Security

A security product has to hold itself to a higher bar.

We're building Secriiti to be worthy of the access it's given. This page describes how we protect customer data and the practices we follow. As an early-stage company, some items below are roadmap commitments — we mark them honestly.

Encryption everywhere

Data is encrypted in transit (TLS) and at rest using strong, industry-standard algorithms managed by our cloud provider.

Least-privilege access

Internal access to customer data is scoped, logged, and granted on a need-to-know basis. Connectors to your systems are read-only.

Tenant isolation

Customer data is logically segregated per tenant, so one organization's metadata is never commingled with another's.

Cloud infrastructure

Secriiti runs on Amazon Web Services, leveraging managed, access-controlled services and regional data handling.

Secure development

Code review, dependency scanning, and least-privilege CI/CD are part of how we ship — security shifts left, not after.

Monitoring & logging

We instrument our own systems with audit logging and anomaly monitoring — we use the discipline we sell.

Compliance roadmap

Where we are, stated plainly.

We believe early-stage companies should be honest about their compliance status rather than imply more than is true. Here is ours:

  • Data protection by design — implemented today as a core product principle.
  • SOC 2 Type II — planned. We are building controls to support an audit as we scale; we will publish status here and never claim a certification we don't hold.
  • GDPR / data subject principles — our metadata-minimization and transparency design aligns with these principles; formal tooling is on the roadmap.
  • Data residency — regional handling and configurable residency are planned for Enterprise.

No security theater

If a control isn't in place yet, we won't pretend it is. As certifications and reports become available, they'll be listed on this page with dates.

Responsible disclosure

Found a vulnerability? We want to hear it.

We welcome reports from security researchers acting in good faith. If you believe you've found a vulnerability in Secriiti:

  • Give us reasonable time to investigate and remediate before any public disclosure.
  • Avoid privacy violations, data destruction, or service degradation while testing.
  • Only interact with accounts you own or have explicit permission to test.

In return, we commit to acknowledging valid reports, keeping you updated on remediation, and not pursuing legal action against good-faith research conducted under this policy (safe harbor).

⚠ Before launch: publish your security contact

Add a monitored intake channel here (for example, a dedicated security inbox or a disclosure form) before going live. We've intentionally left it blank rather than publish an address that isn't yet monitored.