Security & Compliance

How We Protect Your Data

AdverseMonitor runs under SOC 2 Type II controls, encrypts every byte in transit and at rest, and submits to annual independent penetration testing. Here's exactly how.

  • SOC 2 Type II (active): Security · Availability · Confidentiality
  • GDPR (active): EU data processor with DPA
  • HIPAA (active): BAA available on request
  • TLS 1.3 (active): all traffic encrypted in transit

Security Controls

Encryption in transit

TLS 1.2 minimum, TLS 1.3 preferred. HSTS enforced with preload. Certificates managed via automated renewal. The TLS 1.2 floor and HSTS preload rule out downgrade to plaintext HTTP or to older TLS versions.

Encryption at rest

AES-256 on all storage including databases, object storage, backups, and log archives. Encryption keys rotated per SOC 2 cadence and stored in dedicated KMS.

Access management

Principle of least privilege across all systems. Engineering access to production requires MFA and break-glass approval with time-bound sessions. All access logged immutably.

Secrets management

No secrets in source code. API keys, database credentials, and third-party tokens stored in dedicated secrets manager with rotation policies. Automated scanning blocks secret leaks at commit time.
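Commit-time secret scanning of the kind described above works by examining only the lines a commit adds and rejecting the commit when any of them looks like a credential. The following is an added example, not AdverseMonitor's tooling; the detection rules, the entropy threshold of 4.5 bits per character, and the sample diff are all constructed for illustration (the AWS key in it is the well-known documentation example, not a live credential). It parses a unified diff, tracks new-file line numbers, applies pattern rules, and falls back to an entropy heuristic for opaque tokens while ignoring low-entropy placeholders.

```python
import math
import re
import sys

# Constructed detection rules. Production scanners ship far larger rule sets;
# these three illustrate the shape: vendor-specific prefixes plus a generic
# "credential-looking assignment" pattern.
RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "generic-password-assignment": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key)\s*[:=]\s*['\"][^'\"]{8,}['\"]"
    ),
}

# Opaque tokens of 32+ characters are judged by Shannon entropy instead.
HIGH_ENTROPY_TOKEN = re.compile(r"[A-Za-z0-9+/=_\-]{32,}")
ENTROPY_THRESHOLD = 4.5  # bits per character; heuristic, tune per repository

# Constructed sample of `git diff --cached` output.
SAMPLE_DIFF = """diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,3 +1,6 @@
 import os
-AWS_KEY = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "correct-horse-battery"
+SIGNING_KEY = "q7Xf2LpA9sZv4Rk0TbN8wJmC3yHg6DuE"
+PLACEHOLDER = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
 DEBUG = False
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty or single-symbol strings)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_diff(diff_text: str) -> list:
    """Return findings for added lines of a unified diff.

    Only '+' lines inside hunks are inspected; removed lines and context are
    skipped but context still advances the new-file line counter.
    """
    findings = []
    path = None
    new_lineno = 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
            continue
        if raw.startswith("@@"):
            m = re.search(r"\+(\d+)", raw)
            new_lineno = int(m.group(1)) - 1 if m else 0
            continue
        if raw.startswith("-") or raw.startswith("diff ") or raw.startswith("index "):
            continue
        new_lineno += 1
        if not raw.startswith("+"):
            continue
        line = raw[1:]
        covered = []
        for name, rx in RULES.items():
            for m in rx.finditer(line):
                covered.append(m.span())
                findings.append({"rule": name, "path": path, "line": new_lineno, "match": m.group(0)})
        for m in HIGH_ENTROPY_TOKEN.finditer(line):
            # Skip tokens already reported by a specific rule on this line.
            if any(a <= m.start() < b for a, b in covered):
                continue
            if shannon_entropy(m.group(0)) >= ENTROPY_THRESHOLD:
                findings.append({"rule": "high-entropy-string", "path": path,
                                 "line": new_lineno, "match": m.group(0)})
    return findings


def should_block_commit(diff_text: str) -> bool:
    """Pre-commit decision: any finding blocks the commit."""
    return bool(scan_diff(diff_text))


if __name__ == "__main__":
    # Pipe `git diff --cached` into this script from a pre-commit hook;
    # without piped input it scans the constructed sample instead.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    for f in scan_diff(text):
        print(f"{f['path']}:{f['line']}: {f['rule']}: {f['match']}")
    sys.exit(1 if should_block_commit(text) else 0)
```

Scanning only added lines keeps the hook fast and avoids re-flagging history, and the entropy fallback catches credentials with no recognisable prefix while leaving repeated-character placeholders alone. A non-zero exit from the hook is what makes the commit fail, which is the "blocks at commit time" behaviour the control describes.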

Vulnerability management

Automated scanning of dependencies via GitHub Dependabot. Critical CVEs patched within 14 days, high within 30 days, medium within 90 days. Public vulnerability disclosure at [email protected].

Penetration testing

Annual independent penetration tests against the platform, API, and infrastructure. Executive summary available to customers under mutual NDA. Critical findings remediated within 30 days.

Incident response

24/7 on-call rotation for availability and security. Customer-impacting incidents disclosed within 72 hours under SLA. Root cause analysis published within 14 days. Status page at adversemonitor.com/status.

Data residency

US and EU data residency available on Defend plan. Data does not cross the boundary you select. Subprocessor list published and updated per GDPR requirements.

Backup and recovery

Daily automated backups with 30-day retention. Monthly restore drills verify recoverability. RPO 1 hour, RTO 4 hours for critical systems.

Employee security

Background checks on all employees with production access. Annual security awareness training with phishing simulations. Offboarding revokes access within 1 hour of separation.

Request Documentation

The following documents are available to customers and qualified prospects under mutual NDA:

  • SOC 2 Type II Report — current year, full 12-month coverage period
  • Penetration Test Executive Summary — latest annual third-party assessment
  • Data Processing Agreement (DPA) — GDPR Article 28 compliant
  • Business Associate Agreement (BAA) — HIPAA-covered entities
  • Information Security Policy — policy framework and control mapping
  • Subprocessor List — vendors handling customer data
  • Business Continuity and DR Plan — tested annually

Report a Security Issue

If you believe you've found a security vulnerability in AdverseMonitor, we want to hear from you. We commit to:

  • Acknowledging your report within 24 hours
  • Providing initial triage within 72 hours
  • Keeping you informed of remediation progress
  • Not pursuing legal action against good-faith researchers

Email: [email protected]
PGP Key: available on request

Security FAQ

Is AdverseMonitor SOC 2 compliant?

Yes. We operate under SOC 2 Type II controls across Security, Availability, and Confidentiality. Annual audits are conducted by an independent CPA firm, and the current report is available to customers under mutual NDA.

How is customer data encrypted?

TLS 1.2+ in transit, AES-256 at rest on all storage including databases, backups, and log archives. Encryption keys managed in dedicated KMS with rotation policies.

Who has access to customer data?

Principle of least privilege. Production access requires MFA and break-glass approval, is time-bound, and is logged immutably. No employee accesses customer alert content outside an approved incident response workflow.

Is AdverseMonitor GDPR and HIPAA compliant?

GDPR as data processor with DPA available for EU customers. HIPAA-covered customers on Protection and Defend plans can request a BAA. Data residency options on Defend plan.

How often do you conduct penetration testing?

Annual independent penetration tests against the platform, API, and infrastructure. Critical findings remediated within 30 days. Executive summary available to customers under NDA.

What is your incident disclosure policy?

Customer-impacting security incidents disclosed within 72 hours under SLA. Root cause analysis within 14 days. Status page tracks ongoing incidents at adversemonitor.com/status.