Security & vendor risk
Pre-answered, not pre-meeting.
Your security team shouldn’t need a sales call to read our posture. Every question on the standard vendor-risk questionnaires — SIG Lite, CAIQ, common procurement annexes — has a pre-filled answer. Download the pack, forward it, and come back if anything needs clarifying.
- Data in transit & at rest: TLS 1.3 / AES-256
- Admin access: SSO via Okta / OIDC
- SOC 2 Type I: in progress · target Q4 2026
- Critical-patch SLA on production: < 24 hrs
Trust center
Artefacts on tap.
Pre-answered questionnaires
SIG Lite, CAIQ v4.0.3, and a Vendor Risk pack with 147 pre-filled responses. Download after a short NDA-click — no sales gate.
Request the pack →
Penetration test summaries
Annual external pen-test (current: Oct 2025, Bishop Fox). Executive summary + remediation log available under NDA.
Request summary →
Subprocessor list
All sub-processors, their purpose, data scope, and location. Change log with 30-day notice on additions.
View subprocessors →
DPA & SCCs
Signable DPA with EU SCCs and UK IDTA addenda. Available in click-through form for sub-$250k contracts.
Review DPA →
Control families
Every control we operate, in plain English.
Access & identity
- SSO (SAML 2.0 / OIDC) enforced for all admin consoles
- MFA required; hardware key support for privileged roles
- Quarterly access reviews; SCIM auto-deprovision on HRIS exit
- Least-privilege RBAC with audited privilege escalation
Data protection
- AES-256 at rest (db, object storage, backups); TLS 1.3 in transit
- KMS-managed keys; annual rotation with audit trail
- Customer PII segmented by tenant; no cross-tenant joins in prod
- Backups encrypted, geographically redundant, tested quarterly
Endpoint & device
- Every refurbished drive sanitised to NIST 800-88 Purge before resale
- Per-drive Certificate of Sanitisation available on request
- Chain-of-custody logs from intake → QA → ship for HIPAA/public-sector
- Staff laptops: MDM-enforced, full-disk encryption, automatic patch
Application security
- SAST (Semgrep), SCA (Dependabot + Snyk) on every pull request
- Annual third-party penetration test; remediation SLA by severity
- CSP, HSTS, subresource integrity on public-facing apps
- Audit log: every admin action retained ≥ 13 months
Infra & network
- Hosted on Hetzner (EU) + AWS (US) with region pinning per tenant
- Private VPCs; public surface restricted to CDN + load-balancer
- WAF with rate-limit, bot-mitigation, and OWASP Top-10 rulesets
- Secrets in managed KMS; no credentials in code or CI logs
Incident response
- 24/7 on-call rotation with paging & documented runbook
- Customer notification ≤ 72 hrs for confirmed data incidents
- Post-incident review (blameless) published to affected accounts
- Annual tabletop exercise; lessons-learned fed back into controls
Plain-English answers
The five questions every procurement lead asks.
Do you handle our PII?
Only what you give us in quotes, orders, and fleet tracking: ship-to contact details and IT admin emails. We don’t collect end-user device telemetry.
Where is customer data stored?
Primary: EU (Hetzner Falkenstein). US tenants: pinned to AWS us-east-1 on request. No data leaves the pinned region except for billing events routed through Stripe.
Can we audit you?
Yes. Enterprise customers (250+ units/yr or equivalent GMV) get one remote audit window per year. Larger contracts include an on-site option.
Do you resell or profile our data?
No. We don’t sell, rent, or enrich customer data with third-party sources. Aggregate inventory signals are used only to improve sourcing forecasts, never resold.
What happens to drives we trade in?
Sanitised on intake before anything else. If a drive fails sanitisation, it is physically shredded through an R2v3-certified partner. Certificates of Sanitisation or Destruction issued per serial on request.
Need the full pack?
SIG Lite + CAIQ + pen-test summary + DPA + subprocessor list, delivered as a single zip after a click-through NDA. Median response: under 1 business hour.