Security isn't a page we bolted on. It's how we build. Third-party audits, public subprocessor list, 24-hour breach notification, and a security team that returns emails.
SOC 2 Type II attestation conducted by Prescient Assurance — a leading security and compliance attestation firm trusted by over 1,000 SaaS companies. Full attestation letter available under NDA — request via security@conduyt.app.
Download report →
Information security management system certified for three years running.
View certificate →
EU data residency, DPA, subject access requests. Named DPO on staff.
Request DPA →
BAAs for Scale and Enterprise customers. Healthcare-safe configurations.
Request BAA →
We organize our security program around five observable pillars — each with a VP-level owner and a quarterly review cadence.
AES-256 at rest. TLS 1.3 in transit. Envelope encryption with per-tenant keys, rotated every 90 days.
Zero-trust network. Just-in-time access for engineers. Every production action is logged, signed, and reviewed.
Multi-region AWS with Terraform-only changes. Immutable infra, peer-reviewed, CVE-scanned on every deploy.
Every PR gets static analysis, SCA, and peer review. Penetration tests twice yearly by external firms.
Background-checked. Annual security training. Offboarding is same-day. Named, on-call security lead 24/7.
RPO 15 minutes, RTO 4 hours. Cross-region replication. Quarterly disaster recovery drills — not hypothetical.
From request to storage, here's every layer your data touches — and what guards it.
Forward secrecy. TLS 1.2 deprecated. No cipher downgrades.
OWASP Top 10 blocked. Rate limiting per IP, per token.
Per-tenant DEK. Master key in HSM. Rotated every 90 days.
Every query scoped to tenant_id at the ORM layer. Auto-tested.
Our subprocessor list is public and updated whenever it changes. Customers are notified 30 days before any addition.
| Provider | Purpose | Data type | Location |
|---|---|---|---|
| Amazon Web Services | Primary infrastructure, storage, compute | All customer data | US-East-1 · EU-Central-1 · AP-Southeast-2 |
| Cloudflare | WAF, DDoS protection, DNS, edge caching | Request metadata | Global |
| Postmark | Transactional email delivery | Email addresses, content | US |
| Stripe | Billing & payment processing | Billing info (no card numbers) | US · EU |
| Linear | Internal engineering tickets | Support metadata (no PII) | US |
| Datadog | Observability, logs, metrics | System logs (PII redacted) | US · EU |
| Anthropic | AI summarization & drafting | Opt-in text content; not trained on | US |
| Segment | Product analytics (internal) | Aggregate usage events | US |
A real incident response playbook, not a marketing page. Every minute we commit to, we actually meet.
Automated monitoring fires. On-call security engineer paged via PagerDuty. Incident channel created.
Classify severity (SEV1–4). Isolate affected systems. Preserve evidence. Named incident commander assigned.
Engineering, security, leadership, and legal join the incident call. Status page updated. Customer communications drafted.
Direct email to affected customers' security contacts. Public status page updated. Authorities notified if required by jurisdiction.
If personal data was involved, supervisory authorities notified within 72 hours by law — we commit to 24.
Blameless RCA published on the status page. What happened, what we did, and what we're changing. No marketing copy.
We run a public bug bounty through HackerOne and pay for valid findings within 10 business days of triage. No legal threats, no retaliation, ever. We thank researchers publicly (with permission) in our hall of fame.
security@conduyt.app · PGP key below
No forms, no "contact us" walls. Click and go — the procurement team loves us for it.
Direct line to our Head of Security — no forms, no SDR gating. Most questions are resolved in one email.