Transparency is part of how we earn customer confidence. This page summarizes how CypherEra protects data, operates our platform, and progresses on independent assurance—so your security and GRC teams can evaluate us with clarity.
CypherEra is working toward ISO 27001 and SOC 2 Type II compliance. We treat certification as an outcome of disciplined controls—not a checkbox—and we will publish attestations here as they become available.
ISO 27001 — in progress
SOC 2 Type II — in progress
2026 Q1
ISO 27001 program in progress
We are mapping controls, documenting policies, and closing gaps across people, process, and technology as we work toward ISO 27001 certification.
How we protect the platform
Our security program spans people, process, and technology—the same domains we help customers govern in the cloud. The practices below reflect how we run CypherEra day to day.
Identity, authentication, and authorization
Workforce access flows through centralized identity with phishing-resistant multi-factor authentication. Production and development access use least privilege, short-lived credentials, and just-in-time elevation where administrative work is required.
Cloud and infrastructure architecture
Production workloads run on immutable environments managed as infrastructure as code. Changes pass through reviewed pipelines with automated policy checks; drift from the declared state is detected and escalated to engineering and security owners.
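To make the two mechanisms in that paragraph concrete, here is an added illustration (not CypherEra's tooling): a policy check that runs on the declared plan before merge, and a drift check that diffs the declared state against what the cloud reports. Resource names, attributes and the three rules are invented for the example; a real pipeline would source the plan from its IaC tool and the observed state from the provider API.

```python
"""Pipeline gate for an infrastructure-as-code change: policy checks on the
declared plan, plus drift detection against the observed cloud state.
Added illustration only; not CypherEra's tooling. Resource names, fields and
rules are invented for the example."""


def _version(s):
    """Parse "1.2" -> (1, 2) so TLS minimums compare numerically, not as strings."""
    return tuple(int(p) for p in s.split("."))


def policy_violations(state):
    """Return (resource, rule) pairs for resources that fail the baseline.

    Rules (constructed for the example):
      no-public-exposure           - nothing may be reachable from the internet
      encryption-at-rest-required  - every resource declares an encryption mode
      tls-1.2-minimum              - databases must not accept TLS below 1.2
    """
    findings = []
    for name, attrs in sorted(state.items()):
        if attrs.get("public"):
            findings.append((name, "no-public-exposure"))
        if attrs.get("encryption") in (None, "none"):
            findings.append((name, "encryption-at-rest-required"))
        if attrs.get("type") == "database" and _version(attrs.get("tls_min", "1.0")) < (1, 2):
            findings.append((name, "tls-1.2-minimum"))
    return findings


def detect_drift(planned, observed):
    """Diff declared state against observed state.

    unmanaged: exists in the cloud but not in code (created outside the pipeline)
    missing:   declared in code but absent from the cloud
    changed:   (resource, attribute, declared, observed) for edited attributes
    """
    drift = {
        "unmanaged": sorted(observed.keys() - planned.keys()),
        "missing": sorted(planned.keys() - observed.keys()),
        "changed": [],
    }
    for name in sorted(planned.keys() & observed.keys()):
        for key in sorted(set(planned[name]) | set(observed[name])):
            if planned[name].get(key) != observed[name].get(key):
                drift["changed"].append((name, key, planned[name].get(key), observed[name].get(key)))
    return drift


def gate(planned, observed):
    """Pipeline decision: block the merge on policy failures in the plan;
    flag drift for escalation whether or not the plan itself is clean."""
    plan_findings = policy_violations(planned)
    drift = detect_drift(planned, observed)
    return {
        "block": bool(plan_findings),
        "plan_findings": plan_findings,
        "escalate": any(drift.values()),
        "drift": drift,
    }


# Constructed sample states. PLANNED is what the code declares; OBSERVED is what
# the cloud API would report after someone made a console change and added a VM.
PLANNED = {
    "bucket/customer-exports": {"type": "bucket", "public": False, "encryption": "kms"},
    "db/primary": {"type": "database", "public": False, "encryption": "kms", "tls_min": "1.2"},
}
OBSERVED = {
    "bucket/customer-exports": {"type": "bucket", "public": True, "encryption": "kms"},
    "db/primary": {"type": "database", "public": False, "encryption": "kms", "tls_min": "1.2"},
    "vm/debug-box": {"type": "vm", "public": True, "encryption": "none"},
}

if __name__ == "__main__":
    import json
    print(json.dumps(gate(PLANNED, OBSERVED), indent=2, default=str))
```

The point of keeping the two checks separate: a clean plan can still be merged while the console-made bucket change and the unmanaged VM are escalated to an owner, and a plan that fails policy is blocked before it ever reaches the cloud.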
Continuous exposure management
We operate CypherEra against our own estates to correlate cloud, identity, and code risk in one graph. Findings are prioritized by exploitability and blast radius so remediation focuses on paths that matter—not isolated scanner noise.
Secure product development
The SDLC includes peer review, dependency and secret scanning, container image analysis, and security sign-off for material features. Threat modeling and design reviews happen early when changes touch customer data or trust boundaries.
Security awareness and culture
Employees complete recurring training on data handling, phishing, and secure engineering habits. Role-specific playbooks help support, sales, and engineering teams apply consistent practices in day-to-day work.
Logging, detection, and response
Security-relevant telemetry from corporate and production systems feeds centralized monitoring. Alerts route to on-call responders with defined runbooks; incidents are triaged, contained, and reviewed for corrective action.
Endpoint and device protection
Managed devices enforce encryption, patching, and endpoint detection. Mobile and application management policies reduce the risk of data loss from lost or compromised workstations.
Risk management
We maintain a living risk register tied to product, infrastructure, and privacy obligations. Treatment plans track owners, timelines, and residual risk so leadership can make informed tradeoffs.
Third-party and supplier assurance
Vendors that process customer or sensitive data undergo proportionate security review before onboarding and on renewal. Contracts include confidentiality, subprocessor, and breach-notification terms.
Audits, assessments, and compliance
We are working toward ISO 27001 and SOC 2 Type II compliance and engage qualified assessors for penetration testing and control validation. Findings feed back into engineering and policy updates on a defined cadence.
Encryption and key management
Data in transit uses modern TLS; data at rest is encrypted with cloud-native key management. Keys are not embedded in source code, and access to key material is restricted and audited.
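The secret scanning mentioned under secure product development and the "keys are not embedded in source code" control above are the same check seen from two sides. As an added illustration (not CypherEra's scanner), this combines the two usual detection strategies: known credential formats, and high-entropy literals assigned to secret-looking names. The regexes are simplified, and every sample line is constructed with fake values.

```python
"""Secret scanner for source and config lines: known credential formats plus
high-entropy literals assigned to secret-looking names. Added illustration,
not CypherEra's scanner; patterns and sample lines are constructed."""
import math
import re

# Provider-style formats. Simplified; a production scanner carries many more.
PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[0-9A-Za-z]{36}\b"),
    "stripe-like-live-key": re.compile(r"\bsk_live_[0-9A-Za-z]{20,}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# `<secret-ish name> = "<literal>"`. A value pulled from the environment has no
# quote directly after the `=`, so it deliberately does not match.
ASSIGNMENT = re.compile(
    r"(?i)\b(\w*(?:key|secret|password|token)\w*)\s*[=:]\s*[\"']([^\"']+)[\"']"
)


def shannon_entropy(s):
    """Bits per character; random-looking tokens sit well above 3.5."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_line(line):
    """Return the list of rule names that fire on one line (empty if clean)."""
    findings = [name for name, pat in PATTERNS.items() if pat.search(line)]
    m = ASSIGNMENT.search(line)
    if m:
        name, value = m.group(1).lower(), m.group(2)
        if "password" in name or "secret" in name:
            # Any string literal assigned to a password/secret is a finding,
            # however short: "hunter2" is still a hardcoded credential.
            findings.append("hardcoded-credential-literal")
        elif len(value) >= 16 and shannon_entropy(value) > 3.5:
            findings.append("high-entropy-literal")
    return findings


def scan(lines):
    """Return (line_number, line, findings) for every flagged line."""
    results = []
    for i, line in enumerate(lines, start=1):
        findings = scan_line(line)
        if findings:
            results.append((i, line, findings))
    return results


# Constructed sample lines; the credential-shaped values are fake.
SAMPLE_LINES = [
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',          # fake ID in the AWS format
    'github_token = "ghp_" + os.environ["GH_TOKEN"]',    # prefix only, no token
    'db_password = "hunter2"',                            # short but still hardcoded
    'api_key = "sk_live_4eC39HqLyjWDarjtT1zdp7dc"',        # fake live-key-shaped value
    'cert_path = "/etc/ssl/certs/ca-bundle.crt"',         # path, not a secret
    'signing_key = os.environ["SIGNING_KEY"]',            # read from the environment: fine
    "-----BEGIN RSA PRIVATE KEY-----",                    # key material in a file
]

if __name__ == "__main__":
    for lineno, line, findings in scan(SAMPLE_LINES):
        print(f"{lineno}: {findings}  <- {line}")
```

Run it from a pre-commit hook or CI job over changed files, and treat a true positive as a rotation event, not a cleanup: once a key has been committed it has to be considered exposed even after the line is removed from history.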
Questions about our security posture?
We are happy to walk through controls, data flows, and our ISO 27001 and SOC 2 Type II roadmap with your security and procurement teams.