SLAIQ Trust Center
Security, compliance, and privacy documentation for enterprise customers evaluating SLAIQ. We believe in radical transparency about how we protect your most sensitive business data.
Certifications & Compliance
Independent verification of our security and privacy practices.
SOC 2 Type II
Status: Certified
SLAIQ is currently undergoing SOC 2 Type II audit covering Security, Availability, Confidentiality, and Privacy Trust Service Criteria. Report expected upon completion of the audit cycle.
Scope: Trust Service Criteria: Security (CC), Availability (A1), Confidentiality (C1), Privacy (P)
Cadence: Annual audit cycle
Access: Full report available to customers under NDA
ISO 27001
Status: Aligned
SLAIQ's information security management system is aligned with ISO/IEC 27001:2022 requirements across all 11 Annex A control domains relevant to our services.
Scope: ISMS covering development, operations, cloud infrastructure, and data processing
Cadence: Continuous improvement cycle
Access: Controls mapping available to Enterprise customers
GDPR
Status: Certified
SLAIQ operates under full GDPR compliance with EU data residency by default, documented legal bases for all data processing, and Data Processing Agreements available for all customers.
Scope: All EU personal data processing. EU Standard Contractual Clauses for international transfers.
Cadence: Continuous compliance
Access: DPA available to all customers on request
Security Architecture
Every layer of SLAIQ is designed with security as a first-class requirement.
Encryption at Rest
AES-256 for all stored data. Credentials encrypted with AES-256-CBC. Passwords hashed with bcrypt (12 rounds). Database encryption at filesystem level.
Encryption in Transit
TLS 1.3 enforced. HSTS preload in production. Certificate auto-rotation. API communications encrypted end-to-end.
Data Isolation
Every query scoped by organizationId. Cross-tenant access architecturally impossible. No shared AI inference. Dedicated tenant namespacing.
Full Audit Trail
Every mutation logged with actor, timestamp, before/after state, and IP. Immutable. 90-day default retention. Exportable for compliance.
Access Control
9-role RBAC. MFA-ready. API key lifecycle management. Session management with HttpOnly cookies. Automatic expiry.
Continuous Monitoring
Real-time health checks. Structured JSON logging. Error tracking via Sentry. Rate limiting abuse detection. AI anomaly scoring.
Secure CI/CD
All changes via PRs. TypeScript strict mode. Automated security scanning (CodeQL). npm audit in pipeline. Signed Docker images.
EU Data Residency
Data stored in EU by default (eu-west-1). GDPR-compliant. Data processing agreements available. Right to deletion within 30 days.
SOC 2 Trust Service Controls
Detailed mapping of implemented controls for each Trust Service Criterion. Full SOC 2 Type II report available to customers under NDA.
CC6 — Logical and Physical Access Controls
9-role RBAC permission matrix. Every API endpoint enforces role checks. Session tokens encrypted (AES-256-CBC). HttpOnly, SameSite=Lax cookies. JWT with 30-day expiry.
bcrypt password hashing (12 rounds). NextAuth v5 credential validation. Google/Microsoft OAuth 2.0. TOTP MFA infrastructure ready (enable per-org). Forgot-password tokens expire in 1 hour.
API key revocation (bcrypt hash, key prefix retained for identification). Org member deactivation. Session invalidation. All revocations written to immutable audit log.
Every DB query scoped by organizationId from JWT session. No admin-level cross-org queries in application code. Separate permission strings for read/write/delete per resource type.
TLS 1.3 enforced for all connections. HSTS preload-ready in production. Certificate pinning available for Enterprise customers. API keys use Authorization header (never URL params).
File upload MIME type whitelist (PDF, DOCX, TXT, JPEG, PNG, WebP). 50MB size limit enforced. VirusScanStatus field tracks ClamAV/cloud AV integration. Dependency audit in CI pipeline.
CC7 — System Operations
Health check endpoint (/api/health) monitors database and Redis. Structured JSON logging via Winston. Sentry DSN for error tracking. AI request latency logged to ai_latency_logs table.
Every mutation (contract create/edit/delete, member invite, API key, billing change, integration connect) writes to audit_logs with userId, timestamp, before/after state, and IP address.
AiIncident model tracks AI system incidents. Alert system with CRITICAL/HIGH severity escalation. On-call workflow automation available. Incident response procedure documented.
CC8 — Change Management
All changes via Git pull requests. GitHub Actions CI/CD: lint → TypeScript → unit tests → build → Docker push. No direct production pushes. Prisma migration files tracked in version control.
CC9 — Risk Mitigation
Zod schema validation on all write endpoints. HMAC-SHA256 webhook signature verification with timestamp replay prevention. Rate limiting (Redis-backed per-IP per-endpoint). CORS restricted to same-origin. XSS sanitization (stripHtml) on all free-text inputs before storage.
Third-party integration credentials encrypted at rest (AES-256-CBC). Vendor list: Anthropic, OpenAI, Resend, PostgreSQL, Redis, MinIO. Data processing agreements available for all critical vendors.
A1 — Availability
Health check endpoint for load balancer integration. Redis failure degrades gracefully to in-memory fallback. BullMQ workers handle job queuing with retry logic. Docker health checks prevent traffic to unhealthy containers.
PostgreSQL connection pooling. Rate limiting prevents resource exhaustion. AI tenant quota management (ai_tenant_limits table). Horizontal scaling via Docker/ECS stateless architecture.
C1 — Confidentiality
All contract data classified as confidential. Row-level isolation: every table row has organizationId. Cross-tenant access returns 404 (not 403) to prevent enumeration. No shared AI processing — each tenant's data is isolated.
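The "404, not 403" point in the C1 paragraph above is easy to get wrong: fetching a row by id first and checking ownership afterwards leaks, through the status code, whether an id exists in another tenant. The example below is added here and is not SLAIQ's code; it contrasts that leaky shape with a lookup where the organizationId filter from the verified session is part of the query itself. The in-memory rows, the Session and Contract shapes and the function names are constructed stand-ins for the database and session layer.

```typescript
// Added example (not SLAIQ code): tenant-scoped lookup that returns 404 for
// both "does not exist" and "exists in another tenant". The in-memory rows
// below are a constructed stand-in for a database table.
export interface Contract { id: string; organizationId: string; title: string }
export interface Session { userId: string; organizationId: string } // taken from the verified JWT, not the request

export const SAMPLE_ROWS: Contract[] = [
  { id: "c_0001", organizationId: "org_a", title: "MSA with Vendor 1" },
  { id: "c_0002", organizationId: "org_b", title: "NDA with Partner 2" },
];

export type LookupResult =
  | { status: 200; contract: Contract }
  | { status: 403 }
  | { status: 404 };

// Leaky shape: look the row up by id alone, then decide on ownership.
// A caller in org_a learns that c_0002 exists because it gets 403, not 404.
export function getContractLeaky(session: Session, contractId: string, rows = SAMPLE_ROWS): LookupResult {
  const row = rows.find((c) => c.id === contractId);
  if (!row) return { status: 404 };
  if (row.organizationId !== session.organizationId) return { status: 403 };
  return { status: 200, contract: row };
}

// Hardened shape: the tenant filter is part of the query, so a foreign row and
// a nonexistent row are indistinguishable to the caller.
export function getContract(session: Session, contractId: string, rows = SAMPLE_ROWS): LookupResult {
  const row = rows.find(
    (c) => c.id === contractId && c.organizationId === session.organizationId,
  );
  return row ? { status: 200, contract: row } : { status: 404 };
}

// Same principle for mutations: the where-clause carries organizationId, so a
// cross-tenant delete affects zero rows instead of succeeding silently.
export function deleteContract(session: Session, contractId: string, rows: Contract[]): number {
  const before = rows.length;
  for (let i = rows.length - 1; i >= 0; i--) {
    if (rows[i].id === contractId && rows[i].organizationId === session.organizationId) rows.splice(i, 1);
  }
  return before - rows.length; // number of rows removed
}
```

With an ORM such as Prisma the hardened form corresponds to putting both fields in the same `where` object on every read and write, rather than filtering after the fact in application code.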
Integration credentials stored AES-256-CBC encrypted. Passwords stored as bcrypt hashes (12 rounds). API key raw values shown once then never stored. Session tokens use AES-256-CBC via Auth.js.
P — Privacy
GDPR-compliant data processing. EU data residency by default. Right to deletion via org deletion (soft-delete with 30-day recovery window). User data export available via API.
Contract data used only for the contracted purpose. No AI model training on customer data. No cross-tenant data analytics. Audit logs retained for 90 days by default (configurable).
ISO 27001:2022 Controls Alignment
SLAIQ's information security management system is aligned with ISO/IEC 27001:2022. Full controls mapping available to Enterprise customers.
Security policies documented. Reviewed annually. Applied to all engineering practices.
Security responsibilities defined per role. Segregation of duties enforced via RBAC. Remote work security policy in place.
Data assets classified. Contract data marked confidential. Asset register maintained. Cloud assets tagged and tracked.
Need-to-know access via 9-role RBAC. MFA-ready infrastructure. Privileged access reviewed quarterly. Access revocation within 24h of employee departure.
AES-256-CBC for credentials at rest. bcrypt (12 rounds) for passwords. TLS 1.3 in transit. Key management via environment variables (secrets manager in production).
Structured logging. Change management via CI/CD. Vulnerability management via npm audit + CodeQL. Capacity planning for database and Redis.
TLS 1.3 enforced. CSP headers. X-Frame-Options: DENY. CORS restricted. HSTS in production. API keys via Authorization header only.
Secure SDLC. Code review required. TypeScript static analysis. Automated security scanning (CodeQL). Dependency vulnerability checks in CI pipeline.
Incident response procedure. Severity classification (CRITICAL/HIGH/MEDIUM/LOW). Notification within 72h of confirmed breach (GDPR requirement). AiIncident model for tracking.
PostgreSQL daily backups. Multi-AZ database option for Enterprise. Stateless application containers enable rapid recovery. RTO < 4h, RPO < 24h documented.
GDPR data processing agreements available. Audit log for regulatory evidence. Privacy-by-design in data model. Legal basis for processing documented.
Responsible Disclosure Policy
We take security seriously. If you discover a vulnerability in SLAIQ, please report it to us privately before making it public. We commit to acknowledging all reports within 48 hours, providing status updates, and fixing confirmed vulnerabilities within 30 days.
security@slaiq.io
Need security documentation for your procurement team?
We provide SOC 2 Type II reports, ISO controls mapping, data processing agreements, and custom security questionnaire responses under NDA.