# SOC2

> Systems and Organizations Controls 2

<img src="https://mintcdn.com/qovery/t4-0ckvZTzo5VRok/images/compliances/compliance_logo.png?fit=max&auto=format&n=t4-0ckvZTzo5VRok&q=85&s=60a7c4c20a3f5a4d258e79b01cf43182" alt="SOC2 Compliance" width="548" height="235" data-path="images/compliances/compliance_logo.png" />

Qovery infrastructure and processes comply with SOC2 (Systems and Organizations Controls 2) best practices. By default, Qovery integrates numerous security features into your applications, clusters, and databases,
ensuring alignment with SOC2's stringent security standards. For more information, visit the [Qovery trust page](https://trust.qovery.com/).

All customers using Qovery benefit from a SOC2-compliant infrastructure, significantly reducing the time required for compliance readiness.

This documentation outlines configuration settings for achieving SOC2 compliance and additional recommended security measures.

## Cluster advanced settings

In the [Cluster Advanced Settings](/configuration/clusters#advanced-settings), you will find several configurable options to enhance compliance with SOC2. Here are the key settings:

### AWS CloudWatch

**Cloud Provider:** <img src="https://mintcdn.com/qovery/Nvnl0g5BHzA0XQmy/images/logos/cloud-providers/aws-icon.svg?fit=max&auto=format&n=Nvnl0g5BHzA0XQmy&q=85&s=12ef689645255696bfa4054d6e3aeaff" alt="AWS" width="20" style={{display: "inline", verticalAlign: "middle", marginRight: "4px"}} data-path="images/logos/cloud-providers/aws-icon.svg" />

To meet SOC2 retention requirements, set the `aws.cloudwatch.eks_logs_retention_days` to at least 365 days.

### Application Logs Retention

**Cloud Provider:** <img src="https://mintcdn.com/qovery/Nvnl0g5BHzA0XQmy/images/logos/cloud-providers/aws-icon.svg?fit=max&auto=format&n=Nvnl0g5BHzA0XQmy&q=85&s=12ef689645255696bfa4054d6e3aeaff" alt="AWS" width="20" style={{display: "inline", verticalAlign: "middle", marginRight: "4px"}} data-path="images/logos/cloud-providers/aws-icon.svg" /> <img src="https://mintcdn.com/qovery/Nvnl0g5BHzA0XQmy/images/logos/cloud-providers/gcp-icon.svg?fit=max&auto=format&n=Nvnl0g5BHzA0XQmy&q=85&s=e38f243f4f39d204ebc65102ab2a7e3c" alt="GCP" width="20" style={{display: "inline", verticalAlign: "middle", marginRight: "4px"}} data-path="images/logos/cloud-providers/gcp-icon.svg" /> <img src="https://mintcdn.com/qovery/Nvnl0g5BHzA0XQmy/images/logos/cloud-providers/scaleway-icon.svg?fit=max&auto=format&n=Nvnl0g5BHzA0XQmy&q=85&s=98d01c5b36e963048f139a17f6ff72a8" alt="Scaleway" width="20" style={{display: "inline", verticalAlign: "middle", marginRight: "4px"}} data-path="images/logos/cloud-providers/scaleway-icon.svg" />

To meet SOC2 retention requirements for application and container logs stored in the object storage used by Loki, set `loki.log_retention_in_week` so that retention covers at least 365 days (the setting is expressed in weeks, as its name indicates).

### VPC flow logs

**Cloud Provider:** <img src="https://mintcdn.com/qovery/Nvnl0g5BHzA0XQmy/images/logos/cloud-providers/aws-icon.svg?fit=max&auto=format&n=Nvnl0g5BHzA0XQmy&q=85&s=12ef689645255696bfa4054d6e3aeaff" alt="AWS" width="20" style={{display: "inline", verticalAlign: "middle", marginRight: "4px"}} data-path="images/logos/cloud-providers/aws-icon.svg" /> <img src="https://mintcdn.com/qovery/Nvnl0g5BHzA0XQmy/images/logos/cloud-providers/gcp-icon.svg?fit=max&auto=format&n=Nvnl0g5BHzA0XQmy&q=85&s=e38f243f4f39d204ebc65102ab2a7e3c" alt="GCP" width="20" style={{display: "inline", verticalAlign: "middle", marginRight: "4px"}} data-path="images/logos/cloud-providers/gcp-icon.svg" />

Enable VPC flow logs to monitor and maintain network traffic visibility:

On AWS:

* Set `aws.vpc.enable_s3_flow_logs` to `true`.
* Specify `aws.vpc.flow_logs_retention_days` to `365` days or more to ensure compliance.

On GCP:

* Set `gcp.vpc.enable_flow_logs` to `true`.
* Set `gcp.vpc.flow_logs_sampling` to `1.0` to capture all network traffic.

### Databases access

**Cloud Provider:** <img src="https://mintcdn.com/qovery/Nvnl0g5BHzA0XQmy/images/logos/cloud-providers/aws-icon.svg?fit=max&auto=format&n=Nvnl0g5BHzA0XQmy&q=85&s=12ef689645255696bfa4054d6e3aeaff" alt="AWS" width="20" style={{display: "inline", verticalAlign: "middle", marginRight: "4px"}} data-path="images/logos/cloud-providers/aws-icon.svg" /> <img src="https://mintcdn.com/qovery/Nvnl0g5BHzA0XQmy/images/logos/cloud-providers/gcp-icon.svg?fit=max&auto=format&n=Nvnl0g5BHzA0XQmy&q=85&s=e38f243f4f39d204ebc65102ab2a7e3c" alt="GCP" width="20" style={{display: "inline", verticalAlign: "middle", marginRight: "4px"}} data-path="images/logos/cloud-providers/gcp-icon.svg" /> <img src="https://mintcdn.com/qovery/Nvnl0g5BHzA0XQmy/images/logos/cloud-providers/scaleway-icon.svg?fit=max&auto=format&n=Nvnl0g5BHzA0XQmy&q=85&s=98d01c5b36e963048f139a17f6ff72a8" alt="Scaleway" width="20" style={{display: "inline", verticalAlign: "middle", marginRight: "4px"}} data-path="images/logos/cloud-providers/scaleway-icon.svg" />

Qovery allows databases to be publicly accessible for convenience; however, to comply with SOC2, it is recommended to [restrict this access](/configuration/clusters#advanced-settings) and secure your databases by changing the value of these settings:

* `database.<database type>.deny_public_access`: disable public access to the database.
* `database.<database type>.allowed_cidrs`: list the CIDR ranges permitted to access the database, limiting access to only your VPC CIDR or other specified IP ranges.

### Kubernetes API access

**Cloud Provider:** <img src="https://mintcdn.com/qovery/Nvnl0g5BHzA0XQmy/images/logos/cloud-providers/aws-icon.svg?fit=max&auto=format&n=Nvnl0g5BHzA0XQmy&q=85&s=12ef689645255696bfa4054d6e3aeaff" alt="AWS" width="20" style={{display: "inline", verticalAlign: "middle", marginRight: "4px"}} data-path="images/logos/cloud-providers/aws-icon.svg" /> <img src="https://mintcdn.com/qovery/Nvnl0g5BHzA0XQmy/images/logos/cloud-providers/gcp-icon.svg?fit=max&auto=format&n=Nvnl0g5BHzA0XQmy&q=85&s=e38f243f4f39d204ebc65102ab2a7e3c" alt="GCP" width="20" style={{display: "inline", verticalAlign: "middle", marginRight: "4px"}} data-path="images/logos/cloud-providers/gcp-icon.svg" />

By default, cloud providers expose the Kubernetes API publicly, secured by TLS certificates. AWS and GCP add a further layer of security by also requiring authentication with a cloud-provider account on top of TLS.

SOC2 compliance, however, mandates restricted access to the Kubernetes API. To achieve this:

* `qovery.static_ip_mode`: limit access to Qovery's designated IPs. Qovery needs this access to perform infrastructure maintenance and application deployment.
* `k8s.api.allowed_public_access_cidrs`: optional, define any additional CIDRs that require access to the Kubernetes API, thus limiting external access further.

<Info>
  Please refer to the [dedicated documentation section](/configuration/clusters#advanced-settings): you have to create a Docker Hub account and link it to Qovery to avoid rate limiting.
</Info>

### Container images retention time

**Cloud Provider:** <img src="https://mintcdn.com/qovery/Nvnl0g5BHzA0XQmy/images/logos/cloud-providers/aws-icon.svg?fit=max&auto=format&n=Nvnl0g5BHzA0XQmy&q=85&s=12ef689645255696bfa4054d6e3aeaff" alt="AWS" width="20" style={{display: "inline", verticalAlign: "middle", marginRight: "4px"}} data-path="images/logos/cloud-providers/aws-icon.svg" /> <img src="https://mintcdn.com/qovery/Nvnl0g5BHzA0XQmy/images/logos/cloud-providers/gcp-icon.svg?fit=max&auto=format&n=Nvnl0g5BHzA0XQmy&q=85&s=e38f243f4f39d204ebc65102ab2a7e3c" alt="GCP" width="20" style={{display: "inline", verticalAlign: "middle", marginRight: "4px"}} data-path="images/logos/cloud-providers/gcp-icon.svg" /> <img src="https://mintcdn.com/qovery/Nvnl0g5BHzA0XQmy/images/logos/cloud-providers/scaleway-icon.svg?fit=max&auto=format&n=Nvnl0g5BHzA0XQmy&q=85&s=98d01c5b36e963048f139a17f6ff72a8" alt="Scaleway" width="20" style={{display: "inline", verticalAlign: "middle", marginRight: "4px"}} data-path="images/logos/cloud-providers/scaleway-icon.svg" />

SOC2 requires that images be retained for a minimum of 365 days. To meet this requirement, set the `registry.image_retention_time` to at least 365 days.

### AWS EC2 metadata access

**Cloud Provider:** <img src="https://mintcdn.com/qovery/Nvnl0g5BHzA0XQmy/images/logos/cloud-providers/aws-icon.svg?fit=max&auto=format&n=Nvnl0g5BHzA0XQmy&q=85&s=12ef689645255696bfa4054d6e3aeaff" alt="AWS" width="20" style={{display: "inline", verticalAlign: "middle", marginRight: "4px"}} data-path="images/logos/cloud-providers/aws-icon.svg" />

To comply with SOC2, restrict access to the AWS EC2 metadata service.

Set `aws.eks.ec2.metadata_imds` to `required` to prevent unauthorized access to the metadata service. This enforces the token-based IMDSv2 on the cluster nodes, so a workload cannot read instance credentials from the metadata service with a plain unauthenticated GET request.
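The settings above can be checked mechanically before an audit. The following is an added example (Python), not Qovery's own code: a policy-as-code audit of a cluster's advanced settings against the thresholds listed on this page. It assumes the input is the flat key/value form of the advanced settings (keys spelled exactly as on this page), that `loki.log_retention_in_week` is in weeks as its name indicates, and that `registry.image_retention_time` is in seconds (31536000 = 365 days); verify both units against the advanced settings reference before relying on the result. The two settings dictionaries at the bottom are constructed samples, not real cluster data. The audit also flags a catch-all CIDR (`0.0.0.0/0` or `::/0`) in any allow-list, since that would undo the access restriction the page asks for.

```python
"""Audit a Qovery cluster's advanced settings against the SOC2 thresholds on this page.
Added example, not Qovery's own code. Assumptions (verify against the settings reference):
flat key/value input, Loki retention in weeks, registry retention in seconds."""
import ipaddress

MIN_DAYS = 365
# (numerator, denominator) converting one unit of a setting into days
UNIT_TO_DAYS = {"days": (1, 1), "weeks": (7, 1), "seconds": (1, 86400)}


def catch_all_cidrs(cidrs):
    """CIDRs that admit the whole address space (prefix length 0) or do not parse."""
    bad = []
    for cidr in cidrs:
        try:
            if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                bad.append(cidr)
        except ValueError:
            bad.append(cidr)
    return bad


def audit_advanced_settings(settings, provider):
    """Return a list of findings; an empty list means every requirement on this page is met."""
    findings = []

    def value(key):
        if key not in settings:
            findings.append(f"{key}: not set")
        return settings.get(key)

    def at_least_days(key, unit):
        v = value(key)
        num, den = UNIT_TO_DAYS[unit]
        if v is not None and v * num < MIN_DAYS * den:  # integer arithmetic, no float rounding
            findings.append(f"{key}={v} {unit}: must cover at least {MIN_DAYS} days")

    def must_equal(key, expected):
        v = value(key)
        if v is not None and v != expected:
            findings.append(f"{key}={v!r}: expected {expected!r}")

    def no_catch_all(key):
        v = value(key)
        if v is not None:
            for cidr in catch_all_cidrs(v):
                findings.append(f"{key}: {cidr!r} leaves access open to everyone")

    # Log retention (Loki applies to every provider on this page)
    at_least_days("loki.log_retention_in_week", "weeks")
    if provider == "aws":
        at_least_days("aws.cloudwatch.eks_logs_retention_days", "days")
        must_equal("aws.vpc.enable_s3_flow_logs", True)
        at_least_days("aws.vpc.flow_logs_retention_days", "days")
        must_equal("aws.eks.ec2.metadata_imds", "required")
    if provider == "gcp":
        must_equal("gcp.vpc.enable_flow_logs", True)
        must_equal("gcp.vpc.flow_logs_sampling", 1.0)

    # Database exposure: one pair of keys per database type present in the settings
    db_types = {k.split(".")[1] for k in settings if k.startswith("database.")}
    for db in sorted(db_types):
        must_equal(f"database.{db}.deny_public_access", True)
        no_catch_all(f"database.{db}.allowed_cidrs")

    # Kubernetes API exposure (AWS and GCP on this page)
    if provider in ("aws", "gcp"):
        must_equal("qovery.static_ip_mode", True)
        no_catch_all("k8s.api.allowed_public_access_cidrs")

    # Container image retention (assumed to be in seconds)
    at_least_days("registry.image_retention_time", "seconds")
    return findings


# Constructed sample: an AWS cluster after applying this page's settings
COMPLIANT_AWS = {
    "aws.cloudwatch.eks_logs_retention_days": 365,
    "loki.log_retention_in_week": 53,
    "aws.vpc.enable_s3_flow_logs": True,
    "aws.vpc.flow_logs_retention_days": 365,
    "database.postgresql.deny_public_access": True,
    "database.postgresql.allowed_cidrs": ["10.0.0.0/16"],
    "qovery.static_ip_mode": True,
    "k8s.api.allowed_public_access_cidrs": ["203.0.113.0/24"],
    "registry.image_retention_time": 31536000,
    "aws.eks.ec2.metadata_imds": "required",
}

# Constructed sample: the same cluster before hardening
LOOSE_AWS = dict(COMPLIANT_AWS, **{
    "aws.cloudwatch.eks_logs_retention_days": 90,
    "loki.log_retention_in_week": 12,
    "aws.vpc.enable_s3_flow_logs": False,
    "database.postgresql.deny_public_access": False,
    "database.postgresql.allowed_cidrs": ["0.0.0.0/0"],
    "aws.eks.ec2.metadata_imds": "optional",
})

if __name__ == "__main__":
    for name, s in (("compliant", COMPLIANT_AWS), ("loose", LOOSE_AWS)):
        print(name, audit_advanced_settings(s, "aws") or "OK")
```

A missing key is reported as a finding rather than silently passing, so running the audit against an incomplete export of the settings surfaces what still has to be looked up instead of producing a false "compliant".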

## Additional Actions

### AWS S3

**Cloud Provider:** <img src="https://mintcdn.com/qovery/Nvnl0g5BHzA0XQmy/images/logos/cloud-providers/aws-icon.svg?fit=max&auto=format&n=Nvnl0g5BHzA0XQmy&q=85&s=12ef689645255696bfa4054d6e3aeaff" alt="AWS" width="20" style={{display: "inline", verticalAlign: "middle", marginRight: "4px"}} data-path="images/logos/cloud-providers/aws-icon.svg" />

To comply with SOC2 requirements for data integrity and protection:

* S3 versioning is automatically enabled by Qovery to maintain object history
* Enable MFA delete protection to add an extra layer of security for version deletion. This must be configured by the account owner using root credentials through the [AWS CLI](https://docs.aws.amazon.com/AmazonS3/latest/userguide/MultiFactorAuthenticationDelete.html).
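Because MFA delete has to be switched on by hand, it is worth verifying both properties from the S3 API rather than assuming them. The following is an added example (Python), not Qovery's own code: it evaluates the response of boto3's `get_bucket_versioning` (keys `Status` and `MFADelete`) for a set of buckets. The bucket names and responses embedded below are constructed; `collect_live` shows how the same dictionary would be gathered from a real boto3 client and is not executed here.

```python
"""Audit S3 bucket versioning and MFA delete state. Added example, not Qovery's own code.
Evaluates get_bucket_versioning responses; sample buckets and responses are constructed."""


def versioning_findings(bucket, resp):
    """Findings for one bucket. A bucket that was never versioned returns a response
    without a `Status` key at all, which must count as non-compliant, not as unknown."""
    findings = []
    if resp.get("Status") != "Enabled":
        findings.append(f"{bucket}: versioning is {resp.get('Status', 'not configured')}")
    if resp.get("MFADelete") != "Enabled":
        findings.append(f"{bucket}: MFA delete is {resp.get('MFADelete', 'not configured')}")
    return findings


def audit_buckets(responses):
    """responses: bucket name -> get_bucket_versioning response dict."""
    out = []
    for bucket, resp in sorted(responses.items()):
        out.extend(versioning_findings(bucket, resp))
    return out


def collect_live(s3):
    """Build the responses dict from a boto3 S3 client (requires credentials; not run here)."""
    return {
        b["Name"]: s3.get_bucket_versioning(Bucket=b["Name"])
        for b in s3.list_buckets()["Buckets"]
    }


# Constructed sample responses covering the three states an auditor will meet
SAMPLE_RESPONSES = {
    "example-logs-bucket": {"Status": "Enabled", "MFADelete": "Enabled"},
    "example-suspended-bucket": {"Status": "Suspended", "MFADelete": "Disabled"},
    "example-never-versioned": {},
}

if __name__ == "__main__":
    for line in audit_buckets(SAMPLE_RESPONSES):
        print(line)
```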

## Schema

For SOC2 compliance, an auditor may request a diagram of your infrastructure and its connection to Qovery. Below is the diagram you can share:

<img src="https://mintcdn.com/qovery/cxbhZtnVrXJee1TV/images/compliances/qovery_soc2_schema.svg?fit=max&auto=format&n=cxbhZtnVrXJee1TV&q=85&s=6374610e469ce7dcf60a44353e508225" alt="Qovery SOC2 Architecture Schema" width="3470" height="1257" data-path="images/compliances/qovery_soc2_schema.svg" />
