Security & Trust

Your data security is our highest priority

SPHIOR is built with security-first architecture. We publish our security practices, compliance roadmap, and subprocessor list so you can evaluate our trust posture before onboarding.

SOC 2

Type I in progress

TLS 1.2+

All traffic encrypted

AES-256

Encryption at rest

GDPR

DPA available

Security Posture

How we protect your data

Transport Encryption

All traffic is encrypted with TLS 1.2+. HTTP is automatically redirected to HTTPS. HSTS headers are enforced.

Encryption at Rest

All data at rest is encrypted with AES-256. Database backups and object storage (R2) use provider-managed encryption keys.

Access Control (RLS)

Row-Level Security ensures tenant isolation at the database layer. Each customer can only access their own data. Admin endpoints are MFA-protected.

Credential Protection

Enterprise authenticated scanning uses AES-256-GCM client-side encryption with a two-layer key hierarchy derived via HKDF. Plaintext credentials exist only in memory during scan execution and are destroyed immediately afterwards.

Isolated Scan Environment

Security scanners run in ephemeral containers (AWS Lambda + Fargate) that are destroyed after each scan. No persistent state between scans.

Continuous Monitoring

Infrastructure health, scan pipeline status, and error rates are monitored 24/7 with automated alerting for anomalies.

Self-Audit

We audit ourselves with SPHIOR — every month

SPHIOR runs the same automated security scans on its own production infrastructure that it runs for customers. Every month, our production domain (sphior.app) undergoes a full external vulnerability assessment and authenticated vulnerability assessment, and the results are compiled into the same structured report our customers receive.

This means SPHIOR is both the auditor and the subject — we eat our own dogfood. Critical findings are remediated within 30 days. This practice provides continuous assurance that our scanning engine produces accurate, actionable results.

Monthly scan target: sphior.app
Scan scope: External + Authenticated assessment
Critical SLA: < 30 days
Report format: Same as customer reports
Frequency: Monthly (automated)

Compliance Roadmap

SOC 2 Type I in progress — Type II targeted Q4 2026

SPHIOR reports assist with SOC 2 Trust Services Criteria evidence collection for our customers. They are supplementary evidence — not an opinion letter. Below is the roadmap for SPHIOR's own SOC 2 certification.

Q1 2025 (Complete)

Internal security controls established

Q2 2025 (Complete)

Automated monthly self-audit with SPHIOR

Q3 2025 (In Progress)

SOC 2 Type I audit in progress

Q4 2025

SOC 2 Type I report published

Q4 2026

SOC 2 Type II certification target

Incident Response

Structured response within defined SLAs

01 Detection & Triage

Automated monitoring detects anomalies. On-call engineer triages severity.

SLA: < 1 hour

02 Containment

Isolate affected systems. Revoke compromised credentials. Preserve forensic evidence.

SLA: < 4 hours

03 Customer Notification

Affected customers are notified with impact scope and recommended actions.

SLA: < 72 hours

04 Remediation & Post-mortem

Root cause analysis, permanent fix deployed, and post-incident review published.

SLA: < 30 days

Data Retention & Deletion

Clear retention periods with right to deletion

Scan Results

13 months

Year-over-year comparison and trend analysis

PDF Reports

13 months

Audit evidence archive; encrypted in R2 (AES-256)

Database Backups

7 days PITR

Point-in-time recovery for disaster scenarios

Ephemeral Scan Payloads

0 — destroyed immediately

No persistence; container dies after execution

Account Data on Deletion

30 days

Grace period; then permanently purged from all systems

Audit Logs

12 months

Security investigation and compliance requirements

Subprocessors

Third-party providers that process data

We minimize the number of subprocessors and carefully evaluate each provider's security posture before integration. This list is updated whenever a subprocessor is added or removed.

Provider | Purpose | Location
Supabase | Database, authentication & Row-Level Security | US (AWS us-east-1)
Cloudflare | CDN, edge compute, R2 object storage, DNS, DDoS protection | Global
Vercel | Frontend hosting, serverless API routes, ISR | Global (Edge)
AWS (ap-northeast-1) | Security scanner execution in isolated containers (Lambda + Fargate) | Asia-Pacific (Tokyo)
Stripe | Payment processing, subscription billing, invoicing | US / EU
Anthropic (Claude) | AI report generation (text analysis only; no customer PII sent) | US
Resend | Transactional email delivery (monthly reports, alerts) | US

Vulnerability Disclosure

Responsible disclosure policy

We welcome security researchers to report vulnerabilities in SPHIOR's services. We commit to acknowledging reports within 3 business days, providing an initial assessment within 10 business days, and resolving confirmed vulnerabilities within 90 days.

Scope

In scope

sphior.app, app.sphior.app, API endpoints

Response SLA

Acknowledgment < 3 days, Assessment < 10 days

Fix SLA

Critical < 30 days, High < 60 days, Others < 90 days

Safe harbor

Good-faith researchers will not face legal action

Data Processing Agreement

Generate your DPA automatically

Our system generates a legally compliant DPA covering GDPR, CCPA, and APPI. Fill in the form below and your signed PDF will be ready shortly.

Last updated: 2025-05-13

Questions about our security practices? Contact security@sphior.com