Does that vendor have SOC 2? Who processes their data? When did it change?
StackPosture consolidates the trust facts B2B SaaS vendors publish — certifications, subprocessors, data residency, incident disclosures — into one dated, sourced record. Free to use.
12 Vendors tracked
45 Facts on record
24 Changes logged
Recent changes
Vendors overwrite their subprocessor lists and trust pages. We keep the history.
2026-06-10
Airtable
Verification pass: SOC 2 Type II, ISO 27001:2022 (public certificate PDF), ISO 27701, HIPAA, and TX-RAMP Level 2 confirmed against Airtable's trust page. Security page URL corrected to /company/trust-and-security; subprocessors list and DPA links added.
2026-06-10
Airtable
Vendor added to StackPosture — initial snapshot from published trust documentation. Verification pass pending.
2026-06-10
Asana
Verification pass: SOC 2 Type II, ISO 27001:2022 (plus 27017/27018/27701), HIPAA, and CSA STAR Level 1 confirmed against Asana's trust page. Status page and EU/AU/JP data residency recorded; trust center corrected to security.asana.com.
2026-06-10
Asana
Vendor added to StackPosture — initial snapshot from published trust documentation. Verification pass pending.
2026-06-10
Calendly
Verification pass: SOC 2 Type II (plus SOC 3), ISO 27001, and CSA STAR Level 1 confirmed against Calendly's security page. Whistic trust profile added; PCI compliance is via payment processor Chargebee, not Calendly itself.
2026-06-10
Calendly
Vendor added to StackPosture — initial snapshot from published trust documentation. Verification pass pending.
2026-06-10
Dropbox
Verification pass: SOC 2 Type II (plus SOC 1/SOC 3), ISO 27001/27018 (plus 27017/27701/22301), CSA STAR Level 2, and HIPAA support confirmed against Dropbox's compliance page, Trust Center, and the CSA STAR registry.
2026-06-10
Dropbox
Vendor added to StackPosture — initial snapshot from published trust documentation. Verification pass pending.
How it works
We collect trust facts from vendor-published documentation and public regulatory records — never from scanning, probing, or anything a vendor didn't publish themselves.
Every fact carries a source link and a date. Facts we haven't yet verified against a primary source are clearly marked as pending.
We re-check vendors on a schedule and log every change — so you can see not just what a vendor's posture is, but how it has moved.
Missing a vendor?
Tell us which vendor you're reviewing and we'll add them, usually within a few days: [email protected]