Security questionnaire

Pre-filled procurement security responses

18 answers to the most common buyer security questions — hosting, sub-processors, encryption, auth, audit, vulnerability management, incident response, DR, compliance, DSR, residency, PHI. CAIQ / SIG / VSAQ-style structured responses. Cuts buyer-side discovery time from weeks to a single page read. Pairs with security controls, compliance glossary, RFP template.

Audit logging

What's audited and retained?

All admin actions (login, role change, data export, configuration change) are audit-logged with timestamp, actor, action, target. Logs retained 13 months. Per-tenant audit log exportable on Enterprise tier.

→ Evidence: /en/security/

Authentication

What authentication mechanisms are supported?

Argon2id password hashing with per-tenant password policy. SAML SSO ships in the Enterprise tier (Okta, OneLogin, Azure AD, Google Workspace). SCIM provisioning roadmapped Q1 2027. 2FA / TOTP supported across all tiers.

→ Evidence: /en/security/

Authorization

Describe access controls.

Role-based access control (RBAC) per tenant. Repository pattern enforces ClientId partition key at compile time via static analyzer rule (SLATECH001). Cross-tenant data access is a structural impossibility, not a runtime check.

→ Evidence: /en/architecture/#multi-tenant-data-isolation

Backup & recovery

What are backup and DR capabilities?

Azure SQL daily backups with 35-day retention. Point-in-time recovery within last 24 hours. Qdrant snapshot to Azure Storage nightly. Multi-region failover within EU (West Europe ↔ North Europe). RTO 4 hours, RPO 1 hour. DR runbook tested quarterly with simulated region failure.

→ Evidence: /en/architecture/#disaster-recovery-posture

Compliance certifications

Which compliance frameworks does SLAtech meet?

GDPR-compliant by default. HIPAA BAA-eligible on Enterprise tier (single-tenant). SOC 2 Type I report Q3 2026 target; Type II Q2 2027. ISO 27001 certification Q4 2026 target. PCI-DSS — SAQ-A applies (no cardholder data stored).

→ Evidence: /en/compliance/

Contract artefacts

Which contract artefacts are available?

DPA, BAA, sub-processor list, SCC 2021/914 transfer-impact assessment, SoA gap-analysis mapping, vendor questionnaire (pre-filled). All available on request to [email protected]. Enterprise tier MSA customisable.

→ Evidence: /en/rfp-template/

Data residency

Can data residency be pinned to a specific region?

Multi-tenant tiers (Starter / Pro / Scale): EU-only by default; auto-failover within EU. Enterprise tier: pin to a specific Azure region (West Europe or North Europe). No data leaves the chosen region without explicit customer consent.

→ Evidence: /en/architecture/

Data subject rights

How are GDPR Articles 15-22 (DSR) honoured?

DSR portal in admin platform. Right of access (Article 15) — full data export in Markdown / JSON / PDF. Right to rectification (Article 16). Right to erasure (Article 17) — permanent deletion within 30 days. Right to portability (Article 20) — exports in machine-readable format. Right to object (Article 21) — opt-out controls per data category.

→ Evidence: /en/compliance/

Encryption at rest

How is data-at-rest encrypted?

AES-256-GCM at rest on all storage layers (SQL Server tables, Qdrant collections, Azure Blob document storage). Encryption keys managed by Azure Key Vault with annual rotation + rotation on personnel changes.

→ Evidence: /en/security/

Encryption in transit

How is data-in-transit encrypted?

TLS 1.2+ enforced on every endpoint; HSTS preload set. SSL Labs A+ rating. Internal service-to-service communication also TLS-encrypted.

→ Evidence: /en/security/

Hosting

Where is customer data hosted?

Microsoft Azure West Europe (primary) and North Europe (failover). EU-only by default; no negotiation required at signup. Enterprise tier offers single-tenant deployment pinned to a chosen Azure region.

→ Evidence: /en/architecture/#deployment-topology

Incident response

What's the incident response procedure?

6-step procedure: detection (Sentry / synthetic) → triage (status page within 10 min) → mitigation (runbook applied) → resolution → public post-mortem within 5 business days → customer follow-up with service credit. 24-hour customer notification SLA for significant incidents (NIS2 alignment).

→ Evidence: /en/uptime/

Model training

Is customer data used to train AI models?

No. Customer data is excluded from the model-training pipeline by contract and by technical isolation. Sub-processor agreements (OpenAI, Cohere) explicitly exclude customer data from their training data.

→ Evidence: /en/ethics/

PHI / PII handling

How is sensitive personal data handled?

SLAtech Medical and Legal ship an ingest-time redactor that masks Israeli national IDs, EU phone formats, medical record numbers and similar tokens before any LLM call. The redactor runs in EU infrastructure; sub-processors (OpenAI, Cohere) never see raw PHI / PII.

→ Evidence: /en/compliance/#phi-protected-health-information
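As an added illustration (example code, not SLAtech's redactor), a minimal ingest-time redactor of the kind described above: it masks Israeli national IDs (validated with the standard check digit so arbitrary 9-digit numbers are left alone), loosely matched EU international phone numbers, and medical record numbers in an assumed placeholder format ("MRN" + 6-8 digits), before the text would reach any LLM call.

```python
import re

# Added example of an ingest-time PHI/PII redactor; not SLAtech's code.
# Constructed patterns: EU phone matching is deliberately loose (+3x/+4x
# country codes), and the MRN format "MRN" + 6-8 digits is an assumed placeholder.
_EU_PHONE = re.compile(r"\+[34]\d[\d .-]{7,13}\d")
_MRN = re.compile(r"\bMRN[- ]?\d{6,8}\b")
# Israeli national ID: 9 digits, often written with a leading zero dropped.
_ISRAELI_ID = re.compile(r"(?<!\d)\d{8,9}(?!\d)")


def is_valid_israeli_id(candidate: str) -> bool:
    """Check-digit test for Israeli IDs: weights alternate 1,2 from the left,
    two-digit products are reduced by 9, and the sum must be divisible by 10."""
    digits = candidate.zfill(9)
    if len(digits) != 9 or not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(digits):
        prod = int(ch) * (1 if i % 2 == 0 else 2)
        total += prod - 9 if prod > 9 else prod
    return total % 10 == 0


def redact(text: str) -> str:
    """Mask sensitive tokens so that downstream sub-processors never see them.
    Phones and MRNs are masked first so their digit runs are not re-matched
    as candidate national IDs."""
    text = _EU_PHONE.sub("[PHONE]", text)
    text = _MRN.sub("[MRN]", text)
    # Only digit runs that pass the check digit are masked; this keeps
    # invoice numbers and similar 8-9 digit values readable.
    return _ISRAELI_ID.sub(
        lambda m: "[IL_ID]" if is_valid_israeli_id(m.group()) else m.group(),
        text,
    )


# Constructed sample input (123456782 passes the check digit; 123456789 does not).
SAMPLE = ("Patient ID 123456782, MRN-00481516, call +31 20 123 4567; "
          "invoice 123456789 is not an ID.")

if __name__ == "__main__":
    print(redact(SAMPLE))
```

A production redactor would add locale-specific formats and audit which token classes were masked per document, so that the redaction step itself is evidenced.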

Sub-processors

Which sub-processors process customer data?

OpenAI (US, LLM inference), Cohere (Canada, optional re-ranking), Sentry (US, errors), Cloudflare (global edge, WAF / CDN), SendGrid (US, email). All transfers governed by SCC 2021/914. Full list kept current within 14 days of change.

→ Evidence: /en/sub-processors/

Termination & data return

What happens to customer data on contract termination?

30-day notice for termination of convenience. On termination, customer data exportable for 90 days (Markdown / JSON knowledge content + JSONL conversation history). After 90 days, all customer data is permanently deleted from production and backups within 35 additional days.

→ Evidence: /en/rfp-template/

Vendor selection of sub-processors

Can customers veto sub-processor changes?

Customers receive 30-day notice before a new sub-processor is added. Enterprise tier customers can veto a sub-processor (with migration to a non-veto path or contract exit). Multi-tenant tiers (Starter / Pro / Scale): notice but no veto.

→ Evidence: /en/sub-processors/

Vulnerability management

Describe the vulnerability management program.

Dependabot automated dependency updates on production branch. GitHub CodeQL static analysis on every PR. Annual external penetration test (next Q4 2026). Coordinated vulnerability disclosure policy.

→ Evidence: /en/security/

Need a custom security questionnaire response?

For SIG, CAIQ, VSAQ or custom enterprise questionnaires — turnaround 2-3 business days.