Production Readiness

Security

Our founding team includes operators that have worked in dev tools, fintech, and cybersecurity, so we take security seriously across every aspect of our product and processes.

Schematic has put in place several technical and organizational measures designed to protect data and the application. We are secure by design and practice.

SOC 2

Schematic is SOC 2 Type 1 and Type 2 compliant; we use Vanta to manage our compliance, and work with a reputable auditor for our SOC 2 audits.

Our most recent report is from Feb 14, 2026 and can be provided upon request.

Soc2 Logo

For the full compliance overview, see our Trust Center.

Customer Data

Customer Data is the information you submit to Schematic for processing on your behalf. It includes the identity keys your systems use to refer to a company or user, optional profile traits (name, email, role, or any custom field you send), usage events recorded through the track API, and the subscription state Schematic mirrors from your billing provider.

For the list of third parties that process Customer Data on our behalf, see Subprocessors.

Payment Security (PCI Compliance)

Schematic does not store, process, or transmit payment card data. Schematic leverages Stripe for all payment processing, and Stripe is certified as a PCI Level 1 Service Provider, ensuring industry-standard protection for all payment data.

Encryption

All customer-facing endpoints require TLS 1.2 or higher, terminated at the load balancer. Data at rest is encrypted with AES-256. API keys and service credentials are stored in encrypted secret stores and are never written to logs. Outbound webhooks are signed, and every Schematic SDK includes helpers for verifying webhook signatures before your application processes them.

API access

API access is segmented by environment and key type. Publishable keys are scoped for client-side SDKs and carry limited authority. Secret keys are used by server-side SDKs and grant the access required to call privileged endpoints. Embedded components render with short-lived JWT session tokens minted on your server, which avoids exposing secret keys to the browser.

Application Security Measures

Schematic has implemented the following security measures:

  • Continuous Dependency Scanning: Automated monitoring for vulnerabilities in third-party libraries and frameworks, with alerts surfaced in CI/CD and tracked to resolution.
  • Static Application Security Testing (SAST): Regular analysis of source code to detect and remediate potential vulnerabilities before deployment.
  • Dynamic Application Security Testing (DAST): Runtime scanning of deployed environments to detect vulnerabilities such as XSS, SQL injection, and other common attack vectors.

Monitoring and Logging

Schematic has internal and external monitoring in place to ensure the security of our application.

  • Audit Logging: All critical user and system actions are logged for traceability and incident investigation.
  • Intrusion and Threat Detection: AWS GuardDuty provides continuous monitoring for malicious activity and unauthorized behavior.
  • Cloud Security Automation: Schematic uses AWS Security Hub and automated compliance checks via Vanta to enforce best practices and alert on misconfigurations.

SSO and 2FA

For all customers, Schematic supports SSO through Google and Github. Additionally, customers can enable 2FA through

2 Factor Authorization

We can also support Custom SSO providers such as Okta, Auth0, etc for customers on the Enterprise plan. If you have any questions, please reach out to us at support@schematichq.com.

Incident response

Customers are notified within 72 hours of a confirmed incident affecting their Customer Data, in line with the Data Processing Addendum.

Policies

We have a number of policies in place to support SOC 2 compliance. All of these policies are available for viewing upon request:

  • Acceptable Use Policy
  • Asset Management Policy
  • Backup Policy
  • Business Continuity Plan
  • Code of Conduct
  • Data Classification Policy
  • Data Deletion Policy
  • Data Protection Policy
  • Disaster Recovery Plan
  • Encryption Policy
  • Incident Response Plan
  • Information Security Policy
  • Password Policy
  • Physical Security Policy
  • Responsible Disclosure Policy
  • Risk Assessment Policy
  • Software Development Lifecycle Policy
  • System Access Control Policy
  • Vendor Management Policy
  • Vulnerability Management Policy

Reporting a Vulnerability / Bug

Please report security vulnerabilities or bugs to support@schematichq.com.

We currently do not operate a bug bounty program, but we will be forever grateful for any actionable security vulnerability found and will shower you with thanks and merch.