Trust Center

One URL for your InfoSec, legal & procurement teams

SOC 2 Type II, ISO 27001, HIPAA, GDPR, sub-processors, pen-test summary, MSA / DPA / BAA — every document your security and legal teams will ask for, in one place. Forward this URL to them.

All systems operational
Trust pack v2026.1
Last SOC 2 audit: 2025 Q4
Last penetration test: 2026 Q1
Active sub-processors: 12 (named)
Avg. CVE patch time: < 2 hours
Avg. legal review: 3–5 days
P1 incident SLA: < 15 min
Uptime (rolling 12 mo.): 99.97%
Last reviewed: Quarterly
Certifications & Standards

Audited, certified, and continuously assessed

SOC 2 Type II (Audited)

Annual independent audit covering Security, Availability, Confidentiality.

ISO 27001 (Aligned)

Information Security Management System (ISMS) aligned to ISO/IEC 27001:2022.

HIPAA (BAA on request)

Business Associate Agreement available for healthcare workloads.

GDPR (Compliant)

EU DPA, Standard Contractual Clauses (SCCs), and named sub-processors list.

CCPA / CPRA (Compliant)

California consumer privacy rights honoured for in-scope engagements.

AWS Partner (Advanced Tier)

Advanced Tier Services Partner — well-architected, security competency.

How we operate

Seven controls that turn compliance into operational reality

Security operations

Defence-in-depth architecture and 24/7 monitoring on every enterprise environment.

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Centralised key management with hardware-backed roots
  • 24/7 SOC monitoring + SIEM with audit-log streaming to your stack
  • Quarterly third-party penetration tests; executive summary on request

Privacy & data protection

Data residency and sub-processor transparency before a single record moves.

  • Data residency options: EU, US, and India regions
  • Named sub-processors list maintained and version-controlled
  • GDPR Art. 28 DPA; EU SCCs included; right-to-be-forgotten workflows
  • Customer data segregation and tenant isolation controls

Identity & access

We meet your identity stack — not the other way around.

  • SAML 2.0 and OIDC SSO with your IdP (Okta, Entra ID, Ping)
  • SCIM 2.0 user provisioning + de-provisioning
  • Role-based access control with quarterly access reviews
  • IP allow-listing and MFA enforcement on every environment

Incident response

Documented runbooks and contractual SLAs you can hold us to.

  • 24/7/365 P1 acknowledgement under 15 minutes
  • Customer notification within 72 hours of confirmed breach
  • Post-incident review with root-cause analysis and remediation plan
  • Tabletop exercises and runbook drills run quarterly

Business continuity

Survivable architecture with tested disaster recovery.

  • 99.95% uptime SLA on enterprise programs (contractual remedies)
  • Multi-AZ active-active by default; multi-region on request
  • Backups: encrypted, 30-day retention, restore tests every quarter
  • RTO ≤ 4h, RPO ≤ 15min on tier-1 workloads

Vendor & supply-chain risk

We treat our vendors the way we expect to be treated.

  • Sub-processor due diligence: SOC 2 / ISO 27001 evidence collected
  • Sub-processor change notifications with 30-day right-to-object window
  • Software supply-chain: SBOMs, dependency scanning, signed artifacts
  • Open-source license compliance review on every release

AI-era security

LLM features bring new attack surfaces. We treat them as production systems with real guardrails.

  • Prompt-injection defenses on every LLM-powered endpoint (input filtering + output validation)
  • Secrets and PII isolated from agent context — models never see what they do not need
  • MCP servers authenticated at boundary; per-tool scoped permissions with audit logs
  • Human-in-the-loop approval gates on high-risk agent actions (refunds, deletions, external comms)

Defense in depth, in practice

The operational machinery behind the compliance checkboxes

Compliance frameworks describe what should be true. These are the systems we actually run to make them true on every production environment we maintain — visible, measurable, and reviewed every quarter.

Continuous threat monitoring

Every 10 minutes, on every production box.

A custom server-guard daemon runs across our production fleet checking for new SSH keys, unexpected listening ports, executables in temp directories, password-based logins, and unexplained crontab changes. Anomalies route to a dedicated incident Slack channel in real time. No analyst dashboard to forget to check — alerts come to where the on-call engineer already is.

  • Six independent signal checks running every 10 minutes per host
  • Slack + email alerts on any anomaly, with the host and finding inline
  • Quarterly tabletop exercises validate the alert routing and response runbook
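The six-signal check described above can be reduced to a baseline-diff: record what a reviewed host looks like, re-collect on a timer, and alert on anything that changed. The block below is an added example written for this page, not the server-guard daemon the page describes. It assumes a Linux host with `ss`, OpenSSH-style auth.log lines, and /tmp and /var/tmp as the watched temp directories; all sample data in it is constructed.

```python
"""Baseline-diff host checks (added example, not the page's server-guard daemon).

Assumptions not on the page: a Linux host, `ss -Hltn` for listening sockets,
OpenSSH-style auth.log lines, /tmp + /var/tmp as watched temp directories.
All sample data below is constructed.
"""
import hashlib
import os
import re
import subprocess
from pathlib import Path

PASSWORD_LOGIN = re.compile(r"Accepted password for (\S+) from (\S+)")

def key_fingerprints(authorized_keys_text: str) -> set[str]:
    """One short SHA-256 fingerprint per key line; blanks and comments are ignored."""
    fps = set()
    for line in authorized_keys_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            fps.add(hashlib.sha256(line.encode()).hexdigest()[:16])
    return fps

def parse_listening_ports(ss_output: str) -> set[str]:
    """Parse `ss -Hltn` rows ('LISTEN 0 128 0.0.0.0:22 0.0.0.0:*') into 'addr:port'."""
    ports = set()
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) >= 4 and cols[0] == "LISTEN":
            ports.add(cols[3])
    return ports

def password_logins(auth_log: str) -> list[str]:
    """'user@source' for every password-based SSH login found in the log text."""
    return [f"{m.group(1)}@{m.group(2)}" for m in PASSWORD_LOGIN.finditer(auth_log)]

def build_snapshot(keys: str, ss_output: str, crontab: str, auth_log: str,
                   temp_executables: list[str]) -> dict:
    """Normalise the raw signals into a snapshot that can be diffed against a baseline."""
    return {
        "ssh_keys": key_fingerprints(keys),
        "listening": parse_listening_ports(ss_output),
        "crontab": hashlib.sha256(crontab.encode()).hexdigest(),
        "password_logins": password_logins(auth_log),
        "temp_executables": sorted(temp_executables),
    }

def diff_snapshots(baseline: dict, current: dict) -> list[str]:
    """Findings to route to the on-call channel; an empty list means the host is clean."""
    findings = []
    for fp in sorted(current["ssh_keys"] - baseline["ssh_keys"]):
        findings.append(f"new authorized_keys entry: {fp}")
    for sock in sorted(current["listening"] - baseline["listening"]):
        findings.append(f"unexpected listening socket: {sock}")
    if current["crontab"] != baseline["crontab"]:
        findings.append("crontab content changed")
    for login in current["password_logins"]:
        findings.append(f"password-based SSH login: {login}")
    for path in current["temp_executables"]:
        findings.append(f"executable in temp dir: {path}")
    return findings

def _read(path: str) -> str:
    try:
        return Path(path).read_text()
    except OSError:  # missing or unreadable; run as root for full coverage
        return ""

def _run(cmd: list[str]) -> str:
    try:
        return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    except OSError:  # tool not installed on this host
        return ""

def collect_snapshot(auth_log_path: str = "/var/log/auth.log",
                     temp_dirs: tuple[str, ...] = ("/tmp", "/var/tmp")) -> dict:
    """Gather the live signals from this host (Linux only)."""
    key_files = [Path("/root/.ssh/authorized_keys"), *Path("/home").glob("*/.ssh/authorized_keys")]
    keys = "".join(_read(str(p)) for p in key_files)
    execs = []
    for d in temp_dirs:
        for f in Path(d).rglob("*"):
            try:
                if f.is_file() and os.access(f, os.X_OK):
                    execs.append(str(f))
            except OSError:
                continue
    return build_snapshot(keys, _run(["ss", "-Hltn"]), _run(["crontab", "-l"]),
                          _read(auth_log_path), execs)

# Constructed sample: a reviewed baseline, then the same host later with five anomalies.
BASE_KEYS = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleDeployKeyBody deploy@ci\n"
BASE_SS = "LISTEN 0 128 0.0.0.0:22 0.0.0.0:*\nLISTEN 0 511 0.0.0.0:443 0.0.0.0:*\n"
BASE_CRON = "0 3 * * * /usr/local/bin/backup.sh\n"
BASE_AUTH = "May  3 02:14:07 web1 sshd[2231]: Accepted publickey for deploy from 10.0.0.5 port 51022 ssh2\n"
BASELINE = build_snapshot(BASE_KEYS, BASE_SS, BASE_CRON, BASE_AUTH, [])
CURRENT = build_snapshot(
    BASE_KEYS + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABExampleUnknownKeyBody unknown@laptop\n",
    BASE_SS + "LISTEN 0 128 0.0.0.0:4444 0.0.0.0:*\n",
    BASE_CRON + "*/5 * * * * /tmp/.cache/update\n",
    BASE_AUTH + "May  3 02:20:41 web1 sshd[2290]: Accepted password for root from 203.0.113.9 port 40112 ssh2\n",
    ["/tmp/.cache/update"],
)

def demo() -> list[str]:
    """Diff the constructed pair; live use is diff_snapshots(saved_baseline, collect_snapshot())."""
    return diff_snapshots(BASELINE, CURRENT)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Persist `collect_snapshot()` as the host's baseline after a reviewed deploy, run the diff from a 10-minute timer, and forward any non-empty list to the alert channel with the hostname inline. The baseline is the reviewed allow-list, so every finding is a change somebody has to account for; re-baselining is itself a change that should go through review.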

Measured CVE response

90 minutes — full patch deployment across 8 Next.js apps for GHSA-26hh-7cqf-hhc6, May 2026.

We track every CVE response we run end-to-end: disclosure time, patch availability, internal inventory check, code change, build, deploy, verification. The numbers are not aspirational — they are reviewed in a quarterly engineering retrospective. When we say "P1 in under 15 minutes" we have receipts.

  • Per-app dependency inventory updated nightly — answers "are we affected" in seconds
  • Patch ships from main, never directly on production — preserves audit trail and rollback path
  • Post-incident retro within 5 business days; runbook updates fed back into the next response

Supply-chain hygiene

Zero plaintext credentials in any production system configuration.

Every production server pulls from GitHub using scoped per-repo SSH deploy keys. No personal access tokens stored in git remotes, environment files, or shell history. Secrets are managed through a hardened vault and injected at process start. The cost of doing this right pays itself back the first time you discover a stale token in a config file from a forgotten contractor.

  • Per-repo SSH deploy keys instead of organization-wide personal access tokens
  • Pre-commit secret scanning blocks credentials from entering the repo in the first place
  • Quarterly credential rotation with documented break-glass procedures for emergencies
  • SBOM generated on every release; dependency CVEs polled every 6 hours against installed manifest
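The pre-commit secret scanning and vault-injection points above, as an added example that is not the page's own hook: a scanner over `git diff --cached -U0` that matches documented fixed-prefix token formats on added lines only and exits non-zero so the commit is refused. The hook path, the allow-list marker and the sample diffs are assumptions constructed for this example; the AWS key id in the sample is the placeholder value from AWS's own documentation.

```python
"""Pre-commit secret scan over staged changes (added example, not the page's own hook).

Assumptions not on the page: installed as (or called from) .git/hooks/pre-commit and
fed by `git diff --cached -U0`. The sample diffs below are constructed.
"""
import re
import subprocess
import sys

# Rule name -> regex. Limited to well-known fixed-prefix formats so false positives stay low.
RULES = {
    "AWS access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "GitHub personal access token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private key block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
}

ALLOWLIST_MARKER = "# secret-scan: allow"  # explicit, reviewable opt-out for test fixtures

def mask(token: str) -> str:
    """Show just enough of a match to locate it without echoing the secret into hook output."""
    return token[:6] + "..." + token[-2:] if len(token) > 10 else "***"

def scan_diff(diff_text: str) -> list[tuple[str, str, str]]:
    """(file, rule, masked match) for every secret on an added line of a unified diff."""
    findings = []
    current_file = "<unknown>"
    for line in diff_text.splitlines():
        if line.startswith("+++ "):          # new-side file header, e.g. '+++ b/config/app.env'
            current_file = line[4:].removeprefix("b/")
            continue
        if not line.startswith("+") or ALLOWLIST_MARKER in line:
            continue                          # context/removed lines and allow-listed fixtures
        added = line[1:]
        for rule, pattern in RULES.items():
            for m in pattern.finditer(added):
                findings.append((current_file, rule, mask(m.group(0))))
    return findings

def staged_diff() -> str:
    """Unified diff of what is about to be committed (-U0: changed lines only)."""
    return subprocess.run(["git", "diff", "--cached", "-U0"],
                          capture_output=True, text=True, check=True).stdout

def main() -> int:
    """Hook entry point: non-zero exit makes git refuse the commit."""
    findings = scan_diff(staged_diff())
    for path, rule, hint in findings:
        print(f"BLOCKED {path}: {rule} ({hint})", file=sys.stderr)
    return 1 if findings else 0

# Constructed sample: one staged .env change carrying two credentials ...
SAMPLE_DIFF = """\
diff --git a/config/app.env b/config/app.env
--- a/config/app.env
+++ b/config/app.env
@@ -1,2 +1,4 @@
 DB_HOST=db.internal
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+GITHUB_TOKEN=ghp_0123456789abcdef0123456789abcdef0123
 LOG_LEVEL=info
"""

# ... and the same change done the page's way: a reference resolved from the vault at start.
CLEAN_DIFF = """\
diff --git a/config/app.env b/config/app.env
--- a/config/app.env
+++ b/config/app.env
@@ -1,2 +1,3 @@
 DB_HOST=db.internal
+AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}
"""

if __name__ == "__main__":
    sys.exit(main())
```

Wire it in with a one-line .git/hooks/pre-commit that runs this script, or through a pre-commit framework. Keep the allow-list marker visible in code review rather than letting people bypass the hook, and treat the fixed-prefix rules as a floor that a fuller scanner with entropy checks builds on; the masked hint is deliberate so the hook's own output never becomes a second copy of the secret.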

Latest CVE response

Next.js GHSA-26hh-7cqf-hhc6 — middleware bypass via segment-prefetch routes, May 2026
Patched across 8 production Next.js deployments in 90 minutes from advisory disclosure.

Document library

The forms, reports, and contracts your team will ask for

Most documents are available the same day on a signed mutual NDA. Standard templates are public; signed reports require an NDA on file before distribution.

  • SOC 2 Type II report: latest Type II report covering Security, Availability, Confidentiality. Available on signed mutual NDA.
  • ISO 27001 certificate: current certificate of registration with scope statement. Public; request a copy.
  • CAIQ + SIG-Lite: pre-completed Cloud Security Alliance and Shared Assessments questionnaires. Available on signed mutual NDA.
  • Penetration test summary: executive summary of the latest external pen-test, on request; full report under NDA.
  • Master Service Agreement (MSA): standard template; your redlines welcome on routine clauses. Available on request.
  • Data Processing Agreement (DPA): GDPR Art. 28 compliant; EU Standard Contractual Clauses included. Available on request.
  • Business Associate Agreement (BAA): for HIPAA-regulated workloads. Available on request.
  • Sub-processors list: named third-party services we use, their function, and country of processing. Public; view the current list.

Sub-processors

Named list of every third party that processes customer data on our behalf — function, scope, and country of processing. Updated whenever the list changes; 30-day notice on additions.


Data residency

Choose where your data lives: EU (Frankfurt / Dublin), US (Virginia / Oregon), or India (Mumbai). Cross-region replication only with explicit consent.


Responsible disclosure

Found a vulnerability? Email us with reproduction steps — we acknowledge within 24 hours, triage within 72, and recognise your contribution publicly when remediated.


Need something not listed here?

Most enterprise security teams complete review using the package above. If your team has a specific framework (FedRAMP, PCI-DSS, NIST CSF, FFIEC, MAS-TRM), reach out — we'll meet you where you are.