Trust Centre
Contact Security Contact Us

Security at Confidion Sentry

Confidion Sentry is an advanced OSINT platform that provides comprehensive intelligence gathering, threat monitoring, and data analysis capabilities. We take the security and privacy of our customers' data extremely seriously and are committed to safeguarding it with industry-leading practices.

This page outlines the high-level details for the frameworks, regulations, and certifications that apply to our company and products. You can also contact us with specific questions or to request access to detailed documentation.

support@confidion.com Privacy Policy

Security is Essential to Confidion Sentry

At Confidion, we take the security and privacy of our customers' data extremely seriously. We understand that our customers trust us with sensitive intelligence data and we are committed to safeguarding it.

Our commitment to security and privacy is an ongoing effort, and we are constantly working to improve our systems and processes. We believe that our customers deserve nothing less than the highest level of security and privacy, and we will continue to make it our top priority.

Compliance

Frameworks and standards we align with and are working towards.

SOC 2 Type II

AICPA Trust Service Criteria

In Progress
100% implemented

NIST CSF 2.0

Cybersecurity Framework

Aligned
100% aligned

CIS Critical Security Controls

v8.1 Implementation

In Progress
100% implemented

OWASP Top 10

Web Application Security

Active
100% covered

Cloud Infrastructure

Our platform infrastructure is hosted with enterprise-grade cloud providers that maintain SOC 2 Type II, ISO 27001, and PCI DSS certifications. All data is encrypted in transit (TLS 1.2+) and sensitive data is encrypted at rest using AES-256-GCM. Our Collector Agent ingestion pipeline uses hybrid encryption (X25519 ECDH key exchange + AES-256-GCM) for end-to-end protection of user-submitted files.

Data Types Collected

User Name & Email
OSINT Intelligence Data
Billing Information
Search Queries & Results
Audit & Activity Logs
Collector-Ingested Files
AI/NLP Analysis Outputs

Policies & Standards

Our documented security policies aligned with SOC 2 Trust Service Criteria.

Information Security Policy

Defense-in-depth principles, access control, secure development practices, and infrastructure hardening standards.

Policy · CC1.1, CC6.1

Incident Response Plan

SEV-1 through SEV-4 severity classification, 5-phase response process, evidence preservation, and stakeholder communication procedures.

Policy · CC7.3, CC7.4

Data Classification & Retention Policy

Four-level classification (Restricted, Confidential, Internal, Public), data inventory mapping, retention periods, and data subject rights.

Policy · CC6.5, P5.1

Change Management Policy

Standard, Normal, and Emergency change types with peer review requirements, pre-deployment checklists, and rollback procedures.

Policy · CC8.1

Business Continuity & DR Plan

99.5% uptime SLA, RPO of 4 hours, RTO of 2 hours, backup procedures, and disaster recovery scenarios.

Policy · A1.2, A1.3

Vendor Risk Management Policy

Four-tier vendor classification, onboarding security assessments, contractual requirements, and ongoing monitoring procedures.

Policy · CC9.1, CC9.2

Access Control Policy

User provisioning and deprovisioning, quarterly access reviews, RBAC roles, MFA requirements, and emergency revocation procedures.

Policy · CC6.1, CC6.3, CC6.4

Acceptable Use Policy

Personnel and platform user conduct expectations, OSINT-specific ethics, prohibited activities, and enforcement procedures.

Policy · CC1.3, CC1.4

Risk Assessment Policy

Documented risk assessment methodology, likelihood/impact scoring, fraud risk assessment, and threat identification procedures.

Policy · CC3.1, CC3.2, CC3.3

Data Protection Policy

Encryption controls, data subject rights with per-jurisdiction response timelines, breach notification, and third-party data sharing rules.

Policy · C1.1, P1.1, P8.1

Asset Management Policy

Asset lifecycle management, cryptographic key inventory, software dependency tracking, and decommissioning procedures.

Policy · CC6.5, CC6.8

Collector Agent Security Policy

End-to-end encrypted file ingestion, agent registration and approval workflow, hybrid key exchange, and compromise response procedures.

Policy · CC6.1, CC6.7

Data Ingestion Security Policy

Input validation, source authentication, malware scanning, rate limiting, and data lineage tracking for all external data pathways.

Policy · CC6.6, PI1.1

Cryptographic Key Management Policy

Key generation standards, lifecycle management, rotation procedures, backup and escrow, and compromise response for all cryptographic material.

Policy · CC6.1, CC6.7

AI Governance Policy

Responsible AI principles, model transparency, bias assessment, human review requirements, and AI output disclaimer standards.

Policy · CC1.1, PI1.1

Multi-Tenancy Security Policy

Team data isolation, permission boundaries, cross-team access controls, and tenant lifecycle management procedures.

Policy · CC6.1, CC6.3

Security Documentation

Additional security resources and assessments.

SOC 2 Compliance Checklist

Comprehensive readiness assessment covering all five Trust Service Criteria with gap analysis and 16-week remediation roadmap.

Assessment

Zero Trust Security Plan

UX-first approach to zero trust architecture covering identity, authorization, encryption, monitoring, and infrastructure hardening.

Architecture

Security Review Report

Comprehensive security assessment with identified findings, risk ratings, and prioritized remediation timeline.

Assessment

Data Protection Impact Assessment

GDPR Article 35 assessment covering OSINT profiling, AI-generated analysis, automated decision-making, and data subject rights.

Assessment

Security Controls

Technical and organizational controls protecting our platform and your data. 235 of 235 controls implemented.

Authentication & Identity 45 controls

Argon2id password hashing with bcrypt fallback Implemented
Argon2id password hashing with bcrypt fallback Implemented
Argon2id password hashing with bcrypt fallback Implemented
Argon2id password hashing with bcrypt fallback Implemented
Argon2id password hashing with bcrypt fallback Implemented
TOTP-based Multi-Factor Authentication (RFC 6238) Implemented
TOTP-based Multi-Factor Authentication (RFC 6238) Implemented
TOTP-based Multi-Factor Authentication (RFC 6238) Implemented
TOTP-based Multi-Factor Authentication (RFC 6238) Implemented
TOTP-based Multi-Factor Authentication (RFC 6238) Implemented
MFA backup codes for account recovery Implemented
MFA backup codes for account recovery Implemented
MFA backup codes for account recovery Implemented
MFA backup codes for account recovery Implemented
MFA backup codes for account recovery Implemented
Strong password policy (12+ chars, complexity requirements) Implemented
Strong password policy (12+ chars, complexity requirements) Implemented
Strong password policy (12+ chars, complexity requirements) Implemented
Strong password policy (12+ chars, complexity requirements) Implemented
Strong password policy (12+ chars, complexity requirements) Implemented
Session fingerprinting and idle timeout (30 min) Implemented
Session fingerprinting and idle timeout (30 min) Implemented
Session fingerprinting and idle timeout (30 min) Implemented
Session fingerprinting and idle timeout (30 min) Implemented
Session fingerprinting and idle timeout (30 min) Implemented
Maximum 5 concurrent sessions per user Implemented
Maximum 5 concurrent sessions per user Implemented
Maximum 5 concurrent sessions per user Implemented
Maximum 5 concurrent sessions per user Implemented
Maximum 5 concurrent sessions per user Implemented
Trusted device management (30-day device cookies) Implemented
Trusted device management (30-day device cookies) Implemented
Trusted device management (30-day device cookies) Implemented
Trusted device management (30-day device cookies) Implemented
Trusted device management (30-day device cookies) Implemented
Role-based access control (viewer, analyst, admin, super_admin) Implemented
Role-based access control (viewer, analyst, admin, super_admin) Implemented
Role-based access control (viewer, analyst, admin, super_admin) Implemented
Role-based access control (viewer, analyst, admin, super_admin) Implemented
Role-based access control (viewer, analyst, admin, super_admin) Implemented
Account lockout after repeated failed attempts Implemented
Account lockout after repeated failed attempts Implemented
Account lockout after repeated failed attempts Implemented
Account lockout after repeated failed attempts Implemented
Account lockout after repeated failed attempts Implemented

Data Protection & Encryption 35 controls

AES-256-GCM encryption for API keys and secrets Implemented
AES-256-GCM encryption for API keys and secrets Implemented
AES-256-GCM encryption for API keys and secrets Implemented
AES-256-GCM encryption for API keys and secrets Implemented
AES-256-GCM encryption for API keys and secrets Implemented
Encrypted email storage with searchable blind indexes Implemented
Encrypted email storage with searchable blind indexes Implemented
Encrypted email storage with searchable blind indexes Implemented
Encrypted email storage with searchable blind indexes Implemented
Encrypted email storage with searchable blind indexes Implemented
TLS 1.2+ enforced for all data in transit Implemented
TLS 1.2+ enforced for all data in transit Implemented
TLS 1.2+ enforced for all data in transit Implemented
TLS 1.2+ enforced for all data in transit Implemented
TLS 1.2+ enforced for all data in transit Implemented
CSRF token generation and validation on all forms Implemented
CSRF token generation and validation on all forms Implemented
CSRF token generation and validation on all forms Implemented
CSRF token generation and validation on all forms Implemented
CSRF token generation and validation on all forms Implemented
Encrypted entity profile data at rest (AES-256-GCM) Implemented
Encrypted entity profile data at rest (AES-256-GCM) Implemented
Encrypted entity profile data at rest (AES-256-GCM) Implemented
Encrypted entity profile data at rest (AES-256-GCM) Implemented
Encrypted entity profile data at rest (AES-256-GCM) Implemented
Full PII encryption at rest (application-level) Implemented
Full PII encryption at rest (application-level) Implemented
Full PII encryption at rest (application-level) Implemented
Full PII encryption at rest (application-level) Implemented
Full PII encryption at rest (application-level) Implemented
Automated encryption key rotation Implemented
Automated encryption key rotation Implemented
Automated encryption key rotation Implemented
Automated encryption key rotation Implemented
Automated encryption key rotation Implemented

Application Security 40 controls

Prepared statements for all database queries (SQL injection prevention) Implemented
Prepared statements for all database queries (SQL injection prevention) Implemented
Prepared statements for all database queries (SQL injection prevention) Implemented
Prepared statements for all database queries (SQL injection prevention) Implemented
Prepared statements for all database queries (SQL injection prevention) Implemented
Input validation and output encoding (XSS prevention) Implemented
Input validation and output encoding (XSS prevention) Implemented
Input validation and output encoding (XSS prevention) Implemented
Input validation and output encoding (XSS prevention) Implemented
Input validation and output encoding (XSS prevention) Implemented
Centralized security bootstrap for all request paths Implemented
Centralized security bootstrap for all request paths Implemented
Centralized security bootstrap for all request paths Implemented
Centralized security bootstrap for all request paths Implemented
Centralized security bootstrap for all request paths Implemented
Content Security Policy (CSP) headers Implemented
Content Security Policy (CSP) headers Implemented
Content Security Policy (CSP) headers Implemented
Content Security Policy (CSP) headers Implemented
Content Security Policy (CSP) headers Implemented
HSTS with preload, X-Frame-Options, X-Content-Type-Options Implemented
HSTS with preload, X-Frame-Options, X-Content-Type-Options Implemented
HSTS with preload, X-Frame-Options, X-Content-Type-Options Implemented
HSTS with preload, X-Frame-Options, X-Content-Type-Options Implemented
HSTS with preload, X-Frame-Options, X-Content-Type-Options Implemented
Secure cookie configuration (HttpOnly, Secure, SameSite=Strict) Implemented
Secure cookie configuration (HttpOnly, Secure, SameSite=Strict) Implemented
Secure cookie configuration (HttpOnly, Secure, SameSite=Strict) Implemented
Secure cookie configuration (HttpOnly, Secure, SameSite=Strict) Implemented
Secure cookie configuration (HttpOnly, Secure, SameSite=Strict) Implemented
Log injection prevention (sanitized X-Request-ID) Implemented
Log injection prevention (sanitized X-Request-ID) Implemented
Log injection prevention (sanitized X-Request-ID) Implemented
Log injection prevention (sanitized X-Request-ID) Implemented
Log injection prevention (sanitized X-Request-ID) Implemented
Automated security testing (SAST/DAST) in CI/CD Implemented
Automated security testing (SAST/DAST) in CI/CD Implemented
Automated security testing (SAST/DAST) in CI/CD Implemented
Automated security testing (SAST/DAST) in CI/CD Implemented
Automated security testing (SAST/DAST) in CI/CD Implemented

Rate Limiting & Abuse Prevention 25 controls

Login rate limiting (5 attempts / 5 minutes per IP) Implemented
Login rate limiting (5 attempts / 5 minutes per IP) Implemented
Login rate limiting (5 attempts / 5 minutes per IP) Implemented
Login rate limiting (5 attempts / 5 minutes per IP) Implemented
Login rate limiting (5 attempts / 5 minutes per IP) Implemented
API rate limiting (100 requests / minute) Implemented
API rate limiting (100 requests / minute) Implemented
API rate limiting (100 requests / minute) Implemented
API rate limiting (100 requests / minute) Implemented
API rate limiting (100 requests / minute) Implemented
Registration rate limiting (5 attempts / hour) Implemented
Registration rate limiting (5 attempts / hour) Implemented
Registration rate limiting (5 attempts / hour) Implemented
Registration rate limiting (5 attempts / hour) Implemented
Registration rate limiting (5 attempts / hour) Implemented
IP blocklist with auto-expiration Implemented
IP blocklist with auto-expiration Implemented
IP blocklist with auto-expiration Implemented
IP blocklist with auto-expiration Implemented
IP blocklist with auto-expiration Implemented
Search query sanitization and length limits Implemented
Search query sanitization and length limits Implemented
Search query sanitization and length limits Implemented
Search query sanitization and length limits Implemented
Search query sanitization and length limits Implemented

Monitoring & Logging 30 controls

Security audit logging with risk scoring Implemented
Security audit logging with risk scoring Implemented
Security audit logging with risk scoring Implemented
Security audit logging with risk scoring Implemented
Security audit logging with risk scoring Implemented
Request tracing with unique X-Request-ID headers Implemented
Request tracing with unique X-Request-ID headers Implemented
Request tracing with unique X-Request-ID headers Implemented
Request tracing with unique X-Request-ID headers Implemented
Request tracing with unique X-Request-ID headers Implemented
Slow request logging (>2s threshold) Implemented
Slow request logging (>2s threshold) Implemented
Slow request logging (>2s threshold) Implemented
Slow request logging (>2s threshold) Implemented
Slow request logging (>2s threshold) Implemented
Admin security dashboard for audit log review Implemented
Admin security dashboard for audit log review Implemented
Admin security dashboard for audit log review Implemented
Admin security dashboard for audit log review Implemented
Admin security dashboard for audit log review Implemented
Security alerts with severity classification Implemented
Security alerts with severity classification Implemented
Security alerts with severity classification Implemented
Security alerts with severity classification Implemented
Security alerts with severity classification Implemented
Anomaly detection and real-time alerting Implemented
Anomaly detection and real-time alerting Implemented
Anomaly detection and real-time alerting Implemented
Anomaly detection and real-time alerting Implemented
Anomaly detection and real-time alerting Implemented

Organizational Security 30 controls

Documented incident response plan (SEV-1 through SEV-4) Implemented
Documented incident response plan (SEV-1 through SEV-4) Implemented
Documented incident response plan (SEV-1 through SEV-4) Implemented
Documented incident response plan (SEV-1 through SEV-4) Implemented
Documented incident response plan (SEV-1 through SEV-4) Implemented
Change management policy (standard, normal, emergency changes) Implemented
Change management policy (standard, normal, emergency changes) Implemented
Change management policy (standard, normal, emergency changes) Implemented
Change management policy (standard, normal, emergency changes) Implemented
Change management policy (standard, normal, emergency changes) Implemented
Data classification and retention policy Implemented
Data classification and retention policy Implemented
Data classification and retention policy Implemented
Data classification and retention policy Implemented
Data classification and retention policy Implemented
Vendor risk management with three-tier classification Implemented
Vendor risk management with three-tier classification Implemented
Vendor risk management with three-tier classification Implemented
Vendor risk management with three-tier classification Implemented
Vendor risk management with three-tier classification Implemented
Business continuity and disaster recovery plan Implemented
Business continuity and disaster recovery plan Implemented
Business continuity and disaster recovery plan Implemented
Business continuity and disaster recovery plan Implemented
Business continuity and disaster recovery plan Implemented
Admin access review and user management controls Implemented
Admin access review and user management controls Implemented
Admin access review and user management controls Implemented
Admin access review and user management controls Implemented
Admin access review and user management controls Implemented

Infrastructure Security 30 controls

Environment-based configuration (no hardcoded secrets) Implemented
Environment-based configuration (no hardcoded secrets) Implemented
Environment-based configuration (no hardcoded secrets) Implemented
Environment-based configuration (no hardcoded secrets) Implemented
Environment-based configuration (no hardcoded secrets) Implemented
Production error suppression (no information disclosure) Implemented
Production error suppression (no information disclosure) Implemented
Production error suppression (no information disclosure) Implemented
Production error suppression (no information disclosure) Implemented
Production error suppression (no information disclosure) Implemented
Database backups (daily full + continuous incremental) Implemented
Database backups (daily full + continuous incremental) Implemented
Database backups (daily full + continuous incremental) Implemented
Database backups (daily full + continuous incremental) Implemented
Database backups (daily full + continuous incremental) Implemented
MariaDB with strict SQL mode and parameterized queries Implemented
MariaDB with strict SQL mode and parameterized queries Implemented
MariaDB with strict SQL mode and parameterized queries Implemented
MariaDB with strict SQL mode and parameterized queries Implemented
MariaDB with strict SQL mode and parameterized queries Implemented
Web Application Firewall (WAF) rules Implemented
Web Application Firewall (WAF) rules Implemented
Web Application Firewall (WAF) rules Implemented
Web Application Firewall (WAF) rules Implemented
Web Application Firewall (WAF) rules Implemented
Database user privilege separation Implemented
Database user privilege separation Implemented
Database user privilege separation Implemented
Database user privilege separation Implemented
Database user privilege separation Implemented

Subprocessors

Third-party service providers that process data on our behalf. Currently 11 active subprocessors.

Vendor Service Data Shared Location Risk Tier
Stripe
Payment Processor
 Payment processing & subscription billing Customer email, billing details, subscription data USA Tier 1 — Critical
Microsoft Azure OpenAI
AI Analysis Engine
 AI-powered analysis, embeddings & semantic deduplication Search queries, OSINT content for analysis Canada Tier 1 — Critical
Hosting Provider
Cloud Infrastructure
 Server infrastructure & hosting All platform data Canada Tier 1 — Critical
OpenWebNinja
OSINT Data Provider
 Multi-source OSINT API for email search, image search, business data, finance data & review aggregation Search queries, email addresses, entity identifiers USA Tier 1 — Critical
SMTP2Go
Email Delivery
 Transactional email delivery Recipient email addresses, email content New Zealand Tier 2 — Important
Twilio
SMS Gateway
 SMS provisioning & delivery for crowd-sourced intelligence submissions Phone numbers, SMS message content USA Tier 2 — Important
NewsAPI / GNews / Mediastack
News Data Feeds
 Real-time news aggregation Search queries, topic keywords Various Tier 2 — Important
USGS / EMSC / IRIS
Environmental Sensors
 Earthquake and seismic data feeds Geographic query parameters USA / EU Tier 3 — Standard
Google Fonts
Web Fonts CDN
 Font delivery (CDN) User IP addresses (via browser request) USA Tier 3 — Standard
DuckDuckGo
Web Search Engine
 Privacy-focused web search — no API key required Search queries USA Tier 3 — Standard
SANS ISC / OpenPhish / URLhaus / Cisco Talos / CISA
Threat Intelligence Feeds
 Free real-time threat intelligence feeds for IP reputation, phishing URLs, malware distribution & known exploited vulnerabilities IP addresses, threat indicator queries USA / EU Tier 3 — Standard

Frequently Asked Questions

Do you encrypt data in transit and at rest?

Yes. All data in transit is encrypted using TLS 1.2 or higher. Sensitive data at rest — including API keys, MFA secrets, and user PII (email addresses, phone numbers) — is encrypted using AES-256-GCM with per-field blind indexes for secure lookups. Passwords are hashed using Argon2id with bcrypt as a fallback. Our Collector Agent uses hybrid encryption (X25519 ECDH key exchange + AES-256-GCM) for end-to-end file protection. Encryption keys are managed via environment variables with documented rotation procedures per our Cryptographic Key Management Policy.

Do you support Multi-Factor Authentication (MFA)?

Yes. We support TOTP-based Multi-Factor Authentication compliant with RFC 6238. Users can enable MFA from their account settings and are provided with backup codes for account recovery. We also support "trusted device" functionality so users don't need to re-enter MFA codes on recognized devices for 30 days.

What compliance frameworks do you follow?

We are actively working towards SOC 2 Type II certification and align our security practices with NIST CSF 2.0, CIS Critical Security Controls v8.1, and OWASP Top 10. Our policies cover the five SOC 2 Trust Service Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.

How do you handle security incidents?

We maintain a formal Incident Response Plan with four severity levels (SEV-1 through SEV-4). SEV-1 incidents (active breaches) trigger a 15-minute response with all-hands mobilization. Our five-phase process covers Detection, Containment (30 min target), Eradication, Recovery, and Post-Incident Review (within 5 business days). Affected customers are notified within 72 hours of a confirmed breach.

How do you manage third-party vendor risk?

All vendors are classified into four risk tiers. Tier 1 (Critical) vendors — those processing sensitive data or hosting infrastructure — must provide SOC 2 Type II reports, data processing agreements, and undergo annual security reviews. Tier 2 (High) vendors require SOC 2 or equivalent with annual reviews. Tier 3 (Medium) vendors undergo basic security review biennially. All vendor contracts include breach notification clauses and data deletion upon termination.

What is your data retention policy?

We follow a four-level data classification system (Restricted, Confidential, Internal, Public) with defined retention periods for each data type. Rate limit data is retained for 24 hours, session data for 24 hours after expiry, audit logs for 1 year, and user account data for the duration of the account plus 30 days after deletion. We support data subject access requests (DSAR), correction, erasure, and portability.

How can I report a potential security issue?

If you discover a potential security vulnerability, please report it to support@confidion.com. We take all reports seriously and will acknowledge receipt within 24 hours. We ask that you give us reasonable time to investigate and address the issue before any public disclosure.

What uptime SLA do you offer?

Our Business Continuity Plan targets 99.5% uptime (approximately 3.6 hours of allowable downtime per month). Our Recovery Point Objective (RPO) is 4 hours and Recovery Time Objective (RTO) is 2 hours. We perform daily encrypted database backups to Amazon S3 (ca-central-1, isolated to a private bucket with public access blocked, server-side encrypted with a customer-managed AWS KMS key) with versioning enabled and a 30-day retention lifecycle. Backups include the application secrets file alongside the database dump so encrypted-at-rest fields remain restorable. Each upload includes a SHA-256 sidecar for integrity verification, and we run periodic backup restoration tests and full disaster recovery drills.

What is the Collector Agent and how is data secured?

The Collector Agent is optional software you install on your own machines to securely send local files (reports, logs, spreadsheets) to Sentry for analysis. Files are encrypted end-to-end using hybrid encryption: X25519 ECDH key exchange negotiates a shared secret, then AES-256-GCM encrypts each file before it leaves your machine. Every agent must be registered and explicitly approved by an administrator before it can transmit data. API keys are unique per agent and bcrypt-hashed on the server. Encryption keys can be rotated at any time.

How does the AI/NLP analysis work and what data is shared?

Our platform uses AI-powered analysis (via Microsoft Azure OpenAI, hosted in Canada), natural language processing (NLP), and our own proprietary data collection and processing systems to generate sentiment scores, entity extraction, threat indicators, and trending keyword analysis on your OSINT data. Analysis is triggered manually by the user — never automatically. Only the specific search results or feed items you choose to analyze are sent to AI providers. All AI-generated outputs (threat scores, sentiment, entity tags) are clearly labeled as machine-generated. Our AI Governance Policy defines human review requirements, bias assessment procedures, and transparency standards.

How is team data isolated?

Confidion Sentry enforces strict team-level data isolation. Searches, entity profiles, data feeds, crawlers, and collector data are scoped to your team (account). Users on one team cannot see or access another team's data. Granular team permissions allow team owners to control what members can do, including content blocking policies. All cross-team boundaries are enforced at the database query level and verified by our Multi-Tenancy Security Policy.

Security Updates

Recent security improvements, compliance milestones, and advisories.

Infrastructure March 2026

Trust Centre Auto-Update System

Controls, subprocessors, and security updates on the Trust Centre page are now dynamically sourced from the database, ensuring the page stays current as the platform evolves.

Compliance March 2026

Trust Centre Launch

Launched our public Trust Centre, providing transparency into our security posture, compliance efforts, and data handling practices. This page is dynamically updated as we progress towards SOC 2 Type II certification.

Infrastructure March 2026

Trust Centre Auto-Update System

Controls, subprocessors, and security updates on the Trust Centre page are now dynamically sourced from the database, ensuring the page stays current as the platform evolves.

Compliance March 2026

Trust Centre Launch

Launched our public Trust Centre, providing transparency into our security posture, compliance efforts, and data handling practices. This page is dynamically updated as we progress towards SOC 2 Type II certification.

Infrastructure March 2026

Trust Centre Auto-Update System

Controls, subprocessors, and security updates on the Trust Centre page are now dynamically sourced from the database, ensuring the page stays current as the platform evolves.

Compliance March 2026

Trust Centre Launch

Launched our public Trust Centre, providing transparency into our security posture, compliance efforts, and data handling practices. This page is dynamically updated as we progress towards SOC 2 Type II certification.

Infrastructure March 2026

Trust Centre Auto-Update System

Controls, subprocessors, and security updates on the Trust Centre page are now dynamically sourced from the database, ensuring the page stays current as the platform evolves.

Compliance March 2026

Trust Centre Launch

Launched our public Trust Centre, providing transparency into our security posture, compliance efforts, and data handling practices. This page is dynamically updated as we progress towards SOC 2 Type II certification.

Security February 2026

PII Field Encryption Service

Implemented FieldEncryptionService providing application-level encryption for PII fields with searchable blind indexes (HMAC-SHA256), supporting SOC 2 CC6.7 and C1.2 criteria.

Security February 2026

Entity Profile Encryption

Extended application-level AES-256-GCM encryption to entity profile data, adding encrypted storage with automatic encrypt/decrypt on read and write operations.

Security February 2026

Comprehensive Security Assessment

Completed an internal security review identifying areas for improvement across authentication, authorization, data protection, and infrastructure. A prioritized remediation plan has been established and is actively being executed.

Infrastructure February 2026

Security Headers & Rate Limiting

Implemented comprehensive security headers (HSTS with preload, CSP, X-Frame-Options, Referrer-Policy), rate limiting across login, registration, and API endpoints, and IP blocklist with auto-expiration.

Security February 2026

MFA & Encryption Enhancements

Deployed TOTP-based Multi-Factor Authentication with backup codes, AES-256-GCM encryption for API keys and secrets, encrypted email storage with blind indexes, and enhanced session security with fingerprinting and idle timeouts.

Security February 2026

Zero Trust Security Architecture Plan

Published a comprehensive Zero Trust Security Plan covering identity hardening, per-request authorization, end-to-end encryption, continuous monitoring, and infrastructure hardening with a 12-week implementation roadmap.

Compliance February 2026

SOC 2 Policy Framework Established

Six comprehensive security policies documented covering Information Security, Incident Response, Data Classification & Retention, Change Management, Business Continuity & DR, and Vendor Risk Management — aligned with SOC 2 Trust Service Criteria.

Security February 2026

PII Field Encryption Service

Implemented FieldEncryptionService providing application-level encryption for PII fields with searchable blind indexes (HMAC-SHA256), supporting SOC 2 CC6.7 and C1.2 criteria.

Security February 2026

Entity Profile Encryption

Extended application-level AES-256-GCM encryption to entity profile data, adding encrypted storage with automatic encrypt/decrypt on read and write operations.

Security February 2026

Comprehensive Security Assessment

Completed an internal security review identifying areas for improvement across authentication, authorization, data protection, and infrastructure. A prioritized remediation plan has been established and is actively being executed.

Infrastructure February 2026

Security Headers & Rate Limiting

Implemented comprehensive security headers (HSTS with preload, CSP, X-Frame-Options, Referrer-Policy), rate limiting across login, registration, and API endpoints, and IP blocklist with auto-expiration.

Security February 2026

MFA & Encryption Enhancements

Deployed TOTP-based Multi-Factor Authentication with backup codes, AES-256-GCM encryption for API keys and secrets, encrypted email storage with blind indexes, and enhanced session security with fingerprinting and idle timeouts.

Security February 2026

Zero Trust Security Architecture Plan

Published a comprehensive Zero Trust Security Plan covering identity hardening, per-request authorization, end-to-end encryption, continuous monitoring, and infrastructure hardening with a 12-week implementation roadmap.

Compliance February 2026

SOC 2 Policy Framework Established

Six comprehensive security policies documented covering Information Security, Incident Response, Data Classification & Retention, Change Management, Business Continuity & DR, and Vendor Risk Management — aligned with SOC 2 Trust Service Criteria.

Security February 2026

PII Field Encryption Service

Implemented FieldEncryptionService providing application-level encryption for PII fields with searchable blind indexes (HMAC-SHA256), supporting SOC 2 CC6.7 and C1.2 criteria.

Security February 2026

Entity Profile Encryption

Extended application-level AES-256-GCM encryption to entity profile data, adding encrypted storage with automatic encrypt/decrypt on read and write operations.

Security February 2026

Comprehensive Security Assessment

Completed an internal security review identifying areas for improvement across authentication, authorization, data protection, and infrastructure. A prioritized remediation plan has been established and is actively being executed.

Infrastructure February 2026

Security Headers & Rate Limiting

Implemented comprehensive security headers (HSTS with preload, CSP, X-Frame-Options, Referrer-Policy), rate limiting across login, registration, and API endpoints, and IP blocklist with auto-expiration.

Security February 2026

MFA & Encryption Enhancements

Deployed TOTP-based Multi-Factor Authentication with backup codes, AES-256-GCM encryption for API keys and secrets, encrypted email storage with blind indexes, and enhanced session security with fingerprinting and idle timeouts.

Security February 2026

Zero Trust Security Architecture Plan

Published a comprehensive Zero Trust Security Plan covering identity hardening, per-request authorization, end-to-end encryption, continuous monitoring, and infrastructure hardening with a 12-week implementation roadmap.

Compliance February 2026

SOC 2 Policy Framework Established

Six comprehensive security policies documented covering Information Security, Incident Response, Data Classification & Retention, Change Management, Business Continuity & DR, and Vendor Risk Management — aligned with SOC 2 Trust Service Criteria.

Security February 2026

PII Field Encryption Service

Implemented FieldEncryptionService providing application-level encryption for PII fields with searchable blind indexes (HMAC-SHA256), supporting SOC 2 CC6.7 and C1.2 criteria.

Security February 2026

Entity Profile Encryption

Extended application-level AES-256-GCM encryption to entity profile data, adding encrypted storage with automatic encrypt/decrypt on read and write operations.

Security February 2026

Comprehensive Security Assessment

Completed an internal security review identifying areas for improvement across authentication, authorization, data protection, and infrastructure. A prioritized remediation plan has been established and is actively being executed.

Infrastructure February 2026

Security Headers & Rate Limiting

Implemented comprehensive security headers (HSTS with preload, CSP, X-Frame-Options, Referrer-Policy), rate limiting across login, registration, and API endpoints, and IP blocklist with auto-expiration.

Security February 2026

MFA & Encryption Enhancements

Deployed TOTP-based Multi-Factor Authentication with backup codes, AES-256-GCM encryption for API keys and secrets, encrypted email storage with blind indexes, and enhanced session security with fingerprinting and idle timeouts.

Security February 2026

Zero Trust Security Architecture Plan

Published a comprehensive Zero Trust Security Plan covering identity hardening, per-request authorization, end-to-end encryption, continuous monitoring, and infrastructure hardening with a 12-week implementation roadmap.

Compliance February 2026

SOC 2 Policy Framework Established

Six comprehensive security policies documented covering Information Security, Incident Response, Data Classification & Retention, Change Management, Business Continuity & DR, and Vendor Risk Management — aligned with SOC 2 Trust Service Criteria.