Our Security Program
Security is our product.
It's also our practice.
Auditerra applies every capability we sell to our own infrastructure, people, and data. Here's exactly how we do it.
Independent Verification of Our Security Program
Every certification is independently assessed and available in our Trust Center.
SOC 2 Type II
Audited annually by independent CPA
Certified ✓

ISO 27001:2022
ISMS certified · 93 Annex A controls
Certified ✓

HIPAA
Covered entity & BA obligations met
Certified ✓

PCI-DSS SAQ-D
Payment data security validated
Certified ✓

GDPR
EU data protection obligations met
Certified ✓
Infrastructure Security
✓ Hosted on AWS with multi-region failover and 99.99% uptime SLA
✓ Infrastructure as Code (Terraform) — all changes peer-reviewed and scanned
✓ Continuous vulnerability scanning via AWS Inspector and third-party tools
✓ Cloud Security Posture Management (CSPM) with automated misconfiguration alerts
✓ DNSSEC enabled across all domains to prevent spoofing
✓ DDoS protection via AWS Shield Advanced and WAF rule sets

Data Security & Privacy
✓ AES-256 encryption at rest for all customer data
✓ TLS 1.3 enforced for all data in transit
✓ Zero Trust network architecture — no implicit access
✓ Strict role-based access control (RBAC) with least privilege enforcement
✓ Annual third-party penetration testing with public summary available
✓ Formal data retention and deletion policy with customer-controlled export

Application Security
✓ SAST and DAST scanning integrated into every CI/CD pipeline run
✓ Dependency vulnerability scanning with automated remediation alerts
✓ Credential scanning prevents accidental secrets exposure
✓ Secure coding training for all engineers (OWASP Top 10)
✓ Web Application Firewall (WAF) blocking latest threat signatures
✓ All code changes require peer review before merge — no force-push to main

Device & Endpoint Security
✓ All devices enrolled in Mobile Device Management (MDM)
✓ Full-disk encryption required on all corporate endpoints
✓ Automatic OS and security patching within 72-hour window
✓ Endpoint Detection & Response (EDR) deployed to all corporate devices
✓ MFA enforced for all internal systems and third-party SaaS tools
✓ Remote wipe capability for lost or compromised devices

Availability & Business Continuity
✓ 99.9% uptime SLA with real-time status at status.auditerra.io
✓ Multi-region active-active AWS deployment with automated failover
✓ Daily encrypted backups with point-in-time recovery capability
✓ Business Continuity Plan tested semi-annually
✓ Disaster Recovery procedures with < 4-hour RTO
✓ Incident response team on-call 24/7 with escalation runbooks

Incident Response & Disclosure
✓ Formal Incident Response Plan aligned to NIST SP 800-61
✓ Customer notification within 72 hours of any confirmed breach
✓ Security incident log maintained and reviewed quarterly
✓ Responsible vulnerability disclosure policy
✓ Bug bounty program for security researchers
✓ Post-incident root cause analysis published for material incidents

Our Sub-Processors
All sub-processors are annually assessed and bound by data processing agreements.
Amazon Web Services: Cloud Infrastructure
Cloudflare: CDN & DDoS Protection
Stripe: Payment Processing
Okta: Identity & Access Management
Datadog: Monitoring & Logging
Twilio SendGrid: Transactional Email
Jira / Atlassian: Issue Tracking
GitHub: Source Code Management
PagerDuty: Incident Management
Tenable.io: Vulnerability Scanning
CrowdStrike: Endpoint Detection & Response
Vanta: Compliance Monitoring
Responsible Disclosure
Found a security vulnerability? Report it to security@auditerra.io with a detailed description, steps to reproduce, and potential impact assessment.
Report a Vulnerability →
Auditerra Trust Center
Self-serve access to compliance certifications, security policies, penetration test summaries, and sub-processor list — no NDA required for most documents.
Visit Trust Center →