Your data security is our highest priority
SPHIOR is built with security-first architecture. We publish our security practices, compliance roadmap, and subprocessor list so you can evaluate our trust posture before onboarding.
- SOC 2: Type I in progress
- TLS 1.2+: All traffic encrypted
- AES-256: Encryption at rest
- GDPR: DPA available
How we protect your data
Transport Encryption
All traffic is encrypted with TLS 1.2+. HTTP is automatically redirected to HTTPS. HSTS headers are enforced.
Encryption at Rest
All data at rest is encrypted with AES-256. Database backups and object storage (R2) use provider-managed encryption keys.
Access Control (RLS)
Row-Level Security ensures tenant isolation at the database layer. Each customer can only access their own data. Admin endpoints are MFA-protected.
Credential Protection
Enterprise authenticated scanning uses AES-GCM 256-bit client-side encryption with HKDF-derived two-layer key architecture. Plaintext credentials exist only in memory during scan execution and are destroyed immediately after.
Isolated Scan Environment
Security scanners run in ephemeral containers (AWS Lambda + Fargate) that are destroyed after each scan. No persistent state between scans.
Continuous Monitoring
Infrastructure health, scan pipeline status, and error rates are monitored 24/7 with automated alerting for anomalies.
We audit ourselves with SPHIOR — every month
SPHIOR runs the same automated security scans on its own production infrastructure that it runs for customers. Every month, our production domain (sphior.app) undergoes a full external vulnerability assessment and authenticated vulnerability assessment, and the results are compiled into the same structured report our customers receive.
This means SPHIOR is both the auditor and the subject — we eat our own dogfood. Critical findings are remediated within 30 days. This practice provides continuous assurance that our scanning engine produces accurate, actionable results.
Structured response within defined SLAs
1. Detection & Triage: Automated monitoring detects anomalies. On-call engineer triages severity.
2. Containment: Isolate affected systems. Revoke compromised credentials. Preserve forensic evidence.
3. Customer Notification: Affected customers are notified with impact scope and recommended actions.
4. Remediation & Post-mortem: Root cause analysis, permanent fix deployed, and post-incident review published.
Clear retention periods with right to deletion
| Data Type | Retention | Purpose |
|---|---|---|
| Scan Results | 13 months | Year-over-year comparison and trend analysis |
| PDF Reports | 13 months | Audit evidence archive; AES-256 encrypted |
| Database Backups | 7 days PITR | Point-in-time recovery for disaster scenarios |
| Ephemeral Scan Payloads | 0 — immediate | No persistence; destroyed after execution |
| Account Data on Deletion | 30 days | Grace period; then permanently purged |
| Audit Logs | 12 months | Security investigation and compliance |
Third-party providers that process data
We minimize the number of subprocessors and carefully evaluate each provider's security posture before integration. This list is updated whenever a subprocessor is added or removed.
| Provider | Purpose | Data Processed | Location |
|---|---|---|---|
| Database Provider | Data storage, authentication & access control | Account data, scan metadata, access-controlled records | US |
| CDN & Edge Provider | Content delivery, edge compute, encrypted object storage, DDoS protection | PDF reports (AES-256 encrypted), scan artifacts | Global |
| Application Host | Application hosting and request processing | No persistent customer data; ephemeral request processing | Global (Edge) |
| Cloud Infrastructure | Security scanner execution in isolated, ephemeral containers | Ephemeral scan payloads; destroyed after execution | Asia-Pacific (Tokyo) |
| Payment Processor | Payment processing, subscription billing, invoicing | Payment tokens only; SPHIOR never stores card numbers | US / EU |
| AI Provider | AI-powered report generation (text analysis only; no customer PII sent) | Anonymized scan findings → structured report text | US |
| Email Delivery | Transactional email delivery (monthly reports, alerts) | Recipient email addresses, delivery metadata | US |
Responsible disclosure policy
We welcome security researchers to report vulnerabilities in SPHIOR's services. We commit to acknowledging reports within 3 business days, providing an initial assessment within 10 business days, and resolving confirmed vulnerabilities within 90 days.
Scope
- In scope: sphior.app, app.sphior.app, API endpoints
- Response SLA: Acknowledgment < 3 days, Assessment < 10 days
- Fix SLA: Critical < 30 days, High < 60 days, Others < 90 days
- Safe harbor: Good-faith researchers will not face legal action
Generate your DPA automatically
Our system generates a legally compliant DPA covering GDPR, CCPA, and APPI. Fill in the form below and your signed PDF will be ready shortly.
Last updated: 2025-05-13
Questions about our security practices? Contact security@sphior.com
