Simplifying Deployments with Compose files

Jul 31, 2025

Why We Took on the Audit

Personal data means any information relating to an identified or identifiable natural person (“data subject”). This includes obvious identifiers like full names, email addresses, and government-issued IDs — but also less direct signals such as IP addresses, device IDs, geolocation, or behavioral patterns.

An identifiable natural person is one who can be recognized, directly or indirectly, using a combination of data points. For example, even if a name isn’t stored, combining birthdate, ZIP code, and gender may be enough to uniquely identify someone — and therefore falls under the definition of personal data.

More Than a Formality

“We didn’t just pass an audit — we redefined how we work as a team. What started as a security requirement turned into a full reset of our processes, tools, and expectations.”

The Effort Was Real

Time Estimates vs Reality

In practice, the work wasn’t linear, and it definitely wasn’t confined to one person. Security, engineering, HR, and leadership each had critical responsibilities. Coordination between departments added friction — every task required clarifications, decisions, and cross-checks.

Across all functions, the actual time investment was closer to 80–100 hours — and that’s a conservative estimate. Some phases stretched out due to internal dependencies, delayed responses from vendors, or scheduling audits around product deadlines. Progress wasn’t always steady, and context-switching slowed things down.

Key Time-Drains We Underestimated

Beyond the raw hours, there was also significant cognitive and emotional load. Working on compliance while shipping product features meant balancing two very different mindsets. Team members had to pause deep technical work to dig through policy drafts or create evidence logs — not glamorous, but essential.

  • Drafting and aligning on internal policies.
  • Chasing down evidence and documentation.
  • Syncing across engineering, legal, and HR.
  • Verifying vendor compliance and contracts.
  • Updating security controls and auditing tools.

Raising the Security Bar

Mandatory Protections

In short: while SOC 2 compliance is achievable, it demands time, focus, and a lot of cross-team patience. The “just a few dozen hours” assumption doesn’t hold up in the real world, especially if you care about doing it right.

Vendor Compliance Isn’t Optional

We upgraded our monitoring stack, introduced better alerting, and mapped escalation paths. Incidents became easier to detect and respond to with consistency, reducing the risk of blind spots or delayed reactions.

Reinforcing Engineering Discipline

DevOps: From Best Effort to Baseline

We had a solid CI/CD setup in place before the audit. Our pipelines built, tested, and deployed code reliably, but SOC 2 compliance raised the bar significantly. It wasn’t just about shipping quickly anymore; it was about shipping predictably, securely, and with full traceability.

We introduced test coverage reports as a mandatory metric, not just a “nice to have.” This helped highlight gaps in our test suites and gave teams measurable targets to improve over time. Static code analysis, dependency scanning, and linting were integrated into every pipeline stage to catch issues earlier and enforce quality standards consistently.
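
As an added example (not Unikraft’s tooling, and not code from the original post), the Python script below is the kind of pipeline gate that turns a coverage report and a dependency-scan result from “nice to have” numbers into a hard check: it exits non-zero when overall line coverage falls below a threshold, or when any scan finding at or above a chosen severity appears, and it fails closed on findings whose severity the scanner did not classify. The lcov text and the scan JSON are constructed inline, and the scan schema is hypothetical; real scanners each have their own output format, so the parsing would be adapted to whichever tool the pipeline actually runs.

```python
"""Pipeline quality gate (added example, not Unikraft's own tooling).

Reads an lcov-style coverage report and a dependency-scan report and
returns a non-zero status when either falls below the agreed baseline,
so the CI job fails instead of merely publishing a number nobody reads.
"""
import json
import sys

# Constructed sample lcov report: two files, 7 instrumented lines, 4 hit.
SAMPLE_LCOV = """\
SF:src/auth.py
DA:1,1
DA:2,1
DA:3,0
DA:4,1
end_of_record
SF:src/billing.py
DA:1,1
DA:2,0
DA:3,0
end_of_record
"""

# Constructed dependency-scan output in a hypothetical generic schema;
# real scanners each emit their own format and would need their own parser.
SAMPLE_SCAN = json.dumps({
    "findings": [
        {"package": "examplepkg", "version": "1.2.3", "severity": "HIGH"},
        {"package": "otherpkg", "version": "0.9.0", "severity": "LOW"},
    ]
})

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def parse_lcov(text):
    """Return {source_file: (lines_found, lines_hit)} from lcov DA records."""
    per_file = {}
    current = None
    for line in text.splitlines():
        if line.startswith("SF:"):
            current = line[3:]
            per_file[current] = [0, 0]
        elif line.startswith("DA:") and current is not None:
            _lineno, count = line[3:].split(",")[:2]
            per_file[current][0] += 1
            if int(count) > 0:
                per_file[current][1] += 1
        elif line == "end_of_record":
            current = None
    return {path: (found, hit) for path, (found, hit) in per_file.items()}


def coverage_percent(per_file):
    """Overall line coverage across all files; 0.0 when nothing is instrumented."""
    found = sum(f for f, _ in per_file.values())
    hit = sum(h for _, h in per_file.values())
    return 100.0 * hit / found if found else 0.0


def coverage_gate(lcov_text, minimum_percent):
    """Pass only if overall coverage meets the threshold; list files below it."""
    per_file = parse_lcov(lcov_text)
    total = coverage_percent(per_file)
    messages = [f"overall line coverage {total:.1f}% (minimum {minimum_percent:.1f}%)"]
    for path, (found, hit) in sorted(per_file.items()):
        pct = 100.0 * hit / found if found else 0.0
        if pct < minimum_percent:
            messages.append(f"  below threshold: {path} {pct:.1f}% ({hit}/{found})")
    return total >= minimum_percent, messages


def dependency_gate(report_json, block_at="HIGH"):
    """Fail on any finding at or above block_at; unknown severities fail closed."""
    threshold = SEVERITY_RANK[block_at.upper()]
    blocking = []
    for finding in json.loads(report_json).get("findings", []):
        sev = str(finding.get("severity", "")).upper()
        # A severity the scanner did not classify is treated as blocking rather
        # than silently waved through.
        if SEVERITY_RANK.get(sev, threshold) >= threshold:
            blocking.append(
                f"  {finding.get('package')}=={finding.get('version')} severity={sev or 'UNKNOWN'}"
            )
    return not blocking, blocking


def run_gates(lcov_text, scan_json, minimum_percent=80.0, block_at="HIGH"):
    """Evaluate both gates and return a process exit status (0 = pass)."""
    cov_ok, cov_msgs = coverage_gate(lcov_text, minimum_percent)
    dep_ok, dep_msgs = dependency_gate(scan_json, block_at)
    print("coverage gate:", "PASS" if cov_ok else "FAIL")
    print("\n".join(cov_msgs))
    print("dependency gate:", "PASS" if dep_ok else "FAIL")
    print("\n".join(dep_msgs))
    return 0 if cov_ok and dep_ok else 1


if __name__ == "__main__":
    # Usage: python gate.py coverage.lcov scan.json [min_percent] [block_at]
    # With no arguments the constructed samples above are evaluated instead.
    if len(sys.argv) >= 3:
        with open(sys.argv[1]) as f, open(sys.argv[2]) as g:
            lcov_text, scan_json = f.read(), g.read()
        min_pct = float(sys.argv[3]) if len(sys.argv) > 3 else 80.0
        block = sys.argv[4] if len(sys.argv) > 4 else "HIGH"
    else:
        lcov_text, scan_json, min_pct, block = SAMPLE_LCOV, SAMPLE_SCAN, 80.0, "HIGH"
    sys.exit(run_gates(lcov_text, scan_json, min_pct, block))
```

Run as the last step of the test job so that a drop in coverage or a newly reported vulnerable dependency fails the pipeline rather than being noticed at audit time. The threshold and severity cut-off are the policy knobs: the script makes them explicit arguments so the agreed baseline is visible in the pipeline definition, which is also the evidence an auditor will ask for.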

Security as Default

We enforced multi-factor authentication (MFA) across all services — from code repositories and internal tools to SaaS platforms like Slack, Notion, and Google Workspace. It was one of the most immediate and visible changes for the team.

At the same time, we rolled out mobile device management (MDM) for all employee laptops and phones. This allowed us to enforce full-disk encryption, lock or wipe lost devices remotely, and ensure up-to-date OS patches and endpoint protection across the board. We defined baseline security policies and applied them uniformly, regardless of location or role.

The rollout naturally introduced some friction. Team members had to install new apps, use physical tokens or authenticators, and adapt to additional steps in their login routines. But the transition went surprisingly smoothly. We communicated the rationale clearly, offered support, and made sure the process felt like empowerment — not punishment.
