Skip to content

UnoLock Trust Center

UnoLock publishes a sanitized public security package. Full SOC 2 evidence, control mappings, auditor materials, operational screenshots, internal procedures, and detailed infrastructure records are kept under controlled access.

SOC 2 audit preparation

SOC 2 audit preparation has been completed; an independent audit is pending.

UnoLock maintains a SOC 2-aligned security control framework and has prepared evidence for independent audit review. Full audit materials and control evidence are available only to qualified auditors, enterprise customers, or partners under appropriate confidentiality terms.

UnoLock does not publicly claim SOC 2 certification unless and until an independent audit report has been issued.

Access tiers

Public Trust Package

The public package describes security posture and commitments without publishing operational details that could weaken the system:

  • Security posture and architecture summary.
  • Zero-knowledge and no-plaintext-access explanation.
  • Encryption, deletion, privacy, and retention summaries.
  • Incident response, vulnerability disclosure, and continuity principles.

Controlled Access

Qualified reviewers may receive a controlled diligence package under appropriate confidentiality terms:

  • SOC 2 readiness summaries.
  • Security questionnaire responses.
  • Sanitized architecture diagrams.
  • Executive summaries for qualified customer diligence.

Private Evidence Room

The full evidence room is not public. It is reserved for authorized auditors or tightly controlled reviewers:

  • Control mappings, screenshots, and audit evidence.
  • Access reviews, logs, tickets, and policy attestations.
  • Internal procedures, vendor evidence, and operating records.
  • Detailed infrastructure, monitoring, business continuity, and operational records.

What UnoLock can access

UnoLock can operate the service, process payments through payment providers, serve application code, store encrypted objects, and maintain limited operational records needed to run the platform.

What UnoLock cannot access

UnoLock is designed so plaintext Safe contents, private keys, recovery material, and decrypted files remain on the user's trusted client.

We do not publish operational details that would weaken that boundary.

If TechSologic is compromised

The system is designed to limit blast radius through client-side encryption and separation of responsibilities. Service compromise should not grant readable access to Safe contents.

Public materials explain the security model at a high level. Detailed control evidence, internal diagrams, vendor configurations, monitoring rules, escalation paths, and recovery procedures are handled through controlled access.

If TechSologic fails

UnoLock documents continuity and recovery practices internally and summarizes them for qualified reviewers. Public materials avoid detailed schedules, recovery procedures, and vendor configuration specifics.

Security commitments

Area Public commitment
Controls Documented controls cover access management, change management, incident response, encryption, data handling, infrastructure security, vendor management, vulnerability management, and business continuity.
Threat model UnoLock treats hostile devices, credential theft, coercion, infrastructure compromise, and supply-chain pressure as first-class risks. Public materials explain the model without publishing attacker playbooks.
Encryption Safe contents are encrypted before leaving the client. Public documentation explains the boundary at a high level; implementation evidence and detailed operational records stay controlled.
Data residency UnoLock supports region-aware storage options where available by plan and configuration. Specific customer residency commitments are handled contractually.
Deletion UnoLock publishes retention and deletion commitments while keeping exact internal execution details, verification artifacts, and operational procedures private.
Vulnerabilities Security reports should be sent through the channels listed in the vulnerability policy and bug bounty materials. Confirmed issues are triaged and handled according to severity and user impact.