Security · updated Apr 2026 · v3.2

Customer data is
the whole product.

Security isn't a page we bolted on. It's how we build. Third-party audits, public subprocessor list, 24-hour breach notification, and a security team that returns emails.

Visit our Trust Center →
SOC
SOC 2 Type II
Certified

SOC 2 Type II attestation conducted by Prescient Assurance — a leading security and compliance attestation firm trusted by over 1,000 SaaS companies. Full attestation letter available under NDA — request via security@conduyt.app.

Download report →
ISO
ISO 27001
Certified

Information security management system certified for three years running.

View certificate →
GDPR
GDPR & UK-GDPR
Compliant

EU data residency, DPA, subject access requests. Named DPO on staff.

Request DPA →
HIPAA
HIPAA
Available

BAAs for Scale and Enterprise customers. Healthcare-safe configurations.

Request BAA →

Security by pillar.

We organize our security program around five observable pillars — each with a VP-level owner and a quarterly review cadence.

01 — Data

Encryption everywhere.

AES-256 at rest. TLS 1.3 in transit. Envelope encryption with per-tenant keys, rotated every 90 days.

  • Customer-managed keys (Scale+)
  • Field-level encryption for PII
  • No plaintext backups, ever
02 — Access

Least privilege, by default.

Zero-trust network. Just-in-time access for engineers. Every production action is logged, signed, and reviewed.

  • SSO + SCIM (SAML 2.0, OIDC)
  • MFA required for all staff
  • Customer-accessible audit log
03 — Infrastructure

Hardened, by design.

Multi-region AWS with Terraform-only changes. Immutable infra, peer-reviewed, CVE-scanned on every deploy.

  • Isolated customer VPCs (Enterprise)
  • DDoS protection via Cloudflare
  • Automated CIS benchmark compliance
04 — Application

Secure SDLC.

Every PR gets static analysis, SCA, and peer review. Penetration tests twice yearly by external firms.

  • Semgrep + Snyk on every commit
  • Public bug bounty via HackerOne
  • Dependency pinning + SBOM export
05 — People

The team above the tools.

Background-checked. Annual security training. Offboarding is same-day. Named, on-call security lead 24/7.

  • Mandatory phishing simulations
  • Hardware keys for all production access
  • Documented incident playbooks
06 — Resilience

Built to come back.

RPO 15 minutes, RTO 4 hours. Cross-region replication. Quarterly disaster recovery drills — not hypothetical.

  • Point-in-time restore to 35 days
  • Publicly tracked uptime (99.98%)
  • Tested failover runbooks

Data flow, in one picture.

From request to storage, here's every layer your data touches — and what guards it.

01 Client TLS 1.3 02 Edge WAF · DDoS 03 App Auth · RBAC 04 KMS Envelope keys 05 Store
In transit
TLS 1.3 + HSTS

Forward secrecy. TLS 1.2 deprecated. No cipher downgrades.

At the edge
Cloudflare WAF

OWASP Top 10 blocked. Rate limiting per IP, per token.

At rest
AES-256-GCM

Per-tenant DEK. Master key in HSM. Rotated every 90 days.

In use
Row-level isolation

Every query scoped to tenant_id at the ORM layer. Auto-tested.

Subprocessors, listed.

Public and updated whenever it changes. Customers are notified 30 days before any addition.

ProviderPurposeData typeLocation
Amazon Web ServicesPrimary infrastructure, storage, computeAll customer dataUS-East-1 · EU-Central-1 · AP-Southeast-2
CloudflareWAF, DDoS protection, DNS, edge cachingRequest metadataGlobal
PostmarkTransactional email deliveryEmail addresses, contentUS
StripeBilling & payment processingBilling info (no card numbers)US · EU
LinearInternal engineering ticketsSupport metadata (no PII)US
DatadogObservability, logs, metricsSystem logs (PII redacted)US · EU
AnthropicAI summarization & draftingOpt-in text content; not trained onUS
SegmentProduct analytics (internal)Aggregate usage eventsUS

If something goes wrong.

A real incident response playbook, not a marketing page. Every minute we commit to, we actually meet.

T+0 min
Detection

Automated monitoring fires. On-call security engineer paged via PagerDuty. Incident channel created.

T+15 min
Containment

Classify severity (SEV1–4). Isolate affected systems. Preserve evidence. Named incident commander assigned.

T+60 min
Internal all-hands

Engineering, security, leadership, and legal join the incident call. Status page updated. Customer communications drafted.

T+4 hr
Customer notification (SEV1)

Direct email to affected customers' security contacts. Public status page updated. Authorities notified if required by jurisdiction.

T+24 hr
GDPR notification window

If personal data was involved, supervisory authorities notified within 72 hours by law — we commit to 24.

T+10 days
Public post-mortem

Blameless RCA published on the status page. What happened, what we did, and what we're changing. No marketing copy.

Responsible disclosure

Found something? Tell us.

We run a public bug bounty through HackerOne and pay for valid findings within 10 business days of triage. No legal threats, no retaliation, ever. We thank researchers publicly (with permission) in our hall of fame.

security@conduyt.app · PGP key below
Bounty program
Critical$8,000
High$3,500
Medium$1,000
Low$250
View on HackerOne →

Documents, ready to send.

No forms, no "contact us" walls. Click and go — the procurement team loves us for it.

PDF
SOC 2 Type II report
Most recent · Mar 2026 · 52 pages
PDF
ISO 27001 certificate
Valid through Dec 2027
PDF
Data Processing Addendum
Standard GDPR DPA · countersigned
PDF
Penetration test report
NCC Group · Feb 2026 · summary
DOC
Security whitepaper
Architecture + controls · 24 pages
PGP
Security PGP public key
0x4F3E 8B2A · exp 2028

Questions procurement can't answer? We can.

Direct line to our Head of Security — no forms, no SDR gating. Most questions are resolved in one email.

Get started → Visit status page