Self-Hosted SOC 2 Position
Password Pusher Pro – Self Hosted Edition
Apnotic, LLC
1. SOC 2 Relevance for Self-Hosted Software
SOC 2 reports apply to service organizations that process, store, or transmit customer data. For Self Hosted Pro deployments, Apnotic acts as a software vendor, not a service organization.
| SOC 2 Principle | SaaS (pwpush.com) | Self Hosted Pro |
|---|---|---|
| Security | Apnotic's controls apply | Customer's controls apply |
| Availability | Apnotic's infrastructure | Customer's infrastructure |
| Processing Integrity | Apnotic's systems | Customer-managed systems |
| Confidentiality | Apnotic's controls | Customer's controls |
| Privacy | Apnotic as processor | Customer as controller/processor |
2. Why Apnotic's SOC 2 Report Does Not Cover Self-Hosted
A SOC 2 report covers the systems and controls of the service organization. For Self Hosted Pro:
- The "system" is the customer's infrastructure, not Apnotic's
- Apnotic has no visibility into or control over customer environments
- The customer manages its own security, availability, and confidentiality controls
- Apnotic cannot audit, monitor, or certify customer-managed systems
Analogy: Just as Microsoft does not include customer Windows Server deployments in its SOC 2 scope, Apnotic's SOC 2 (if applicable) covers only SaaS operations at pwpush.com.
3. Customer's SOC 2 Responsibilities
Customers deploying Self Hosted Pro as part of their own service offering must maintain SOC 2 controls over:
CC6.1 – Logical Access Controls
- User authentication configuration
- Role-based access control implementation
- Privileged access management
CC6.2 – Access Removal
- Timely deprovisioning of terminated users
- Access reviews and recertification
CC6.3 – Access Monitoring
- Audit log review and monitoring
- Anomaly detection and alerting
CC6.6 – Encryption
- Key management and rotation
- Certificate management
- Data classification and encryption policies
CC7.1 – Security Operations
- Vulnerability management for the deployment
- Patch management (OS, container, application)
- Intrusion detection and prevention
CC7.2 – System Monitoring
- Log aggregation and SIEM integration
- Performance and availability monitoring
A1.2 – System Availability
- Backup and recovery procedures
- Business continuity planning
- Disaster recovery testing
4. Security Features Supporting SOC 2 Controls
Password Pusher Pro provides capabilities that support customer SOC 2 compliance:
| Control Area | Feature | Customer Implementation |
|---|---|---|
| Authentication | SSO/SAML support, MFA | Configure with IdP |
| Authorization | Role-based permissions | Define and assign roles |
| Audit Logging | Comprehensive event logs | Integrate with SIEM |
| Data Retention | Configurable expiration policies | Set per organizational requirements |
| Encryption | AES-256 at rest, TLS 1.3 in transit | Verify configuration |
| Secure Disposal | Automatic deletion with cryptographic erasure | Enable and validate |
5. Auditor Documentation
For SOC 2 audits of customer organizations using Self Hosted Pro:
What to Provide Auditors
- This Document – Clarifies Apnotic's role as a software vendor
- Architecture Diagram – Shows the isolated deployment within the customer environment
- Data Flow Documentation – Confirms that no data is transmitted to Apnotic
- Security Configuration Guide – Evidence of implemented security controls
- License Agreement – Evidence of software licensing (not service provisioning)
Common Auditor Questions
Q: "What is Apnotic's role in your service delivery?"
A: Apnotic is a software vendor. We license Password Pusher Pro software that our organization deploys and operates within our own infrastructure.
Q: "Does Apnotic have access to your system or data?"
A: No. Apnotic provides software only. All data processing, storage, and transmission occurs within our controlled environment. Apnotic has no access to our systems, data, or operations.
6. Subservice Organization Considerations
Under SOC 2, subservice organizations are vendors that process data on behalf of the service organization. For Self Hosted Pro:
| Vendor Type | Subservice Organization? | Notes |
|---|---|---|
| Cloud Hosting Provider (AWS, Azure, GCP) | ✅ Yes | Customer's infrastructure provider |
| Container Registry (registry.apnotic.com) | ❌ No | Delivers software only, no data processing |
| Apnotic Support Portal | ❌ No | Access requires explicit customer grant |
| License Validation Service | ❌ No | Cryptographic check only, no data content |
7. For Compliance Teams
Common Request: "We need Apnotic's SOC 2 report for our audit."
Response Framework:
Apnotic provides Self Hosted Pro as licensed software deployed within your infrastructure. In this model, you are the service organization responsible for SOC 2 controls over your systems. Apnotic does not process, store, or transmit your data—therefore, Apnotic is not a subservice organization requiring inclusion in your SOC 2 scope.
Your SOC 2 report should reflect your own controls over the self-hosted deployment, including infrastructure security, access management, monitoring, and availability—similar to how you would report on other software deployed in your environment (databases, operating systems, etc.).
Document Version: 1.0
Last Updated: April 2026
Contact: support@apnotic.com | https://apnotic.com