Trust & Security
Threatstealth security posture: SOC 2 Type II, ISO 27001:2022, PCI DSS v4.0 compliance status, AES-256 encryption, TLS 1.3, annual penetration testing, and vulnerability disclosure.
Threatstealth Trust & Security
Security-first architecture: AES-256-GCM encryption at rest, TLS 1.3 in transit, mandatory MFA, immutable audit logs, and annual third-party penetration tests.
- SOC 2 Type II — all five Trust Services Criteria monitored with automated evidence collection
- ISO 27001:2022 — full ISMS with 93 Annex A controls evidenced
- PCI DSS v4.0 — 300+ sub-requirements continuously validated
- Row-level tenant isolation enforced at the database layer — zero cross-customer data access
- Responsible disclosure programme — 72h acknowledgement, 90-day coordinated disclosure
Encryption Architecture: Data Protection At Rest and In Transit
All Threatstealth customer data is encrypted at rest using AES-256-GCM, the authenticated encryption standard used by the US government for classified data storage. Database encryption is applied at the storage layer and at the application layer for particularly sensitive fields (security credentials, API keys, personal data). All data in transit between Threatstealth services and between customer browsers and the platform uses TLS 1.3 — the current version of the Transport Layer Security protocol that eliminates all known cryptographic weaknesses present in TLS 1.0 and 1.1. TLS 1.0 and 1.1 are explicitly disabled. Certificate management is automated through a trusted certificate authority with rotation before expiry.
- AES-256-GCM at rest — authenticated encryption for all stored customer data at storage and application layers
- TLS 1.3 in transit — minimum TLS version enforced with TLS 1.0 and 1.1 explicitly disabled platform-wide
- Sensitive field encryption — security credentials and personal data encrypted at the application layer in addition to storage
- Automated certificate management — TLS certificates rotated automatically before expiry with no manual intervention
- Key management — cryptographic keys managed in a dedicated key management service with access controls and audit logging
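The two encryption controls above (application-layer AES-256-GCM for sensitive fields, and TLS 1.3 as the enforced minimum in transit) are shown below in Go as an added illustration; this is not Threatstealth's code, and the 32-byte key is a constructed test value standing in for a key that would come from the key management service. The example binds each sealed field to its tenant ID and field name through GCM's additional authenticated data, so a ciphertext copied between tenants or columns, or modified in the database, fails to decrypt instead of yielding wrong plaintext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/tls"
	"errors"
	"fmt"
)

// fieldAAD builds the additional authenticated data that ties a ciphertext to
// one tenant and one field. The NUL separator prevents "ab"+"c" and "a"+"bc"
// from colliding. (Assumed layout; the page does not specify one.)
func fieldAAD(tenantID, field string) []byte {
	return []byte(tenantID + "\x00" + field)
}

// EncryptField seals plaintext with AES-256-GCM. Output layout is
// nonce || ciphertext || 16-byte tag; a fresh random 96-bit nonce is used per
// call, which is what GCM requires for a given key.
func EncryptField(key []byte, tenantID, field string, plaintext []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce we pass as dst, giving nonce||ct||tag.
	return gcm.Seal(nonce, nonce, plaintext, fieldAAD(tenantID, field)), nil
}

// DecryptField reverses EncryptField. Any change to the ciphertext, tag, nonce,
// tenant ID or field name makes gcm.Open return an error rather than data.
func DecryptField(key []byte, tenantID, field string, sealed []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed field too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, fieldAAD(tenantID, field))
}

// ServerTLSConfig expresses "TLS 1.0 and 1.1 explicitly disabled" for a Go
// server: setting MinVersion to TLS 1.3 rejects every older version at the
// handshake. Certificates would be supplied separately by the automated CA flow.
func ServerTLSConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS13}
}

func main() {
	// Constructed test key: in production this comes from the KMS, never from source.
	key := make([]byte, 32)
	for i := range key {
		key[i] = byte(i)
	}
	sealed, err := EncryptField(key, "tenant-a", "api_key", []byte("sk_test_example"))
	if err != nil {
		panic(err)
	}
	if pt, err := DecryptField(key, "tenant-a", "api_key", sealed); err == nil {
		fmt.Printf("same tenant/field: %s\n", pt)
	}
	// Same key and bytes, but read in another tenant's context: authentication fails.
	if _, err := DecryptField(key, "tenant-b", "api_key", sealed); err != nil {
		fmt.Println("cross-tenant read rejected:", err)
	}
	fmt.Printf("min TLS version: %#x\n", ServerTLSConfig().MinVersion)
}
```

The tag check on a tenant mismatch is what makes this a defence in depth alongside the row-level isolation the page describes: even if a query ever returned another tenant's row, the field would not decrypt in the requesting tenant's context.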
Penetration Testing, Vulnerability Management, and Security Assessments
Threatstealth undergoes an annual third-party penetration test conducted by an accredited external security firm against all production systems, APIs, and web applications. Penetration test scope includes external network perimeter assessment, web application testing (OWASP Top 10 methodology), API security testing, multi-tenant isolation testing (attempting to access data across tenant boundaries), and authentication security testing. Critical and high findings are remediated within 30 days of the penetration test report delivery, with re-testing performed to verify remediation. Penetration test executive summaries are available to enterprise customers and prospects under NDA on request.
- Annual third-party penetration test — accredited external security firm testing all production systems annually
- Multi-tenant isolation testing — explicit penetration test scope item verifying cross-tenant data access cannot occur
- 30-day critical finding remediation — contractual commitment to remediate critical penetration test findings within 30 days
- Re-test verification — findings verified as remediated by the penetration testing firm before closure
- Executive summary availability — penetration test executive summary available to enterprise customers under NDA
Access Control, Authentication, and Privileged Access Management
Internal Threatstealth engineering and operations team access to production systems follows a zero-trust access model — no persistent privileged access, just-in-time access grants for production operations with mandatory peer approval and complete session logging. All internal accounts require hardware security key (FIDO2) multi-factor authentication — time-based one-time passwords are not accepted for production system access. Production database access requires a separate approval workflow with business justification, creates a complete audit record of all queries executed, and automatically expires after the approved time window. Background checks are performed on all employees with access to production systems or customer data.
- Zero persistent privileged access — just-in-time access grants for all production system operations
- FIDO2 hardware key requirement — hardware security key mandatory for all internal production access
- Peer approval workflow — production access requires manager or security team approval before grant
- Database query audit logging — all production database queries logged with user identity and timestamp
- Background checks — employment background verification for all staff with production or customer data access
Data Residency, Retention, and Customer Data Rights
Threatstealth stores customer data in data centres located in the European Union by default, with US and APAC data residency options available for enterprise customers with specific regulatory requirements. Data is not transferred outside the selected region except for platform operations that explicitly require it, such as CDN edge caching of static assets. Customer data retention follows the retention policy configured by the organisation administrator — security event logs are retained for the configured period (default 13 months for SOC 2 audit period alignment), after which data is permanently deleted. Customers can request a complete export of their organisation's data at any time, and can request deletion of their data upon contract termination.
- EU data residency default — all customer data stored in EU data centres unless otherwise contractually agreed
- US and APAC residency options — alternative data residency regions available for enterprise customers on request
- Configurable retention periods — organisation administrators configure data retention within regulatory bounds
- Data export on request — complete organisation data export available to administrators at any time
- Data deletion on termination — contractual commitment to delete customer data within 30 days of contract end