This page covers our compliance posture, data handling, encryption model, subprocessors, and responsible disclosure — written for procurement teams, security reviewers, and InfoSec leads doing real due diligence.
Mutual TLS (mTLS) on all connector traffic. Certificate pinning available for regulated deployments.
Evidence packs signed with ECDSA P-256, hash-chained with SHA-256. S3 Object Lock in Compliance Mode.
BYO-KMS: you supply and rotate your own KMS key. SidentiQ cannot read evidence without your key access.
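To make the evidence-pack integrity model on this page concrete, here is an added Go example (not SidentiQ's code; the `Record` layout, field names and zero-filled genesis hash are assumptions for illustration) that hash-chains records with SHA-256 and signs each chain hash with an ECDSA P-256 key from the standard library. `VerifyChain` walks the chain the way a reviewer would: it checks that each record points at the previous record's hash, recomputes the hash from the stored bytes, and verifies the signature, returning the index of the first record that fails.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Record is one entry in a hash-chained evidence pack.
// Hypothetical layout for this example, not SidentiQ's on-disk format.
type Record struct {
	Payload  []byte // the evidence bytes themselves
	PrevHash []byte // Hash of the previous record; 32 zero bytes for the first record
	Hash     []byte // SHA-256(PrevHash || Payload)
	Sig      []byte // ASN.1 DER ECDSA P-256 signature over Hash
}

// chainHash binds a payload to everything that came before it.
func chainHash(prev, payload []byte) []byte {
	h := sha256.New()
	h.Write(prev)
	h.Write(payload)
	return h.Sum(nil)
}

// AppendRecord computes the next chain hash and signs it with the signer's key.
func AppendRecord(chain []Record, payload []byte, key *ecdsa.PrivateKey) ([]Record, error) {
	prev := make([]byte, sha256.Size) // genesis: all zeros (assumption)
	if n := len(chain); n > 0 {
		prev = chain[n-1].Hash
	}
	h := chainHash(prev, payload)
	sig, err := ecdsa.SignASN1(rand.Reader, key, h)
	if err != nil {
		return nil, err
	}
	return append(chain, Record{Payload: payload, PrevHash: prev, Hash: h, Sig: sig}), nil
}

// VerifyChain returns -1 if every record links, hashes and verifies correctly,
// otherwise the index of the first record that fails (modified, reordered or
// re-signed with a different key). Truncation of the tail is NOT detected here;
// that is what write-once storage such as Object Lock is for.
func VerifyChain(chain []Record, pub *ecdsa.PublicKey) int {
	prev := make([]byte, sha256.Size)
	for i, r := range chain {
		if !bytes.Equal(r.PrevHash, prev) {
			return i // link to predecessor broken
		}
		if !bytes.Equal(chainHash(r.PrevHash, r.Payload), r.Hash) {
			return i // stored hash does not match stored bytes
		}
		if !ecdsa.VerifyASN1(pub, r.Hash, r.Sig) {
			return i // signature invalid for this signer
		}
		prev = r.Hash
	}
	return -1
}

func main() {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	var chain []Record
	// Constructed sample evidence entries.
	for _, p := range []string{"login user=alice src=10.0.0.5", "token issued", "session closed"} {
		if chain, err = AppendRecord(chain, []byte(p), key); err != nil {
			panic(err)
		}
	}
	fmt.Println("head hash:", hex.EncodeToString(chain[len(chain)-1].Hash))
	fmt.Println("intact chain, first bad index:", VerifyChain(chain, &key.PublicKey))
	chain[1].Payload = []byte("token issued to bob") // tamper with the middle record
	fmt.Println("tampered chain, first bad index:", VerifyChain(chain, &key.PublicKey))
}
```

Two points worth noting when reviewing a design like this: a signature over the chain hash (rather than over each payload alone) means a record cannot be silently edited or reordered without every later hash changing, but the chain by itself cannot prove that the most recent records were not simply dropped; pairing it with write-once storage closes that gap. And verification only needs the public key, so a customer who holds the KMS key can check a pack without giving the vendor any further access.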
| Framework | Status | Notes |
|---|---|---|
| SOC 2 Type II | In preparation | Controls designed to SOC 2 Trust Service Criteria. Formal audit engagement planned Q3 2026. |
| FedRAMP | Not authorized | Architecture informed by FedRAMP controls. Not authorized and does not claim authorization. Do not use for FedRAMP-in-scope workloads without independent review. |
| NIST 800-53 Rev.5 | Designed-to | AC, AU, IA, and SI control families inform product design. Formal control mapping in progress; not independently assessed. |
| HIPAA | Aligned | Deployment patterns support HIPAA-aligned environments. BAA terms available for qualified deployments under signed agreement. |
| OWASP ASI | Aligned | AI-agent governance controls aligned to the OWASP Agentic Security Initiative guidelines. |
| Processor | Purpose | Data involved |
|---|---|---|
| Amazon Web Services | Control-plane hosting, evidence storage | Customer-defined; evidence packs in customer-owned S3 |
| Cloudflare | CDN and DDoS protection for public site | Public web traffic only — no identity data |
If you discover a security issue, email [email protected] with a description, reproduction steps, and your contact details. We acknowledge within 2 business days and respond substantively within 10. Please allow reasonable time to investigate before public disclosure.
We're happy to walk your team through the architecture, share control documentation, and discuss NDA evaluation terms.