Security at Confidion Sentry
Confidion Sentry is an advanced OSINT platform that provides comprehensive intelligence gathering, threat monitoring, and data analysis capabilities. We take the security and privacy of our customers' data extremely seriously and are committed to safeguarding it with industry-leading practices.
This page outlines the high-level details for the frameworks, regulations, and certifications that apply to our company and products. You can also contact us with specific questions or to request access to detailed documentation.
Security is Essential to Confidion Sentry
At Confidion, we take the security and privacy of our customers' data extremely seriously. We understand that our customers trust us with sensitive intelligence data and we are committed to safeguarding it.
Our commitment to security and privacy is an ongoing effort, and we are constantly working to improve our systems and processes. We believe that our customers deserve nothing less than the highest level of security and privacy, and we will continue to make it our top priority.
Compliance
Frameworks and standards we align with and are working towards.
Cloud Infrastructure
Our platform is hosted on Amazon Web Services in the Canada (Central) region (ca-central-1) — an AWS data centre assessed for Government of Canada Protected B workloads — so your data is resident in Canada. AWS maintains SOC 2 Type II, ISO 27001, and PCI DSS certifications for this infrastructure. All data is encrypted in transit (TLS 1.2+) and sensitive data is encrypted at rest using AES-256-GCM. Our Collector Agent ingestion pipeline uses hybrid encryption (X25519 ECDH key exchange + AES-256-GCM) for end-to-end protection of user-submitted files.
Data Types Collected
Policies & Standards
Our documented security policies aligned with SOC 2 Trust Service Criteria.
Security Documentation
Additional security resources and assessments.
Security Controls
Technical and organizational controls protecting our platform and your data. 47 of 47 controls implemented.
Authentication & Identity 9 controls
- Argon2id password hashing with bcrypt fallback Implemented
- TOTP-based Multi-Factor Authentication (RFC 6238) Implemented
- MFA backup codes for account recovery Implemented
- Strong password policy (12+ chars, complexity requirements) Implemented
- Session fingerprinting + user-configurable idle timeout (30 min to 12 h, default 8 h) Implemented
- Maximum 5 concurrent sessions per user Implemented
- Trusted device management (30-day device cookies) Implemented
- Role-based access control (viewer, analyst, admin, super_admin) Implemented
- Account lockout after repeated failed attempts Implemented
Data Protection & Encryption 7 controls
- AES-256-GCM encryption for API keys and secrets Implemented
- Encrypted email storage with searchable blind indexes Implemented
- TLS 1.2+ enforced for all data in transit Implemented
- CSRF token generation and validation on all forms Implemented
- Encrypted entity profile data at rest (AES-256-GCM) Implemented
- Full PII encryption at rest (application-level) Implemented
- Automated encryption key rotation Implemented
Application Security 8 controls
- Prepared statements for all database queries (SQL injection prevention) Implemented
- Input validation and output encoding (XSS prevention) Implemented
- Centralized security bootstrap for all request paths Implemented
- Content Security Policy (CSP) headers Implemented
- HSTS with preload, X-Frame-Options, X-Content-Type-Options Implemented
- Secure cookie configuration (HttpOnly, Secure, SameSite=Strict) Implemented
- Log injection prevention (sanitized X-Request-ID) Implemented
- Automated security testing (SAST/DAST) in CI/CD Implemented
Rate Limiting & Abuse Prevention 5 controls
- Login rate limiting (5 attempts / 5 minutes per IP) Implemented
- API rate limiting (100 requests / minute) Implemented
- Registration rate limiting (5 attempts / hour) Implemented
- IP blocklist with auto-expiration Implemented
- Search query sanitization and length limits Implemented
Monitoring & Logging 6 controls
- Security audit logging with risk scoring Implemented
- Request tracing with unique X-Request-ID headers Implemented
- Slow request logging (>2s threshold) Implemented
- Admin security dashboard for audit log review Implemented
- Security alerts with severity classification Implemented
- Anomaly detection and real-time alerting Implemented
Organizational Security 6 controls
- Documented incident response plan (SEV-1 through SEV-4) Implemented
- Change management policy (standard, normal, emergency changes) Implemented
- Data classification and retention policy Implemented
- Vendor risk management with three-tier classification Implemented
- Business continuity and disaster recovery plan Implemented
- Admin access review and user management controls Implemented
Infrastructure Security 6 controls
- Environment-based configuration (no hardcoded secrets) Implemented
- Production error suppression (no information disclosure) Implemented
- Database backups (daily full + continuous incremental) Implemented
- MariaDB with strict SQL mode and parameterized queries Implemented
- Web Application Firewall (WAF) rules Implemented
- Database user privilege separation Implemented
Subprocessors
Third-party service providers that process data on our behalf. Currently 13 active subprocessors.
Frequently Asked Questions
Do you encrypt data in transit and at rest?
Yes. All data in transit is encrypted using TLS 1.2 or higher. Sensitive data at rest, including API keys, MFA secrets, and user PII (email addresses, phone numbers), is encrypted using AES-256-GCM with per-field blind indexes for secure lookups. Passwords are hashed using Argon2id with bcrypt as a fallback. Our Collector Agent uses hybrid encryption (X25519 ECDH key exchange + AES-256-GCM) for end-to-end file protection. Encryption keys are managed via environment variables with documented rotation procedures per our Cryptographic Key Management Policy.
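As an added illustration of the blind-index lookup described in this answer (editor's example code, not Confidion's FieldEncryptionService), the following Go program shows how an HMAC-SHA256 index is computed beside an encrypted column and used for equality search. The key values, the normalization rule and the in-memory stand-in for the users table are assumptions; encryption of the column itself is represented by an opaque placeholder.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Editor-added example, not Confidion's FieldEncryptionService. The encrypted
// column is opaque to the database, so an HMAC-SHA256 of the normalized value,
// keyed separately from the encryption key, is stored beside it and used for
// equality lookups. Key values, the normalization rule and the in-memory
// table are assumptions.

// normalizeEmail fixes case and whitespace so one address always maps to one
// index value. The rule must stay stable for the life of the index column.
func normalizeEmail(email string) string {
	return strings.ToLower(strings.TrimSpace(email))
}

// blindIndex = hex(HMAC-SHA256(indexKey, normalizeEmail(email))). Without
// indexKey an attacker holding the table cannot test candidate addresses.
func blindIndex(indexKey []byte, email string) string {
	mac := hmac.New(sha256.New, indexKey)
	mac.Write([]byte(normalizeEmail(email)))
	return hex.EncodeToString(mac.Sum(nil))
}

// userRow stands in for a users table: EmailCT holds the AES-256-GCM
// ciphertext (an opaque placeholder here), EmailIndex the blind index.
type userRow struct {
	ID         int
	EmailCT    []byte
	EmailIndex string
}

// insertUser computes the index once, at write time, from the plaintext the
// application already holds; the database never sees the address.
func insertUser(table []userRow, indexKey []byte, id int, email string, ciphertext []byte) []userRow {
	return append(table, userRow{ID: id, EmailCT: ciphertext, EmailIndex: blindIndex(indexKey, email)})
}

// findByEmail is the equivalent of "SELECT ... WHERE email_idx = ?": the search
// term is indexed the same way and compared in constant time.
func findByEmail(table []userRow, indexKey []byte, email string) (userRow, bool) {
	want := []byte(blindIndex(indexKey, email))
	for _, row := range table {
		if hmac.Equal([]byte(row.EmailIndex), want) {
			return row, true
		}
	}
	return userRow{}, false
}

func main() {
	indexKey := []byte("constructed-demo-index-key") // must differ from the encryption key
	var users []userRow
	users = insertUser(users, indexKey, 1, "Analyst@Example.com", []byte("<ciphertext>"))
	row, ok := findByEmail(users, indexKey, "  analyst@example.com ")
	fmt.Println(ok, row.ID) // true 1
	_, ok = findByEmail(users, []byte("some-other-key"), "analyst@example.com")
	fmt.Println(ok) // false: the index is useless without the key
}
```

Two properties of this construction are worth keeping in mind when reviewing a deployment: a blind index reveals equality (two rows with the same address get the same index value) and supports equality search only, and if the index key leaks alongside the table, low-entropy values can be recovered by trying candidates, which is why the index key must be kept separate from the encryption key and rotated with it.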
Do you support Multi-Factor Authentication (MFA)?
Yes. We support TOTP-based Multi-Factor Authentication compliant with RFC 6238. Users can enable MFA from their account settings and are provided with backup codes for account recovery. We also support "trusted device" functionality so users don't need to re-enter MFA codes on recognized devices for 30 days.
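The RFC 6238 scheme referred to in this answer, as an added example (editor's code, not Confidion's implementation): a TOTP generator plus the server-side verifier, written against the Go standard library. The 30-second step, 6-digit codes and one-step skew window are assumptions; the shared secret is the RFC's own SHA-1 test vector.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// Editor-added example, not Confidion's code: an RFC 6238 TOTP generator and
// verifier built on the Go standard library, with the checks a server-side
// verifier needs (fixed window, constant-time compare, no step reuse). The
// 30-second step, 6 digits and one-step skew window are assumptions.

const (
	totpStep   = 30      // seconds per time step (RFC 6238 default X)
	totpDigits = 6       // codes are zero-padded to this width
	totpMod    = 1000000 // 10^totpDigits
	totpSkew   = 1       // accept one step either side to absorb clock drift
)

// hotp implements RFC 4226 HOTP (HMAC-SHA1 + dynamic truncation).
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%0*d", totpDigits, code%totpMod)
}

// totp is HOTP over the time step counter T = floor(unixTime / totpStep).
func totp(secret []byte, unixTime int64) string {
	return hotp(secret, uint64(unixTime/totpStep))
}

// verifyTOTP checks a submitted code against the current step and its
// totpSkew neighbours. Steps at or before lastUsedStep are refused so a
// code captured in transit cannot be replayed inside the window. The
// server persists the returned step as the new lastUsedStep on success.
func verifyTOTP(secret []byte, code string, unixTime int64, lastUsedStep int64) (int64, bool) {
	if len(code) != totpDigits {
		return 0, false
	}
	for _, c := range code {
		if c < '0' || c > '9' {
			return 0, false
		}
	}
	now := unixTime / totpStep
	matched := int64(-1)
	for d := int64(-totpSkew); d <= totpSkew; d++ {
		step := now + d
		if step <= lastUsedStep {
			continue
		}
		// Compare every candidate, not just until the first hit, so timing
		// does not reveal which step matched.
		if subtle.ConstantTimeCompare([]byte(hotp(secret, uint64(step))), []byte(code)) == 1 && matched < 0 {
			matched = step
		}
	}
	return matched, matched >= 0
}

func main() {
	// RFC 6238 Appendix B shared secret for HMAC-SHA1 (20 ASCII bytes).
	secret := []byte("12345678901234567890")
	fmt.Println(totp(secret, 59)) // 287082: the 6-digit tail of the RFC's 94287082
	step, ok := verifyTOTP(secret, "287082", 59, 0)
	fmt.Println(step, ok) // 1 true
	_, ok = verifyTOTP(secret, "287082", 59, step)
	fmt.Println(ok) // false: the same step cannot be used twice
}
```

The verifier deliberately keeps state (the last accepted step) per user: without it, a code that was phished or shoulder-surfed stays valid for the whole skew window, which is the usual gap in home-grown TOTP checks. Backup codes and trusted-device cookies are separate mechanisms and are not modelled here.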
What compliance frameworks do you follow?
We are actively working towards SOC 2 Type II certification and align our security practices with NIST CSF 2.0, CIS Critical Security Controls v8.1, and OWASP Top 10. Our policies cover the five SOC 2 Trust Service Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
How do you handle security incidents?
We maintain a formal Incident Response Plan with four severity levels (SEV-1 through SEV-4). SEV-1 incidents (active breaches) trigger a 15-minute response with all-hands mobilization. Our five-phase process covers Detection, Containment (30 min target), Eradication, Recovery, and Post-Incident Review (within 5 business days). Affected customers are notified within 72 hours of a confirmed breach.
How do you manage third-party vendor risk?
Vendors are classified by risk tier. Tier 1 (Critical) vendors, those processing sensitive data or hosting infrastructure, must provide SOC 2 Type II reports and data processing agreements and undergo annual security reviews. Tier 2 (High) vendors require SOC 2 or equivalent with annual reviews. Tier 3 (Medium) vendors undergo a basic security review biennially. All vendor contracts include breach notification clauses and data deletion upon termination.
What is your data retention policy?
We follow a four-level data classification system (Restricted, Confidential, Internal, Public) with defined retention periods for each data type. Rate limit data is retained for 24 hours, session data for 24 hours after expiry, audit logs for 1 year, and user account data for the duration of the account plus 30 days after deletion. We support data subject access requests (DSAR), correction, erasure, and portability.
How can I report a potential security issue?
If you discover a potential security vulnerability, please report it to support@confidion.com. We take all reports seriously and will acknowledge receipt within 24 hours. We ask that you give us reasonable time to investigate and address the issue before any public disclosure.
What uptime SLA do you offer?
Our Business Continuity Plan targets 99.5% uptime (approximately 3.6 hours of allowable downtime per month). Our Recovery Point Objective (RPO) is 4 hours and Recovery Time Objective (RTO) is 2 hours. We perform daily encrypted database backups to Amazon S3 (ca-central-1, isolated to a private bucket with public access blocked, server-side encrypted with a customer-managed AWS KMS key) with versioning enabled and a 30-day retention lifecycle. Backups include the application secrets file alongside the database dump so encrypted-at-rest fields remain restorable. Each upload includes a SHA-256 sidecar for integrity verification, and we run periodic backup restoration tests and full disaster recovery drills.
What is the Collector Agent and how is data secured?
The Collector Agent is optional software you install on your own machines to securely send local files (reports, logs, spreadsheets) to Sentry for analysis. Files are encrypted end-to-end using hybrid encryption: X25519 ECDH key exchange negotiates a shared secret, then AES-256-GCM encrypts each file before it leaves your machine. Every agent must be registered and explicitly approved by an administrator before it can transmit data. API keys are unique per agent and bcrypt-hashed on the server. Encryption keys can be rotated at any time.
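The envelope described in this answer, as an added example (editor's code, not the Collector Agent's own implementation): the agent derives a per-file key from an ephemeral X25519 key and the server's long-term public key, seals the file with AES-256-GCM, and the server reverses it with its private key alone. The key derivation (SHA-256 over a label, the shared secret and both public keys) and the envelope layout are assumptions, not the agent's actual wire format; the file contents are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Editor-added example, not Confidion's code: a hybrid envelope in the style the
// Collector Agent FAQ describes (X25519 ECDH, then AES-256-GCM), standard library
// only. The KDF (SHA-256 over a label, the shared secret and both public keys)
// and the envelope layout are assumptions, not the agent's actual wire format.

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM returns nonce || ciphertext || tag; aad is authenticated, not encrypted.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce for every message
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM; any change to ciphertext or aad fails the tag check.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// deriveFileKey (assumed KDF) binds the file key to a label and both public keys.
func deriveFileKey(shared, ephPub, serverPub []byte) []byte {
	h := sha256.New()
	for _, part := range [][]byte{[]byte("collector-file-key-v1"), shared, ephPub, serverPub} {
		h.Write(part)
	}
	return h.Sum(nil)
}

// agentEncryptFile runs on the agent: a fresh ephemeral X25519 key per file, ECDH
// with the server's long-term public key, then AES-256-GCM over the file with the
// ephemeral public key as AAD. The ephemeral private key is gone when this returns.
// Envelope = ephemeral public key (32 bytes) || nonce || ciphertext || tag.
func agentEncryptFile(serverPub *ecdh.PublicKey, file []byte) ([]byte, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(serverPub)
	if err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes()
	sealed, err := sealGCM(deriveFileKey(shared, ephPub, serverPub.Bytes()), file, ephPub)
	if err != nil {
		return nil, err
	}
	return append(ephPub, sealed...), nil
}

// serverDecryptFile runs on the server and needs only the server's private key.
func serverDecryptFile(serverPriv *ecdh.PrivateKey, envelope []byte) ([]byte, error) {
	if len(envelope) < 32 {
		return nil, errors.New("envelope too short")
	}
	ephPub, err := ecdh.X25519().NewPublicKey(envelope[:32])
	if err != nil {
		return nil, err
	}
	shared, err := serverPriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	key := deriveFileKey(shared, envelope[:32], serverPriv.PublicKey().Bytes())
	return openGCM(key, envelope[32:], envelope[:32])
}

func main() {
	serverPriv, _ := ecdh.X25519().GenerateKey(rand.Reader) // server's long-term key
	env, _ := agentEncryptFile(serverPriv.PublicKey(), []byte("constructed report contents"))
	pt, err := serverDecryptFile(serverPriv, env)
	fmt.Println(string(pt), err) // constructed report contents <nil>
}
```

Two design points carry the security argument: the ephemeral key gives each file its own AES key, so compromising one envelope does not expose others, and binding the ephemeral public key into both the KDF and the AAD means a modified envelope fails the GCM tag check rather than decrypting under an attacker-chosen key. Rotating the server key pair, as the answer above describes, invalidates any envelope produced against the old public key, so the agent must fetch the new key before its next upload.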
How does the AI/NLP analysis work and what data is shared?
Our platform uses AI-powered analysis (via Microsoft Azure OpenAI, hosted in Canada), natural language processing (NLP), and our own proprietary data collection and processing systems to generate sentiment scores, entity extraction, threat indicators, and trending keyword analysis on your OSINT data. Analysis is triggered manually by the user, never automatically. Only the specific search results or feed items you choose to analyze are sent to AI providers. All AI-generated outputs (threat scores, sentiment, entity tags) are clearly labeled as machine-generated. Our AI Governance Policy defines human review requirements, bias assessment procedures, and transparency standards.
How is team data isolated?
Confidion Sentry enforces strict team-level data isolation. Searches, entity profiles, data feeds, crawlers, and collector data are scoped to your team (account). Users on one team cannot see or access another team's data. Granular team permissions allow team owners to control what members can do, including content blocking policies. All cross-team boundaries are enforced at the database query level and verified by our Multi-Tenancy Security Policy.
Security Updates
Recent security improvements, compliance milestones, and advisories.
Trust Centre Auto-Update System
Infrastructure · March 2026
Controls, subprocessors, and security updates on the Trust Centre page are now dynamically sourced from the database, ensuring the page stays current as the platform evolves.
Trust Centre Launch
Compliance · March 2026
Launched our public Trust Centre, providing transparency into our security posture, compliance efforts, and data handling practices. This page is dynamically updated as we progress towards SOC 2 Type II certification.
PII Field Encryption Service
Security · February 2026
Implemented FieldEncryptionService providing application-level encryption for PII fields with searchable blind indexes (HMAC-SHA256), supporting SOC 2 CC6.7 and C1.2 criteria.
Entity Profile Encryption
Security · February 2026
Extended application-level AES-256-GCM encryption to entity profile data, adding encrypted storage with automatic encrypt/decrypt on read and write operations.
Comprehensive Security Assessment
Security · February 2026
Completed an internal security review identifying areas for improvement across authentication, authorization, data protection, and infrastructure. A prioritized remediation plan has been established and is actively being executed.
Security Headers & Rate Limiting
Infrastructure · February 2026
Implemented comprehensive security headers (HSTS with preload, CSP, X-Frame-Options, Referrer-Policy), rate limiting across login, registration, and API endpoints, and IP blocklist with auto-expiration.
MFA & Encryption Enhancements
Security · February 2026
Deployed TOTP-based Multi-Factor Authentication with backup codes, AES-256-GCM encryption for API keys and secrets, encrypted email storage with blind indexes, and enhanced session security with fingerprinting and idle timeouts.
Zero Trust Security Architecture Plan
Security · February 2026
Published a comprehensive Zero Trust Security Plan covering identity hardening, per-request authorization, end-to-end encryption, continuous monitoring, and infrastructure hardening with a 12-week implementation roadmap.
SOC 2 Policy Framework Established
Compliance · February 2026
Six comprehensive security policies documented covering Information Security, Incident Response, Data Classification & Retention, Change Management, Business Continuity & DR, and Vendor Risk Management, aligned with SOC 2 Trust Service Criteria.
Contact Security
Contact us with specific questions or to request access to detailed documentation.
Contact Us