available for enterprise customers

Network Security

  • Cloudflare WAF and DDoS mitigation
  • HTTPS enforced on all endpoints
  • IP reputation filtering at the edge
  • No direct public access to application servers or databases

Monitoring & Response

  • Real-time infrastructure and application monitoring
  • Automated alerting for anomalous activity
  • Documented incident response procedures with defined severity levels
  • 72-hour customer notification SLA for confirmed security incidents

Employee Security

  • Background checks for all employees
  • Security awareness training at onboarding and annually
  • Confidentiality and acceptable use agreements
  • Immediate access revocation upon departure

Change Management

  • All code changes require peer review before deployment
  • Automated testing and security scanning in CI/CD pipeline
  • Staged rollouts with rollback capability
  • Infrastructure changes tracked and auditable

Data Handling

Practice | Details
Data Residency | United States only (AWS US East)
Data Ownership | Customers retain full ownership of their data
Data Portability | Export available in CSV and JSON formats
Data Deletion | Within 30 days of request or account termination
Subprocessor Management | Documented list with 30-day change notification for enterprise DPA customers

Regulatory Considerations

PetroBench processes petroleum engineering simulation data: well configurations, rod string designs, production data, and simulation results. This data is typically classified as proprietary operational data rather than regulated personal data.

That said, we apply strong data protection practices to all customer data regardless of classification:

  • Encryption at rest and in transit
  • Strict access controls and audit logging
  • Data isolation between customer organizations
  • Defined retention and deletion procedures

For customers with specific regulatory requirements (GDPR for EU-based personnel data, state privacy laws, etc.), we can accommodate these requirements through our DPA and data handling procedures.

Request Documentation

To request compliance documentation, audit reports, or a DPA:
