Back to blog

Thursday, July 2, 2026

React Native Stallion is Now SOC 2 Type I Compliant

React Native Stallion is Now SOC 2 Type I Compliant

We're excited to announce that React Native Stallion is now SOC 2 Type I compliant — an independent attestation of the security controls that protect your React Native OTA updates, bundles, tokens, and account data.

For teams evaluating a CodePush alternative, the hardest part of adopting an over-the-air (OTA) update platform usually isn't the feature list — it's getting security sign-off. SOC 2 compliance answers those questions with an independent audit instead of a promise, so your security and vendor-review teams can approve Stallion faster.

What Is SOC 2 Type I Compliance?

SOC 2 is an independent audit of how a service organisation handles customer data, based on the AICPA's Trust Service Criteria. A SOC 2 Type I report is an attestation, by an independent auditor, that an organisation's controls are suitably designed and in place as of a specific date.

Stallion's SOC 2 Type I report covers three Trust Service Criteria:

  • Security — protecting systems and data against unauthorised access.
  • Availability — keeping the OTA platform operational and accessible.
  • Confidentiality — safeguarding information designated as confidential.

In practice, that means the controls protecting your OTA updates — access controls, encryption, logging, and change management — aren't just described in a sales deck. They've been examined and attested by a third party.

SOC 2 Type I vs Type II:

SOC 2 Type I attests that controls are suitably designed and in place at a point in time. SOC 2 Type II additionally tests that those controls operate effectively over a period (typically 3–12 months). Stallion's Type II observation window is already in progress.

Why SOC 2 Compliance Matters for OTA Updates

Over-the-air updates ship code directly to production devices, so the platform delivering them sits on a sensitive part of your supply chain. That makes independent security assurance essential — not optional.

  • Audited, not asserted. A SOC 2 Type I report gives your security reviewers something concrete to work from during vendor assessment, instead of a questionnaire full of "trust us" answers.
  • Faster procurement. Security teams can clear Stallion using a recognised, standardised report rather than a bespoke back-and-forth.
  • Transparency by default. Our security policies, subprocessors, and compliance documentation live in our Trust Center — open for review before you ever talk to sales.
  • Ongoing assurance. It's added confidence that Stallion has mechanisms to protect your bundles and account data day in and day out — not just at launch.

How We Achieved SOC 2 Compliance

SOC 2 isn't a checkbox you tick the week before an audit. Getting here meant hardening how Stallion operates, day to day:

  • Access controls — least-privilege access to production systems, with access reviews and strong authentication for the team.
  • Encryption — data encrypted in transit and at rest, with OTA bundle payloads served through signed, time-limited URLs.
  • Bundle signing — cryptographic signing so every OTA update is origin-verified and tamper-evident before a device installs it. Free on every plan.
  • Audit logging — comprehensive logs across critical systems for monitoring, incident investigation, and access accountability.
  • Vendor risk management — documented risk assessments before onboarding any subprocessor that touches customer data, with periodic reviews thereafter.
  • Security training & policy — company-wide security policies and training so the same standard is applied consistently across the team.

If you want the detail, our public Information Security Policy walks through how each control works.

What's Next for Stallion's Security Roadmap

Compliance is a direction, not a destination. What we're working on next:

  • SOC 2 Type II. The Type II observation window is underway — extending the attestation from "controls are designed correctly" to "controls operate effectively over time."
  • Data residency & GDPR. Enterprise customers can choose regional data hosting to keep bundle updates and related data within a specific geography, supporting GDPR and other data-residency requirements.
  • On-premise for regulated industries. For organisations with the strictest requirements — HIPAA, or internal policies that prohibit third-party cloud — Stallion offers on-premise OTA hosting behind your firewall, with the same feature set as the cloud product and complete data sovereignty.

How to Request Stallion's SOC 2 Report

Our SOC 2 Type I report is available under NDA. Enterprise customers and prospects in active evaluation can request it through our contact form, and browse our published security posture anytime at the Trust Center.

Frequently Asked Questions

Is React Native Stallion SOC 2 compliant?

Yes. React Native Stallion is SOC 2 Type I compliant, independently attested across the Security, Availability, and Confidentiality Trust Service Criteria. SOC 2 Type II is in progress.

What is the difference between SOC 2 Type I and Type II?

SOC 2 Type I attests that a company's security controls are suitably designed and in place at a specific point in time. SOC 2 Type II goes further and tests that those controls operated effectively over a period, usually three to twelve months. Stallion holds Type I today and has its Type II observation window underway.

Is React Native Stallion HIPAA compliant?

Stallion is not itself HIPAA-certified. For organisations with HIPAA or other strict regulatory requirements, Stallion offers on-premise deployment behind your own firewall, giving you full control over where data lives and who can access it.

How do I get Stallion's SOC 2 report?

Stallion's SOC 2 Type I report is available under NDA. Enterprise customers and teams in active evaluation can request it through the contact form at stalliontech.io/contact, and review published security documentation at the Trust Center.

Does Stallion support GDPR and data residency?

Yes. Enterprise customers can choose regional data hosting to keep React Native bundle updates and related data within a specific geographic region, supporting GDPR and other data-residency requirements. On-premise deployment is also available for full data sovereignty.

Are React Native OTA bundle updates encrypted and signed?

Yes. OTA bundles are encrypted in transit and at rest and served through signed, time-limited URLs. Stallion also supports customer-managed bundle signing, so every update is cryptographically origin-verified and tamper-evident before a device installs it — free on every plan.

Ship Fast, Stay Compliant

Great OTA infrastructure shouldn't force a trade-off between shipping speed and security review. React Native Stallion gives you staged rollouts, native crash-detection rollback, in-app testing, and customer-managed bundle signing — now backed by an independent SOC 2 Type I attestation.

React Native Stallion is free to start — 10K MAU free tier, no credit card required.

Get Started Free →