Skip to content
NewLatest articleDatabricks Lakebase: what it is and how to prepareRead

Trust & Security

Security you can prove, not just promise.

Tarmac is SOC 2 Type II audited and builds software for regulated industries every day. We are fluent in HIPAA, HITRUST, ISO 27001, and PCI DSS, and our engineers build against the OWASP Top 10 from the first commit, not the final audit.

SOC 2 TYPE II

Our attestation

SOC 2 Type II

Tarmac maintains a SOC 2 Type II attestation: an independent auditor examines our security, availability, and confidentiality controls over time, not just on a single day. We can share the current report under NDA.

  • Security
  • Availability
  • Confidentiality

Examined over a period by an independent CPA firm. Current report available under NDA.

How we build securely

Security is part of the build, not a phase at the end

Compliance paperwork proves a point in time. Secure engineering keeps you safe between audits. We do both, and the engineering comes first.

  1. 01

    Built against the OWASP Top 10

    Our engineers treat the OWASP Top 10 as a baseline, not a checklist at the end. Injection, broken access control, and the rest are designed out during the build, then verified.

  2. 02

    Automated and AI-assisted scanning

    Static analysis, dependency and secret scanning, and AI-assisted security review run in CI on every change. Findings block the merge instead of waiting for an audit.

  3. 03

    Secure by default in the SDLC

    Peer review on every pull request, least-privilege access, secrets management, encryption in transit and at rest, and infrastructure as code so the secure configuration is the only configuration.

  4. 04

    Senior engineers own the risk

    Security is not handed to a separate team at the end. The senior engineer accountable for a feature is accountable for how it holds up, which is exactly how the Tarmac 10 is meant to work.

Frameworks we build to

The standard your auditors expect, engineered in

We meet your systems where your industry requires. These are the frameworks our teams work within most, with real delivery behind them.

HIPAA

Protected health information handled the right way: business associate agreements, least-privilege access, audit logging, and encryption in transit and at rest. Proven across healthcare clients like Allina Health.

HITRUST CSF

For teams that need HITRUST alignment on top of HIPAA, we map the controls and build to them so your certification effort starts from a system that already fits.

ISO 27001

Information security management aligned to ISO 27001 controls: risk assessment, access management, change control, and the documentation an ISMS audit expects.

GDPR & CCPA

Data privacy by design for EU and California users: lawful basis and consent, data minimization, and the right to access and erasure engineered into the product, not bolted on.

NIST CSF & AI RMF

Risk-based security using the NIST Cybersecurity Framework, and the NIST AI Risk Management Framework for AI systems, so governance keeps pace with what we ship.

Regulated by default

Comfortable inside audited, controlled environments

Healthcare, financial services, and payments are where the margin for error is smallest. That is where a lot of our work lives. We adapt to your access model, your review gates, and your auditors, and we keep shipping without cutting the corners that matter.

  • Least-privilege access and role separation that match your controls
  • Encryption in transit and at rest, with managed secrets and key rotation
  • Audit logging and traceability from requirement to deployed change
  • Business associate and data processing agreements signed as standard
  • Infrastructure as code so the secure configuration is the default one

Questions, answered

Security & compliance FAQ

Is Tarmac SOC 2 compliant?

Yes. Tarmac maintains a SOC 2 Type II attestation, which means an independent auditor evaluates our controls across a period of time rather than at a single point. We can provide the current report under NDA.

Which compliance frameworks can you build to?

We are fluent in HIPAA, HITRUST, ISO 27001, and PCI DSS, and we build to privacy regimes like GDPR and CCPA and risk frameworks like the NIST CSF and NIST AI RMF. We engineer your systems to meet the standard your industry and auditors require.

Do you work in regulated environments?

Regularly. Our teams have shipped and supported software in healthcare, financial services, and payments, where compliance is a requirement to operate. We are comfortable inside audited, controlled environments and adjust our access and process to fit yours.

How do you keep the code itself secure?

Engineers build against the OWASP Top 10, and every change runs through static analysis, dependency and secret scanning, and AI-assisted security review in CI, plus peer review. Security is part of delivery, not a phase we bolt on before launch.

Can you sign a BAA or a DPA?

Yes. We routinely sign business associate agreements for HIPAA work and data processing agreements for GDPR and CCPA, and we align to your security and access requirements as part of onboarding.

Need a partner your auditors will sign off on?

Tell us about your environment and the frameworks you answer to. We will bring a senior team that ships fast and keeps you compliant while it does.