Security & Trust at Sound Off
Sound Off is committed to protecting the data entrusted to us by our community, partners, donors, and staff.
Our platform is designed around anonymity for those seeking help — we do not collect names or identifying details from individuals reaching out for support, and message content is end-to-end encrypted so that not even Sound Off can read it. This page summarizes the practices, controls, and certifications that govern how we safeguard information and systems. Security is treated as a continuous program — not a one-time effort — and is reviewed and updated on an ongoing basis.
Compliance & Certifications
Sound Off maintains a security and compliance program aligned to recognized industry frameworks. We pursue independent third-party validation of our controls to give external stakeholders confidence in how we operate.
- SOC 2 Type II — Sound Off is currently in its SOC 2 Type II audit period. The examination covers the Security trust services criteria and evaluates both the design and the operating effectiveness of our controls over the audit window. Upon completion, our report will be available to qualified parties under NDA on request.
- HIPAA-aligned controls — Sound Off does not collect or process Protected Health Information (PHI); users of our platform are anonymous. Even so, out of an abundance of caution, we are building our systems and operational practices to HIPAA standards, with target completion on July 1, 2026. This program implements administrative, physical, and technical safeguards equivalent to those required of HIPAA-covered entities, and extends those protections to vendors via Business Associate Agreements (BAAs) where applicable — including with our messaging carrier, Twilio.
- Continuous compliance monitoring — Sound Off uses Vanta to continuously monitor our security posture, automate evidence collection, and detect configuration drift across our infrastructure and SaaS environment.
- Privacy alignment — Our data handling practices are designed to align with applicable U.S. state privacy laws and, where relevant, GDPR principles for individuals in scope.
Data Encryption
All customer and operational data is encrypted both in transit and at rest.
- In transit — All communication with Sound Off systems is encrypted using TLS 1.2 or higher. We enforce HTTPS across all public-facing services and use modern cipher suites.
- End-to-end message encryption — Message content exchanged through our platform is protected with end-to-end encryption via Virgil Security, applied on top of the transport-layer encryption provided by our messaging carrier (Twilio). Encryption keys are generated and held on user devices; messages are encrypted on the sender's device and decrypted on the recipient's device. Message plaintext is not accessible to Sound Off staff or to our messaging carrier.
- At rest — Data stored in our cloud infrastructure is encrypted using AES-256. Database encryption keys are managed via AWS Key Management Service (KMS) with strict access controls and full audit logging.
- Backups — Backups are encrypted using the same standards and are retained in accordance with our data retention policies.
Infrastructure Security
Sound Off’s production systems are hosted on Amazon Web Services (AWS), a provider that maintains SOC 1, SOC 2, SOC 3, ISO 27001, PCI DSS, and other leading certifications.
- Environment isolation — Production, staging, and pre-production environments are deployed in separate, fully isolated Virtual Private Clouds (VPCs) with no inter-environment network connectivity, preventing lateral movement between environments.
- Layered network controls — Public-facing traffic terminates at managed load balancers, which serve as the sole entry point to each environment over HTTPS. Security group rules enforce that application servers accept inbound traffic only from the load balancer, and database servers accept traffic only from authorized application servers.
- High availability for critical data — Our primary database is deployed in a multi-availability-zone configuration with automated failover to support recovery from infrastructure failures.
- High Logging & monitoring — Infrastructure and application activity is centrally logged through AWS CloudWatch and retained for 365 days. Security-relevant events are monitored, and alerts are routed to on-call personnel for review and response.
Access Controls
Sound Off enforces the principle of least privilege across all systems.
- Single Sign-On (SSO) — Identity is centralized through our corporate identity provider. Access to business systems and infrastructure is federated through SSO wherever supported.
- Multi-Factor Authentication (MFA) — MFA is required for all employee accounts and is enforced on identity provider sign-in, privileged infrastructure access, and any system handling sensitive data.
- Role-Based Access — Access to systems and data is provisioned based on documented job responsibilities and reviewed on a recurring basis.
- Provisioning & deprovisionings — New access requires manager approval. Access is automatically revoked when employees or contractors leave the organization.
- Privileged access — Administrative access to production infrastructure is restricted to a small, named group, requires MFA, and is logged
Secure Development Practices
We follow a structured software development lifecycle (SDLC) that integrates security at each phase.
- Code review — Changes to production code are peer-reviewed before deployment.
- Version control — All source code is maintained in a managed version-control system with branch protections and audit history.
- Dependency management — Third-party libraries are tracked, and known vulnerabilities are surfaced through automated scanning. Critical vulnerabilities are remediated on a defined timeline.
- Secrets management — Credentials, API keys, and other secrets are stored in a dedicated secrets manager. Secrets are never committed to source control.
- Environment separation — Production environments are logically separated from development and testing environments, and production data is not used in non-production environments.
Vendor & Third-Party Risk Management
Sound Off relies on a curated set of third-party providers to deliver its mission. We assess vendors before onboarding and re-evaluate them periodically.
- Vendors handling sensitive data are reviewed for their security posture, certifications (SOC 2 or equivalent where applicable), and data handling practices.
- Access by vendors to our systems is provisioned through the same identity and access controls applied to internal staff.
- Vendor inventory and risk posture are tracked centrally and reviewed on a defined cadence.
Incident Response
Sound Off maintains a documented incident response plan that defines roles, communication paths, and escalation procedures..
- Detection — Security-relevant events are monitored across our infrastructure and SaaS environment.
- Response — Suspected incidents are triaged by designated responders following defined runbooks. Containment, eradication, and recovery actions are documented.
- Notification — In the event of a confirmed security incident affecting customer or partner data, Sound Off will notify affected parties in accordance with applicable laws and contractual obligations.
- Review — Every incident is followed by a post-incident review, with corrective actions tracked to completion.
Business Continuity & Disaster Recovery
Sound Off maintains business continuity and disaster recovery procedures designed to keep critical services available and recoverable.
- Production systems are backed up regularly, and restoration procedures are documented.
- Recovery objectives are defined for critical systems and reviewed periodically.
- Continuity procedures are tested on a recurring basis.
Privacy & Data Handling
Sound Off’s platform is built around two principles: anonymity for those seeking help, and accountability for those providing it.
For people seeking support. Anonymity is a core design principle, not an add-on. We do not collect names, contact information, or other identifying details tied to the message content of individuals reaching out for help. Combined with the end-to-end encryption described above, this means Sound Off staff cannot read message content, and a help-seeker’s identity cannot be reconstructed from the data we hold.
For supporters (peers and counselors). Individuals who provide support on the platform are not anonymous. Before granting access to a supporter role, we verify identity, conduct background checks, and confirm professional credentials where applicable. Supporter identities are known to Sound Off for trust, safety, and quality-of-care reasons.
For everyone. We collect only the information necessary to deliver the service. We do not sell personal information. Individuals may submit requests regarding their data through the contact channels in our Privacy Policy.
For full details on the data we collect and how it is processed, please see our Privacy Policy.
Security Awareness & Training
All Sound Off personnel complete security awareness training at hire and annually thereafter. Training covers phishing, credential hygiene, data handling, and incident reporting. Personnel with elevated access receive additional role-specific training.
Background Checks
Sound Off conducts background checks on new employees in accordance with applicable laws and the role’s level of responsibility.
Reporting a Security Concern
We welcome reports of suspected security issues. If you believe you have discovered a vulnerability or security issue affecting Sound Off, please contact us at: security@sound-off.com.
We aim to acknowledge reports promptly and will work in good faith with researchers and reporters who act responsibly.
Sound Off, Inc. is a [501(c)(3) nonprofit / confirm entity description]. This page describes our security program at a point in time and is updated as our controls evolve. For specific questions about our security practices or to request a copy of our SOC 2 report, contact [security@sound-off.com / partnerships@sound-off.com].
THE TOP