Customers upload real operating evidence. Our brand promise is proof — so security and truthfulness are product requirements, not footnotes.
Current assurance status
Status as of July 2026. We publish exact state — not implied certifications.
| Control | Status (as of July 2026) |
| Encryption in transit (TLS) | In place via hosting (TLS for app traffic) |
| Encryption at rest | In place via managed hosting/provider defaults |
| Access control & audit logging | In place for customer workspaces (role-based access) |
| Penetration testing | In planning — not yet scheduled as a recurring independent programme |
| SOC 2 Type I / II | Not started as a completed audit; readiness work is planned. Report available under NDA when ready |
| DPA / subprocessors list | Available on request |
| Incident contact | [email protected] (subject: Security diligence) |
We do not claim completed SOC 2 or “regular penetration testing” unless dated evidence exists. Ask for the current package: [email protected].
Key controls
- Sensitive data encrypted in transit and at rest.
- Role-based access and audit logging for customer workspaces.
- Evidence handled in a secured evidence room for assessment work.
- Capture tools (where used) operate with user-controlled scope and minimal permissions.
- Security reviews are part of our release process; independent penetration tests are in planning (see status table).
Assessment data use
- Evidence you upload is used to perform your assessment and support human analyst review.
- How we handle access, retention, deletion, and subprocessors is described on this page. Contact [email protected] for a data-processing summary.
- Retention: retained for the engagement and as required by law / our Terms.
- Deletion: request deletion via [email protected]; we process reasonable requests after verifying the account and engagement.
- Subprocessors: list available on request.
- Backup & log retention: operational backups and system logs are kept on a rolling basis for reliability and security; contact us for current retention windows.
- Model & service improvement: how evidence may be used to improve our service is governed by your agreement and DPA (available on request). We do not publish a blanket “never used to train models” claim we cannot yet verify.
- You can start with safe materials: exports, screenshots, SOPs, walkthrough notes. System credentials are not required on day one.
What we will not claim
We will not publish synthetic public metrics, unqualified ROI, or integration status that has not passed production authentication and data-quality tests.
Contact
Security questionnaire, DPA, or current SOC 2 / pen-test package:
[email protected] (subject: Security diligence)