Security
Built for the security review.
Every question your CIO or security officer is going to ask, answered on a public page. SOC 2 Type II, SAML SSO, SCIM, audit log, CMEK, quarterly pen-test, public subprocessor list. This is the spec; we put it on the open web so the diligence cycle is two days instead of two weeks.
Compliance
SOC 2 Type II audited annually. GDPR + CCPA compliant. PCI-DSS out of scope (we don't store card data; Stripe owns it). Public-bid government contracts supported via Enterprise tier.
Encryption
AES-256 at rest (Postgres database + Supabase Storage). TLS 1.3 minimum in transit. Customer-managed keys (CMEK) available on request for Enterprise tier.
Access control
SAML SSO via Okta, Azure AD, Google Workspace, JumpCloud, OneLogin. SCIM provisioning (push + pull). Resource-level RBAC. JIT provisioning. Audit log retention of 90 days (Pro) or unlimited (Enterprise).
Infrastructure
Multi-region active-active deployment on Vercel + Supabase. AWS us-east-1 + us-west-2 default. EU data residency available on request. Database replication + automated backup every 6h.
Reliability
99.95% uptime SLA on Enterprise (99.9% on Pro). Public status page with full incident history. SLA credits applied automatically when missed. DR tested quarterly.
Vulnerability disclosure
Coordinated disclosure with a 90-day patch window. Researchers contact security@integrateit.tech. Bug bounty in pilot for Q3 2026 launch. Pen-test every quarter (Bishop Fox).
The full spec
Twenty answers, on the record.
Each row is a question we've actually been asked by a security team in diligence. The answers don't move — if they did, we'd version this page.
| Control | Answer |
|---|---|
| SOC 2 Type II | Audited annually · report available under NDA |
| Encryption at rest | AES-256 (Postgres + Supabase Storage) |
| Encryption in transit | TLS 1.3 minimum, perfect forward secrecy |
| Customer-managed keys (CMEK) | Available on Enterprise · key rotation supported |
| SAML SSO | Okta · Azure AD · Google Workspace · JumpCloud · OneLogin · generic SAML 2.0 |
| SCIM provisioning | Push + pull · JIT user creation · group sync |
| Role-based access control | Resource-level · per-tenant · custom roles on Enterprise |
| Multi-factor authentication | TOTP · WebAuthn · enforced for admin roles |
| Audit log retention | 90 days (Pro) · unlimited (Enterprise) |
| Data residency | US-East / US-West default · EU available on request |
| Data export | Self-serve CSV + JSON · no exit fee |
| Data deletion | Immediate on request · GDPR Article 17 honored |
| Backup cadence | Continuous WAL + 6-hour full snapshots, 30-day retention |
| Disaster recovery | RPO 6h · RTO 4h · tested quarterly |
| Uptime SLA | 99.9% (Pro) · 99.95% (Enterprise) · credits automatic |
| Penetration testing | Quarterly third-party (Bishop Fox) · summary available under NDA |
| Vulnerability disclosure | Coordinated · 90-day patch window · security@integrateit.tech |
| Subprocessors | Vercel · Supabase · Anthropic · OpenAI · Stripe · published list |
| PII handling | Field-level encryption · access logged · minimal retention |
| PCI scope | Out-of-scope (Stripe handles payment data exclusively) |
Subprocessors
Every vendor that touches your data.
Published in full. Customers are notified by email 30 days before we add or replace any subprocessor on this list.
| Subprocessor | Purpose |
|---|---|
| Vercel | Application hosting + edge compute |
| Supabase | Postgres database + Storage + Auth |
| Anthropic | Primary LLM (Optimus AI agent) |
| OpenAI | Fallback LLM |
| Stripe | Billing + payment processing (PCI scope) |
| Resend | Transactional email |
| Twilio | SMS + voice notifications |
| Bishop Fox | Penetration testing + security audit |
Incident response
What happens when something goes wrong.
Public status page. Per-incident root-cause analysis published within 5 business days. SLA credits applied automatically. Customer communication cadence: detection within 5 min, customer email within 30 min, full RCA within 5 business days.
- Detect: PagerDuty alert + on-call engineer engaged (≤ 5 min)
- Notify: Status page updated + affected customers emailed (≤ 30 min)
- Resolve: Service restored to baseline (≤ 4 h, per SLA)
- RCA: Root-cause analysis published, remediation owners assigned (≤ 5 business days)
Pass the diligence in two days, not two weeks.
We answer security questionnaires in 48 hours and have SIG / CAIQ responses pre-filled.