Yes. We maintain a comprehensive information security program that is documented, approved and reviewed annually. Our program is aligned with industry-standard frameworks and addresses key security domains including access control, data protection, incident response, business continuity, and third-party risk management. The program is overseen by our VP of Technology, who reports directly to executive leadership.

We maintain SOC 2 Type I certification, which is independently audited annually by a qualified third-party firm. Our SOC 2 report covers the Trust Services Criteria for Security, Availability, and Confidentiality. Current and prospective customers may request a copy of our SOC 2 report under NDA by contacting our security team.

Our SOC 2 Type I audit is conducted annually and covers a 12-month observation period. The audit examines the design and operating effectiveness of our security controls. In addition to external audits, we conduct internal security assessments, vulnerability scans, and penetration tests on a regular basis to continuously validate our security posture.

Yes. We have a dedicated security team led by our VP of Technology. The security team is responsible for maintaining our information security program, conducting risk assessments, managing security incidents, overseeing third-party security, and ensuring compliance with applicable security requirements. All employees receive security awareness training upon hire and annually thereafter.

Customer data is stored in secure, SOC 2-certified data centers located in the United States. Our infrastructure providers maintain robust physical security controls, redundant systems, and environmental protections.

No. We only access and process customer data as necessary to provide the contracted services and as directed by our customers. We do not use customer data for marketing, advertising, or any other purposes beyond service delivery. Access to customer data is limited to authorized personnel who require it to perform their duties, and all access is logged and monitored.

We implement role-based access control (RBAC) across all systems, ensuring users only have access to the data and functions necessary for their job responsibilities. Access is provisioned based on the principle of least privilege and is reviewed quarterly for privileged accounts and annually for standard accounts. Access is promptly revoked upon role change or termination.

Yes. Multi-factor authentication is mandatory for all employees accessing corporate systems and production environments. MFA is also required for remote access and privileged operations. For our customers, we support and strongly encourage MFA and offer SSO integration with major identity providers.

We maintain continuous security monitoring across our infrastructure and applications. This includes centralized log aggregation and analysis, intrusion detection systems, endpoint detection and response (EDR) tools, and real-time alerting for suspicious activity. Our security team reviews alerts and investigates potential security events around the clock.

Yes. We engage qualified third-party security firms to conduct penetration testing of our external and internal environments at least annually. Testing includes network, application, and social engineering assessments. Identified vulnerabilities are prioritized based on risk and remediated according to defined timelines. Penetration test certification letters are available to customers under NDA.