Secureframe Main | Trust Center
Secureframe Trust Center
At Secureframe, our business is in helping organizations achieve and maintain compliance, so we understand that the confidentiality, integrity, and availability of your information are crucial. This page is designed to provide you with transparency and information about how we handle your data, the measures we take to safeguard it, and our compliance with relevant regulations and industry standards.
Monitoring

Continuously monitored by Secureframe
Subprocessors

Amazon Web Services, Inc.

Hosting / Cloud Platform

Data location: United States / London

Catamorphic Co. (LaunchDarkly)

Feature Flag Management

Data location: United States

FiveTran

Data Pipeline ETL

Data location: United States

Functional Software, Inc. (Sentry)

Error tracking and resolution

Data location: United States

OneSchema

Data Import Structuring

Data location: United States

OpenAI

AI-Powered Product Features

Retool, Inc.

Customer Provisioning and Administration

Sigma Computing, Inc.

Data Analytics & Visualization

Talend

Data Pipeline ETL

Compliance

ISO 27001

GDPR

SOC 2 Type 2

CCPA

Resources

ISO 27001 certificate

Secureframe's Subprocessors

Data Processing Addendum

Privacy Policy

Terms of Service

SOC2 Report

FedRAMP 20x Authorization Data

SOC2 Report 2025

Authorized Resources

Protected

Monitoring

Change Management

Segregation of Environments
Development, staging, and production environments are segregated.
Configuration and Asset Management Policy
A Configuration and Asset Management Policy governs configurations for new sensitive systems.
Software Change Testing
Software changes are tested prior to being deployed into production.

Availability

Backup Restoration Testing
Backed-up data is restored to a non-production environment at least annually to validate the integrity of backups.
Automated Backup Process
Full backups are performed and retained in accordance with the Business Continuity and Disaster Recovery Policy.
Business Continuity and Disaster Recovery Policy
Business Continuity and Disaster Recovery Policy governs required processes for restoring the service or supporting infrastructure after suffering a disaster or disruption.

Incident Response

Lessons Learned
After any identified security incident has been resolved, management provides a "Lessons Learned" document to the team in order to continually improve security and operations.
Incident Response Plan Testing
The Incident Response Plan is periodically tested via tabletop exercises or equivalents. When necessary, Management makes changes to the Incident Response Plan based on the test results.

Organizational Management

Information Security Program Review
Management is responsible for the design, implementation, and management of the organization’s security policies and procedures. The policies and procedures are reviewed by management at least annually.
Background Checks
Background checks or their equivalent are performed before or promptly after a new hire's start date, as permitted by local laws.
Independent Advisor
The board of directors or an equivalent entity includes senior management and external advisors who are independent from the company's operations. An information security team has also been established to govern cybersecurity.
Performance Reviews
Internal personnel are evaluated via a formal performance review at least annually.

Vulnerability Management

Third-Party Penetration Test
A 3rd party is engaged to conduct a network and application penetration test of the production environment at least annually. Critical and high-risk findings are tracked through resolution.

Risk Assessment

Risk Register
A risk register is maintained, which records the risk mitigation strategies for identified risks, and the development or modification of controls consistent with the risk mitigation strategy.
Risk Assessment
Formal risk assessments are performed, which include the identification of relevant internal and external threats related to security, availability, confidentiality, and fraud, and an analysis of the risks associated with those threats.

Network Security

Endpoint Security
Company endpoints are managed and configured with a strong password policy, anti-virus, and hard drive encryption.

Access Security

User Access Reviews
System owners conduct scheduled user access reviews of production servers, databases, and applications to validate internal user access is commensurate with job responsibilities.
Encryption-in-Transit
Service data transmitted over the internet is encrypted-in-transit.
Unique Access IDs
Personnel are assigned unique IDs to access sensitive systems, networks, and information.
Access to Product is Restricted
Non-console access to production infrastructure is restricted to users with a unique SSH key or access key.
Encryption-at-Rest
Service data is encrypted-at-rest.

Communications

Communication of Critical Information
Critical information is communicated to external parties, as applicable.
Privacy Policy
A Privacy Policy is made available to both external users and internal personnel. This policy details the company's privacy commitments.
Communication of Security Commitments
Security commitments and expectations are communicated to both internal personnel and external users via the company's website.
Description of Services
Descriptions of the company's services and systems are available to both internal personnel and external users.
Terms of Service
Terms of Service or the equivalent are published or shared to external users.