Security at Confidion Sentry

Confidion Sentry is an advanced OSINT platform that provides comprehensive intelligence gathering, threat monitoring, and data analysis capabilities. We take the security and privacy of our customers' data extremely seriously and are committed to safeguarding it with industry-leading practices.

This page outlines the high-level details for the frameworks, regulations, and certifications that apply to our company and products. You can also contact us with specific questions or to request access to detailed documentation.

Contact: support@confidion.com · Privacy Policy

Security is Essential to Confidion Sentry

At Confidion, we take the security and privacy of our customers' data extremely seriously. We understand that our customers trust us with sensitive intelligence data and we are committed to safeguarding it.

Our commitment to security and privacy is an ongoing effort, and we are constantly working to improve our systems and processes. We believe that our customers deserve nothing less than the highest level of security and privacy, and we will continue to make it our top priority.

Compliance

Frameworks and standards we align with and are working towards.

SOC 2 Type II · AICPA Trust Service Criteria · In Progress (100% implemented)

NIST CSF 2.0 · Cybersecurity Framework · Aligned (100% aligned)

CIS Critical Security Controls · v8.1 Implementation · In Progress (100% implemented)

OWASP Top 10 · Web Application Security · Active (100% covered)

Cloud Infrastructure

Our platform infrastructure is hosted with enterprise-grade cloud providers that maintain SOC 2 Type II, ISO 27001, and PCI DSS certifications. All data is encrypted in transit (TLS 1.2+) and sensitive data is encrypted at rest using AES-256-GCM.

Data Types Collected

User Name & Email
OSINT Intelligence Data
Billing Information
Search Queries & Results
Audit & Activity Logs

Policies & Standards

Our documented security policies aligned with SOC 2 Trust Service Criteria.

Information Security Policy

Defense-in-depth principles, access control, secure development practices, and infrastructure hardening standards.

Policy · CC1.1, CC6.1

Incident Response Plan

SEV-1 through SEV-4 severity classification, 5-phase response process, evidence preservation, and stakeholder communication procedures.

Policy · CC7.3, CC7.4

Data Classification & Retention Policy

Four-level classification (Restricted, Confidential, Internal, Public), data inventory mapping, retention periods, and data subject rights.

Policy · CC6.5, P5.1

Change Management Policy

Standard, Normal, and Emergency change types with peer review requirements, pre-deployment checklists, and rollback procedures.

Policy · CC8.1

Business Continuity & DR Plan

99.5% uptime SLA, RPO of 4 hours, RTO of 2 hours, backup procedures, and disaster recovery scenarios.

Policy · A1.2, A1.3

Vendor Risk Management Policy

Four-tier vendor classification, onboarding security assessments, contractual requirements, and ongoing monitoring procedures.

Policy · CC9.1, CC9.2

Access Control Policy

User provisioning and deprovisioning, quarterly access reviews, RBAC roles, MFA requirements, and emergency revocation procedures.

Policy · CC6.1, CC6.3, CC6.4

Acceptable Use Policy

Personnel and platform user conduct expectations, OSINT-specific ethics, prohibited activities, and enforcement procedures.

Policy · CC1.3, CC1.4

Risk Assessment Policy

Documented risk assessment methodology, likelihood/impact scoring, fraud risk assessment, and threat identification procedures.

Policy · CC3.1, CC3.2, CC3.3

Data Protection Policy

Encryption controls, data subject rights with per-jurisdiction response timelines, breach notification, and third-party data sharing rules.

Policy · C1.1, P1.1, P8.1

Asset Management Policy

Asset lifecycle management, cryptographic key inventory, software dependency tracking, and decommissioning procedures.

Policy · CC6.5, CC6.8

Security Documentation

Additional security resources and assessments.

SOC 2 Compliance Checklist

Comprehensive readiness assessment covering all five Trust Service Criteria with gap analysis and 16-week remediation roadmap.

Assessment

Zero Trust Security Plan

UX-first approach to zero trust architecture covering identity, authorization, encryption, monitoring, and infrastructure hardening.

Architecture

Security Review Report

Comprehensive security assessment with identified findings, risk ratings, and prioritized remediation timeline.

Assessment

Security Controls

Technical and organizational controls protecting our platform and your data. 47 of 47 controls implemented.

Authentication & Identity · 9 controls

Argon2id password hashing with bcrypt fallback Implemented
TOTP-based Multi-Factor Authentication (RFC 6238) Implemented
MFA backup codes for account recovery Implemented
Strong password policy (12+ chars, complexity requirements) Implemented
Session fingerprinting and idle timeout (30 min) Implemented
Maximum 5 concurrent sessions per user Implemented
Trusted device management (30-day device cookies) Implemented
Role-based access control (viewer, analyst, admin, super_admin) Implemented
Account lockout after repeated failed attempts Implemented

Data Protection & Encryption · 7 controls

AES-256-GCM encryption for API keys and secrets Implemented
Encrypted email storage with searchable blind indexes Implemented
TLS 1.2+ enforced for all data in transit Implemented
CSRF token generation and validation on all forms Implemented
Encrypted entity profile data at rest (AES-256-GCM) Implemented
Full PII encryption at rest (application-level) Implemented
Automated encryption key rotation Implemented

Application Security · 8 controls

Prepared statements for all database queries (SQL injection prevention) Implemented
Input validation and output encoding (XSS prevention) Implemented
Centralized security bootstrap for all request paths Implemented
Content Security Policy (CSP) headers Implemented
HSTS with preload, X-Frame-Options, X-Content-Type-Options Implemented
Secure cookie configuration (HttpOnly, Secure, SameSite=Strict) Implemented
Log injection prevention (sanitized X-Request-ID) Implemented
Automated security testing (SAST/DAST) in CI/CD Implemented

Rate Limiting & Abuse Prevention · 5 controls

Login rate limiting (5 attempts / 5 minutes per IP) Implemented
API rate limiting (100 requests / minute) Implemented
Registration rate limiting (5 attempts / hour) Implemented
IP blocklist with auto-expiration Implemented
Search query sanitization and length limits Implemented

Monitoring & Logging · 6 controls

Security audit logging with risk scoring Implemented
Request tracing with unique X-Request-ID headers Implemented
Slow request logging (>2s threshold) Implemented
Admin security dashboard for audit log review Implemented
Security alerts with severity classification Implemented
Anomaly detection and real-time alerting Implemented

Organizational Security · 6 controls

Documented incident response plan (SEV-1 through SEV-4) Implemented
Change management policy (standard, normal, emergency changes) Implemented
Data classification and retention policy Implemented
Vendor risk management with three-tier classification Implemented
Business continuity and disaster recovery plan Implemented
Admin access review and user management controls Implemented

Infrastructure Security · 6 controls

Environment-based configuration (no hardcoded secrets) Implemented
Production error suppression (no information disclosure) Implemented
Database backups (daily full + continuous incremental) Implemented
MariaDB with strict SQL mode and parameterized queries Implemented
Web Application Firewall (WAF) rules Implemented
Database user privilege separation Implemented

Subprocessors

Third-party service providers that process data on our behalf. Currently 8 active subprocessors.

Vendor | Service | Data Shared | Location | Risk Tier
Stripe (Payment Processor) | Payment processing & subscription billing | Customer email, billing details, subscription data | USA | Tier 1 — Critical
Anthropic (Claude) (AI Analysis Engine) | AI-powered intelligence analysis | Search queries, OSINT content for analysis | USA | Tier 1 — Critical
Hosting Provider (Cloud Infrastructure) | Server infrastructure & hosting | All platform data | Canada | Tier 1 — Critical
SMTP2Go (Email Delivery) | Transactional email delivery | Recipient email addresses, email content | New Zealand | Tier 2 — Important
Google Custom Search (Search API) | Web search results via Google CSE | Search queries | USA | Tier 2 — Important
NewsAPI / GNews / Mediastack (News Data Feeds) | Real-time news aggregation | Search queries, topic keywords | Various | Tier 2 — Important
USGS / EMSC / IRIS (Environmental Sensors) | Earthquake and seismic data feeds | Geographic query parameters | USA / EU | Tier 3 — Standard
Google Fonts (Web Fonts CDN) | Font delivery (CDN) | User IP addresses (via browser request) | USA | Tier 3 — Standard

Frequently Asked Questions

Do you encrypt data in transit and at rest?

Yes. All data in transit is encrypted using TLS 1.2 or higher. Sensitive data at rest — including API keys, MFA secrets, and user PII (email addresses, phone numbers) — is encrypted using AES-256-GCM with per-field blind indexes for secure lookups. Passwords are hashed using Argon2id with bcrypt as a fallback. Encryption keys are managed via environment variables with documented rotation procedures.

Do you support Multi-Factor Authentication (MFA)?

Yes. We support TOTP-based Multi-Factor Authentication compliant with RFC 6238. Users can enable MFA from their account settings and are provided with backup codes for account recovery. We also support "trusted device" functionality so users don't need to re-enter MFA codes on recognized devices for 30 days.

What compliance frameworks do you follow?

We are actively working towards SOC 2 Type II certification and align our security practices with NIST CSF 2.0, CIS Critical Security Controls v8.1, and OWASP Top 10. Our policies cover the five SOC 2 Trust Service Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.

How do you handle security incidents?

We maintain a formal Incident Response Plan with four severity levels (SEV-1 through SEV-4). SEV-1 incidents (active breaches) trigger a 15-minute response with all-hands mobilization. Our five-phase process covers Detection, Containment (30 min target), Eradication, Recovery, and Post-Incident Review (within 5 business days). Affected customers are notified within 72 hours of a confirmed breach.

How do you manage third-party vendor risk?

All vendors are classified into four risk tiers. Tier 1 (Critical) vendors — those processing sensitive data or hosting infrastructure — must provide SOC 2 Type II reports, data processing agreements, and undergo annual security reviews. Tier 2 (High) vendors require SOC 2 or equivalent with annual reviews. Tier 3 (Medium) vendors undergo basic security review biennially. All vendor contracts include breach notification clauses and data deletion upon termination.

What is your data retention policy?

We follow a four-level data classification system (Restricted, Confidential, Internal, Public) with defined retention periods for each data type. Rate limit data is retained for 24 hours, session data for 24 hours after expiry, audit logs for 1 year, and user account data for the duration of the account plus 30 days after deletion. We support data subject access requests (DSAR), correction, erasure, and portability.

How can I report a potential security issue?

If you discover a potential security vulnerability, please report it to support@confidion.com. We take all reports seriously and will acknowledge receipt within 24 hours. We ask that you give us reasonable time to investigate and address the issue before any public disclosure.

What uptime SLA do you offer?

Our Business Continuity Plan targets 99.5% uptime (approximately 3.6 hours of allowable downtime per month). Our Recovery Point Objective (RPO) is 4 hours and Recovery Time Objective (RTO) is 2 hours. We perform daily full database backups stored on Backblaze B2 with continuous incremental backups, monthly backup restoration verification, and annual full disaster recovery drills.

Security Updates

Recent security improvements, compliance milestones, and advisories.

Infrastructure · March 2026

Trust Centre Auto-Update System

Controls, subprocessors, and security updates on the Trust Centre page are now dynamically sourced from the database, ensuring the page stays current as the platform evolves.

Compliance · March 2026

Trust Centre Launch

Launched our public Trust Centre, providing transparency into our security posture, compliance efforts, and data handling practices. This page is dynamically updated as we progress towards SOC 2 Type II certification.

Security · February 2026

PII Field Encryption Service

Implemented FieldEncryptionService providing application-level encryption for PII fields with searchable blind indexes (HMAC-SHA256), supporting SOC 2 CC6.7 and C1.2 criteria.
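As an added illustration of the field-level scheme described here and in the encryption FAQ above (AES-256-GCM ciphertext alongside an HMAC-SHA256 blind index), this is example code written for this page, not Confidion's FieldEncryptionService; the type and method names, the two-key layout, and the column-name-as-AAD binding are assumptions. It shows why a blind index needs its own key and value normalisation, and how the authenticated ciphertext rejects tampering or a blob moved to another column.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"strings"
)

// FieldVault pairs an AES-256-GCM data key with a separate HMAC-SHA256 index
// key; type and method names are illustrative, not the platform's own code.
type FieldVault struct{ aead cipher.AEAD; indexKey []byte }
func NewFieldVault(encKey, indexKey []byte) (*FieldVault, error) {
	block, err := aes.NewCipher(encKey) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	return &FieldVault{aead: g, indexKey: indexKey}, err
}
// Encrypt returns nonce||ciphertext||tag; the column name is bound as AAD so
// a blob copied into another column fails to authenticate.
func (v *FieldVault) Encrypt(column, plaintext string) ([]byte, error) {
	nonce := make([]byte, v.aead.NonceSize()) // fresh random nonce per write
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return v.aead.Seal(nonce, nonce, []byte(plaintext), []byte(column)), nil
}
func (v *FieldVault) Decrypt(column string, blob []byte) (string, error) {
	ns := v.aead.NonceSize()
	if len(blob) < ns {
		return "", errors.New("ciphertext too short")
	}
	pt, err := v.aead.Open(nil, blob[:ns], blob[ns:], []byte(column))
	if err != nil {
		return "", err // wrong key, tampered blob, or wrong column
	}
	return string(pt), nil
}
// BlindIndex is a deterministic keyed hash of the normalised value, so an
// equality lookup (WHERE email_bidx = ?) works without decrypting every row.
func (v *FieldVault) BlindIndex(value string) string {
	mac := hmac.New(sha256.New, v.indexKey)
	mac.Write([]byte(strings.ToLower(strings.TrimSpace(value))))
	return hex.EncodeToString(mac.Sum(nil))
}
```

Because the index is keyed and the data key is never reused for it, an attacker holding only the database cannot enumerate candidate emails against the index column, and two rows with the same email still carry different ciphertexts thanks to the per-write nonce.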

Security · February 2026

Entity Profile Encryption

Extended application-level AES-256-GCM encryption to entity profile data, adding encrypted storage with automatic encrypt/decrypt on read and write operations.

Security · February 2026

Comprehensive Security Assessment

Completed an internal security review identifying areas for improvement across authentication, authorization, data protection, and infrastructure. A prioritized remediation plan has been established and is actively being executed.

Infrastructure · February 2026

Security Headers & Rate Limiting

Implemented comprehensive security headers (HSTS with preload, CSP, X-Frame-Options, Referrer-Policy), rate limiting across login, registration, and API endpoints, and IP blocklist with auto-expiration.

Security · February 2026

MFA & Encryption Enhancements

Deployed TOTP-based Multi-Factor Authentication with backup codes, AES-256-GCM encryption for API keys and secrets, encrypted email storage with blind indexes, and enhanced session security with fingerprinting and idle timeouts.

Security · February 2026

Zero Trust Security Architecture Plan

Published a comprehensive Zero Trust Security Plan covering identity hardening, per-request authorization, end-to-end encryption, continuous monitoring, and infrastructure hardening with a 12-week implementation roadmap.

Compliance · February 2026

SOC 2 Policy Framework Established

Six comprehensive security policies documented covering Information Security, Incident Response, Data Classification & Retention, Change Management, Business Continuity & DR, and Vendor Risk Management — aligned with SOC 2 Trust Service Criteria.