CONFIDENTIALITY AGREEMENT FOR SOC 2 POLICY ACCESS

Company Background

Shade Inc. (Shade) is an AI-powered cloud NAS that merges the speed and security of local storage with the convenience of the cloud. Shade was founded in 2022 by Brandon Fan and Emerson Dove with the intention of giving producers and studios more time to focus on the creative process.

Description of Services Provided

Shade provides efficient services for creators to collaborate on local and cloud files. With a user-friendly toolkit for media teams, Shade unlocks editor and producer potential, enabling faster workflows for the creative process. The Shade platform provides a range of tools including neural searching, virtual mounting, auto-tagging, and asset preview generation. Shade also provides tools for user management, editing, approval, and file management.

Security Timeline

Production Network Diagram

[Figure: Shade Architecture (Shade Architecture.png)]

Containerized Deployment:

Shade’s applications are deployed as isolated containers in Kubernetes pods, each with strictly defined resource boundaries. Because each client workload runs in its own pod with its own processes and configuration, the chance of unintended data exposure between clients is reduced. Per-pod Kubernetes network policies limit which pods may communicate with one another, which contains lateral movement within the cluster, and Kubernetes Role-Based Access Control (RBAC) restricts what each pod’s service account is permitted to do against the cluster API.
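The following manifests are an added illustration of the two controls named above and are not Shade’s own configuration: a default-deny NetworkPolicy for a tenant namespace, an allow rule that admits traffic only from the ingress controller, an egress rule limited to DNS and the namespace’s own database, and a namespaced Role that gives the workload’s service account read-only access to ConfigMaps. The namespace, labels, ports and service-account names are assumptions.

```yaml
# Added illustration; namespace, labels, ports and names are assumed, not Shade's.
# 1. Default-deny: no pod in the tenant namespace may send or receive traffic
#    unless a more specific policy allows it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: tenant-acme
spec:
  podSelector: {}            # empty selector = every pod in the namespace
  policyTypes: ["Ingress", "Egress"]
---
# 2. Ingress: only the ingress-nginx controller may reach the API pods, on 8080.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-ingress
  namespace: tenant-acme
spec:
  podSelector:
    matchLabels:
      app: shade-api
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
          podSelector:
            matchLabels:
              app.kubernetes.io/name: ingress-nginx
      ports:
        - protocol: TCP
          port: 8080
---
# 3. Egress: cluster DNS plus this namespace's own database pod and nothing else,
#    so a compromised API pod cannot reach another tenant's namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress-dns-and-db
  namespace: tenant-acme
spec:
  podSelector:
    matchLabels:
      app: shade-api
  policyTypes: ["Egress"]
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    - to:
        - podSelector:
            matchLabels:
              app: shade-db
      ports:
        - protocol: TCP
          port: 5432
---
# 4. RBAC: the API pod's service account may read ConfigMaps in its own namespace
#    only (no cluster-wide binding, no Secrets, no pods/exec).
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: configmap-reader
  namespace: tenant-acme
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: shade-api-configmap-reader
  namespace: tenant-acme
subjects:
  - kind: ServiceAccount
    name: shade-api
    namespace: tenant-acme
roleRef:
  kind: Role
  name: configmap-reader
  apiGroup: rbac.authorization.k8s.io
```

Two checks a practitioner would run after applying these: NetworkPolicy objects are only enforced when the cluster’s CNI plugin implements them, so confirm enforcement by attempting a connection from a pod in another namespace rather than trusting that the object exists; and `kubectl auth can-i get secrets -n tenant-acme --as=system:serviceaccount:tenant-acme:shade-api` should answer “no”. Pods on the same node still share a kernel, so namespace-level policies such as these, not the container boundary alone, are what carry the tenant-separation claim.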

Dedicated Client File Stores:

Client data is allocated in separate, dedicated storage buckets or directories, such as Backblaze B2 object stores and encrypted, client-specific volumes, to ensure strict segregation. All data at rest is protected with AES-256 encryption, with keys managed through an enterprise-grade Key Management Service (KMS) that rotates them automatically. Inbound files are verified by hash check and scanned for malware before they are accepted, and outbound transfers use secure file transfer protocols (e.g., SFTP, which runs over SSH) with short-lived keys issued from a secrets management solution such as HashiCorp Vault.

Traffic Management:

Shade employs load balancers and ingress controllers that terminate TLS (version 1.2 or later) at the network edge, enforcing a restricted cipher-suite list and certificate pinning. A Web Application Firewall (WAF) at the same termination point filters malicious traffic and mitigates DDoS attacks. From there, requests are routed only to authorized backend services, so that a request for one client’s resources cannot be intercepted or redirected into another tenant’s environment.
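As an added illustration of the “TLS 1.2 or later with strict cipher suites” setting, and not Shade’s own configuration, the two ingress-nginx controller ConfigMaps below show a permissive setting beside the hardened one. The ConfigMap name and namespace are the defaults of a standard ingress-nginx install and are assumed here; only one of the two objects would actually be applied.

```yaml
# Added illustration for the ingress-nginx controller; ConfigMap name and
# namespace are the install defaults and are assumed. Apply one, not both.
#
# WEAK: still negotiates TLS 1.0/1.1 and any "HIGH" OpenSSL cipher, including
# non-forward-secret RSA key exchange and CBC suites. Do not deploy.
apiVersion: v1
kind: ConfigMap
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
data:
  ssl-protocols: "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"
  ssl-ciphers: "HIGH:!aNULL:!MD5"
---
# HARDENED: TLS 1.2 and 1.3 only; TLS 1.2 limited to ECDHE (forward-secret)
# AEAD suites, server picks the order, and HSTS tells browsers to stay on TLS.
apiVersion: v1
kind: ConfigMap
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
data:
  ssl-protocols: "TLSv1.2 TLSv1.3"
  ssl-ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305"
  ssl-prefer-server-ciphers: "true"
  hsts: "true"
  hsts-max-age: "31536000"
  hsts-include-subdomains: "true"
```

Note that `ssl-ciphers` governs TLS 1.2 only; the TLS 1.3 suites are fixed by the TLS library and are all AEAD with forward secrecy. To confirm the hardened setting took effect, `openssl s_client -connect <host>:443 -tls1_1` should fail to complete a handshake while `-tls1_2` succeeds.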

Private Network Access:

Certain environment segments are placed behind private Virtual Private Cloud (VPC) boundaries and firewall rules that restrict access to internal endpoints. Sensitive operations, such as database queries or indexing tasks, occur within these private networks. Access is further limited to approved IP ranges, VPN connections, and secure bastion hosts. This layered isolation ensures that only authenticated, authorized administrators and services can interact with sensitive infrastructure.

Disaster Recovery Practices:

Backups occur regularly and are stored in separate, encrypted environments on systems like Backblaze B2. Each client’s backup data remains logically segregated, with restoration processes carefully controlled to prevent cross-client data exposure. Disaster recovery testing is scheduled on a quarterly basis to ensure that failovers maintain data isolation and that restored data is free of corruption or unauthorized modifications.