Security posture
30 controls, by domain
Single source of truth for procurement, legal, and infosec stakeholders evaluating SLAtech. Each control is marked Implemented (live now), Enterprise tier (live for the Enterprise contract shape), or Target quarter (scheduled, transparent date). Report vulnerabilities to [email protected].
Compliance
5 controls
| Control | Status |
|---|---|
| GDPR — DSR portal, DPA on request, SCC 2021/914 for sub-processor transfers | Implemented |
| HIPAA — BAA-eligible single-tenant deployment | Enterprise tier |
| SOC 2 Type I report | Q3 2026 target |
| SOC 2 Type II report | Q2 2027 target |
| ISO 27001 certification | Q4 2026 target |
Data protection
5 controls
| Control | Status |
|---|---|
| AES-256-GCM at rest, TLS 1.2+ in transit | Implemented |
| Multi-tenant logical isolation across all stores (SQL + Qdrant + blob) | Implemented |
| PHI / PII redactor at ingest (Med + Legal verticals) | Implemented |
| EU-only residency (Microsoft Azure West/North Europe) | Implemented |
| Customer data excluded from model training pipeline (contractual + technical) | Implemented |
Identity
4 controls
| Control | Status |
|---|---|
| Argon2id password hashing, configurable per-tenant password policy | Implemented |
| SAML SSO integration | Enterprise tier |
| Role-based access control (RBAC) with per-tenant roles | Implemented |
| Audit log of admin actions (login, role change, data export) | Implemented |
Network
4 controls
| Control | Status |
|---|---|
| TLS 1.2+ enforced on every endpoint; HSTS preload | Implemented |
| Cloudflare WAF in front of every host | Implemented |
| Per-tenant API rate limiting (60-6000 RPM by tier) | Implemented |
| DDoS mitigation via Cloudflare upstream | Implemented |
Observability
4 controls
| Control | Status |
|---|---|
| Sentry — every backend service emits structured errors with PII scrubbing | Implemented |
| Per-tenant audit log export | Enterprise tier |
| Real-time uptime dashboard (status.slatech.ai) | Implemented |
| Synthetic transaction monitoring (5-minute cadence) | Implemented |
Operations
4 controls
| Control | Status |
|---|---|
| GitOps deploy pipeline (audited via GitHub Actions) | Implemented |
| Pre-deploy smoke tests + post-deploy QA harness | Implemented |
| Database backups (daily, 35-day retention) | Implemented |
| Point-in-time recovery (last 24 hours) | Implemented |
Vulnerability mgmt
4 controls
| Control | Status |
|---|---|
| Dependabot — automated dependency updates on production branch | Implemented |
| GitHub CodeQL static analysis on every PR | Implemented |
| External penetration test (annual) | Q4 2026 target |
| Coordinated vulnerability disclosure policy | Published below |
Disclosure policy
Coordinated vulnerability disclosure
Report vulnerabilities to [email protected]. PGP key available on request. Our service-level commitments:
- Acknowledgement within 24 hours of receipt
- Status update within 72 hours with triage assessment
- Full triage within 7 days
- Coordinated disclosure timeline default 90 days, negotiable
We do not bring legal action against good-faith security research conducted within the bounds of this policy. We will publicly credit researchers (or anonymise on request) on closed reports.
FAQ
Procurement questions, answered
Microsoft Azure West/North Europe — EU-only by default. No data residency negotiation at signup. Enterprise tier offers single-tenant deployment for buyers requiring strict data isolation.
The Medical and Legal verticals ship an ingest-time redactor that masks Israeli national IDs, EU phone formats, medical record numbers and similar tokens before any LLM call. The redactor runs in EU infrastructure; only the masked text reaches sub-processors (all governed by SCC 2021/914).
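As an added illustration of the ingest-time redaction described above (example code written for this page, not SLAtech's own redactor), the block below masks the named token categories and returns only per-category counts, which is what an audit trail should record rather than the values themselves. The page names the categories but not the patterns, so the phone, record-number and ID patterns are assumptions: the phone pattern matches international +CC numbers generally (broader than the EU-only formats the page mentions), the `MRN-<digits>` layout is invented, and the Israeli ID check uses the public check-digit rule to avoid masking arbitrary 9-digit numbers. The sample note is constructed.

```python
import re
from typing import Dict, Tuple

# Constructed sample intake note; every identifier in it is made up.
SAMPLE_NOTE = (
    "Patient ID 123456782 (ID card), contact +972-52-123-4567 or +49 30 123456, "
    "MRN-00451234, referred by Dr. Cohen. Follow-up in 14 days."
)

# Assumed token formats (illustrative, not the product's actual rules):
#   PHONE_RE  - international numbers in +CC form with optional space/dash groups
#   MRN_RE    - an assumed "MRN-<6..10 digits>" medical record number layout
#   IL_ID_RE  - candidate 9-digit runs, confirmed by the check digit below
PHONE_RE = re.compile(r"\+\d{1,3}(?:[\s-]?\d){7,13}")
MRN_RE = re.compile(r"\bMRN-?\d{6,10}\b", re.IGNORECASE)
IL_ID_RE = re.compile(r"\b\d{9}\b")


def israeli_id_check_digit_ok(digits: str) -> bool:
    """Israeli ID check: weight digits 1,2,1,2,..., add the digits of each
    product, and require the total to be divisible by 10."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    total = 0
    for pos, ch in enumerate(digits):
        product = int(ch) * (1 if pos % 2 == 0 else 2)
        total += product if product < 10 else product - 9  # digit sum of product
    return total % 10 == 0


def redact(text: str) -> Tuple[str, Dict[str, int]]:
    """Return the masked text plus a per-category count. The counts, never the
    matched values, are what should reach logs or the audit trail."""
    counts: Dict[str, int] = {"PHONE": 0, "MRN": 0, "IL_ID": 0}

    def masker(label: str):
        def _sub(m):
            counts[label] += 1
            return f"[{label}]"
        return _sub

    def mask_il_id(m):
        # Only mask digit runs that pass the check digit; other 9-digit
        # numbers are left untouched to limit false positives.
        if not israeli_id_check_digit_ok(m.group(0)):
            return m.group(0)
        counts["IL_ID"] += 1
        return "[IL_ID]"

    # Order matters: phones go first so their digit groups are gone before the
    # bare 9-digit ID pattern runs; record numbers carry their own prefix.
    text = PHONE_RE.sub(masker("PHONE"), text)
    text = MRN_RE.sub(masker("MRN"), text)
    text = IL_ID_RE.sub(mask_il_id, text)
    return text, counts


def prepare_for_llm(text: str) -> str:
    """Ingest boundary: only the masked text is allowed to leave for an LLM call."""
    masked, _counts = redact(text)
    # A real pipeline would write `_counts` (no values) to the audit log here.
    return masked


if __name__ == "__main__":
    masked_note, category_counts = redact(SAMPLE_NOTE)
    print(masked_note)
    print(category_counts)
```

The ordering of the three passes is the part worth copying: running the least specific pattern (a bare digit run) last, after the prefixed and delimited tokens are already masked, keeps the check-digit validator from ever seeing fragments of a phone number.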
Type I report targeted for Q3 2026; Type II to follow (Q2 2027). Until then, the operational controls listed on this page are independently auditable on request. ISO 27001 certification targeted for Q4 2026.
Report vulnerabilities to [email protected] (PGP key available on request). We acknowledge within 24 hours, provide a status update within 72 hours, and aim for full triage within 7 days. Coordinated disclosure timeline is 90 days unless mutually agreed otherwise.
An external penetration test runs annually (next: Q4 2026). The executive summary ships to Enterprise customers under NDA. Detailed findings are available to buyers procuring above €50k ACV after NDA execution.
Yes — SAML SSO ships in the Enterprise tier with support for Okta, OneLogin, Azure AD, Google Workspace. SCIM provisioning is on the roadmap for Q1 2027.
Need a custom controls walkthrough?
Enterprise procurement teams get a 60-min security questionnaire walkthrough on request.