Security & Compliance

Enterprise-grade security and compliance built for financial institutions and regulated industries

Compliance & Certifications

Meeting the highest standards for data security and privacy

SOC 2 Type II

Security, availability, and confidentiality

Certification Status:

In Progress: Audit scheduled for Q2 2025. Report available to Enterprise customers upon completion.

Our SOC 2 audit covers:

Security controls and monitoring
System availability and uptime
Data confidentiality measures

GDPR Compliant

EU data protection regulation

Full GDPR Compliance:

Right to access and data portability
Right to erasure ("right to be forgotten")
Data processing agreements (DPA)
Breach notification within 72 hours
Data stored in EU or Privacy Shield regions

CCPA Compliant

California Consumer Privacy Act

California Privacy Rights:

Disclosure of data collection practices
Right to opt-out of data sales
Right to deletion
No discrimination for exercising rights

Data Security Measures

Multiple layers of protection for your sensitive data

Encryption

Data in Transit:

• TLS 1.3 encryption for all communications
• HTTPS enforced across all endpoints
• Perfect Forward Secrecy (PFS) enabled
• Certificate pinning for mobile apps

Data at Rest:

• AES-256 encryption for all stored data
• Encrypted database backups
• Encrypted file storage (S3 with KMS)
• Regular key rotation

Infrastructure Security

Cloud Infrastructure:

• Hosted on AWS (SOC 2, ISO 27001 certified)
• Multi-region redundancy
• DDoS protection via CloudFlare
• Web Application Firewall (WAF)

Network Security:

• Private VPC with isolated subnets
• Intrusion detection/prevention (IDS/IPS)
• Regular penetration testing
• 24/7 security monitoring

Access Controls

Authentication:

• Multi-factor authentication (MFA) required
• SSO support (SAML, OAuth 2.0)
• Password complexity requirements
• Session timeout after inactivity

Authorization:

• Role-based access control (RBAC)
• Principle of least privilege
• Granular permission management
• Audit logs for all access events

Data Handling

Data Minimization:

• Only collect necessary information
• No credit card data stored (Stripe handles)
• Automatic data retention policies
• Secure data disposal procedures

Data Isolation:

• Customer data logically segregated
• No cross-tenant data access
• Dedicated databases for Enterprise (optional)
• Regular data integrity audits

Privacy Practices

How we handle and protect your sensitive information

What We Collect:

Account Information: Name, email, company
Usage Data: Feature usage, calculations created
Project Data: ROI calculations, framework results (encrypted)

What We DON'T Collect:

No PII in calculations: Your financial data stays anonymous
No credit card storage: All payments via Stripe
No data selling: We never sell your data to third parties
No AI training: Your data is never used to train AI models

Financial Institution Guarantee: We understand that financial institutions have heightened data sensitivity requirements. All calculation data is encrypted at rest and in transit, with optional on-premise deployment for Enterprise customers requiring air-gapped environments.

Incident Response & Business Continuity

Security Incident Response

Our incident response protocol:

Detection: 24/7 automated monitoring and alerting
Containment: Immediate isolation of affected systems
Investigation: Forensic analysis within 2 hours
Notification: Customer notification within 4 hours
Remediation: Patch deployment and system hardening
Post-Mortem: Detailed incident report to customers

Business Continuity

Ensuring 99.9% uptime:

Redundancy: Multi-region failover architecture
Backups: Hourly automated backups, 30-day retention
Disaster Recovery: RTO < 4 hours, RPO < 1 hour
Testing: Quarterly DR drills and tabletop exercises
SLA: 99.9% uptime guarantee for Enterprise
Status Page: Real-time system status at status.sengol.ai

Third-Party Vendor Security

We carefully vet all third-party services

AWS

Cloud Infrastructure

SOC 2ISO 27001PCI DSS

Stripe

Payment Processing

PCI Level 1SOC 2

Vercel

Hosting & CDN

SOC 2GDPR

Security Documentation & Contact

Available Documentation

For Enterprise customers:

• Data Processing Agreement (DPA)
• Business Associate Agreement (BAA)
• Security whitepaper
• Penetration test reports (annual)
• SOC 2 report (upon completion)

Security Team Contact

Report a Security Issue:

security@sengol.ai

Request Security Documentation:

comply@sengol.ai

Bug Bounty: We welcome responsible disclosure and offer rewards for valid security findings.

Questions About Security?

Our security team is available to answer your questions and provide additional documentation

Contact Security Team View Privacy Policy