Trust & Compliance

Built for environments that cannot afford to guess.

This page covers our compliance posture, data handling, encryption model, subprocessors, and responsible disclosure. It is designed for procurement teams, security reviewers, and InfoSec leads doing due diligence.

What data we handle

What stays in your environment
  • Identity event payloads (who, what, when)
  • Pre-state and post-state of target systems
  • Evidence packs (written to your S3 bucket)
  • Encryption keys (BYO-KMS, customer-held)
  • All connector credentials and API tokens

What reaches the SidentiQ control plane
  • Policy evaluation requests (anonymised by default)
  • Connector health telemetry
  • Execution status signals
  • No raw identity data by default configuration

Encryption & key ownership

In transit

Mutual TLS (mTLS) on all connector traffic. Certificate pinning available for regulated deployments.

At rest

Evidence packs are signed with ECDSA P-256 and hash-chained with SHA-256, and are stored under S3 Object Lock in Compliance Mode.

Key ownership

BYO-KMS: customer supplies and rotates their own KMS key. SidentiQ cannot read evidence without customer-provided key access.
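To make the integrity model above concrete, here is an added example (not SidentiQ's code, and not its real evidence-pack format) of a signed, hash-chained evidence log in Go using only the standard library. Each record carries the SHA-256 of its predecessor, its own SHA-256 over that link plus the payload, and an ECDSA P-256 signature over that hash; the record layout, field names and sample payloads are assumptions constructed for illustration. Verification needs only the public key, which is what lets the customer hold the private key while a reviewer still checks the pack.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Entry is one record of a hash-chained evidence pack. This layout is an
// assumption for illustration, not SidentiQ's actual on-disk format.
type Entry struct {
	Payload  []byte // the evidence record (e.g. pre-state / post-state JSON)
	PrevHash []byte // hash of the previous entry; all-zero for the first entry
	Hash     []byte // SHA-256(PrevHash || Payload)
	Sig      []byte // ASN.1-encoded ECDSA P-256 signature over Hash
}

// entryHash links an entry to its predecessor: H = SHA-256(prev || payload).
func entryHash(prev, payload []byte) []byte {
	h := sha256.New()
	h.Write(prev)
	h.Write(payload)
	return h.Sum(nil)
}

// NewSigningKey generates an ECDSA P-256 key locally. In a BYO-KMS deployment
// the private half would live in the customer's KMS; only the public key is
// needed to verify a pack.
func NewSigningKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// AppendEntry computes the chained hash for payload, signs it and appends it.
func AppendEntry(chain []Entry, payload []byte, key *ecdsa.PrivateKey) ([]Entry, error) {
	prev := make([]byte, sha256.Size) // all-zero genesis link for the first entry
	if len(chain) > 0 {
		prev = chain[len(chain)-1].Hash
	}
	hash := entryHash(prev, payload)
	sig, err := ecdsa.SignASN1(rand.Reader, key, hash)
	if err != nil {
		return nil, err
	}
	return append(chain, Entry{Payload: payload, PrevHash: prev, Hash: hash, Sig: sig}), nil
}

// VerifyChain re-derives every link and checks every signature. It returns the
// index of the first entry that fails, or -1 if the whole chain is intact.
func VerifyChain(chain []Entry, pub *ecdsa.PublicKey) int {
	prev := make([]byte, sha256.Size)
	for i, e := range chain {
		if !bytes.Equal(e.PrevHash, prev) { // broken linkage (reordered or spliced records)
			return i
		}
		if !bytes.Equal(e.Hash, entryHash(e.PrevHash, e.Payload)) { // payload edited in place
			return i
		}
		if !ecdsa.VerifyASN1(pub, e.Hash, e.Sig) { // hash rewritten without the signing key
			return i
		}
		prev = e.Hash
	}
	return -1
}

// BuildSampleChain creates a three-entry pack from constructed sample records.
func BuildSampleChain(key *ecdsa.PrivateKey) ([]Entry, error) {
	records := []string{ // constructed sample payloads, not real customer data
		`{"event":"role.grant","actor":"alice","target":"svc-billing","ts":"2026-01-10T09:00:00Z"}`,
		`{"event":"pre-state","target":"svc-billing","roles":["reader"]}`,
		`{"event":"post-state","target":"svc-billing","roles":["reader","writer"]}`,
	}
	var chain []Entry
	for _, r := range records {
		var err error
		if chain, err = AppendEntry(chain, []byte(r), key); err != nil {
			return nil, err
		}
	}
	return chain, nil
}

func main() {
	key, err := NewSigningKey()
	if err != nil {
		panic(err)
	}
	chain, err := BuildSampleChain(key)
	if err != nil {
		panic(err)
	}
	fmt.Println("intact chain, first bad index:", VerifyChain(chain, &key.PublicKey))
	fmt.Println("head hash:", hex.EncodeToString(chain[len(chain)-1].Hash))

	// Edit the middle record: its stored hash no longer matches, so index 1 fails.
	chain[1].Payload = []byte(`{"event":"pre-state","target":"svc-billing","roles":["reader","writer"]}`)
	fmt.Println("edited payload, first bad index:", VerifyChain(chain, &key.PublicKey))
}
```

Two points worth noting when reviewing a design like this. First, the chain detects in-place edits, reordering and splicing, but a pack truncated at its tail is still internally consistent; detecting deletion is what the Object Lock in Compliance Mode and a separately recorded head hash are for. Second, because only the public key is needed by VerifyChain, a reviewer can validate evidence without ever holding the customer's KMS key, which is the property the BYO-KMS statement above depends on.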

Compliance posture

Framework | Status | Notes
SOC 2 Type II | In preparation | Controls designed to SOC 2 Trust Service Criteria. Formal audit engagement planned Q3 2026.
FedRAMP | Not authorized | Architecture informed by FedRAMP controls. Not authorized and does not claim authorization. Do not use for FedRAMP-in-scope workloads without independent review.
NIST 800-53 Rev. 5 | Aligned | AC, AU, IA, and SI control families inform product design. Not independently assessed.
HIPAA | Aligned | Deployment patterns support HIPAA-aligned environments. BAA terms available for qualified deployments under signed agreement.
OWASP ASI | Aligned | AI-agent governance controls aligned to OWASP Agentic Security Initiative guidelines.

Compliance references describe alignment and readiness, not certification, unless stated in a signed customer artifact.

Subprocessors

Processor | Purpose | Data involved
Amazon Web Services | Control plane hosting, evidence storage | Customer-defined; evidence packs in customer-owned S3
Cloudflare | CDN and DDoS protection for public site | Public web traffic only — no identity data

Vulnerability disclosure

If you discover a security issue, email security@sidentiq.com with a description, reproduction steps, and your contact details.

We acknowledge within 2 business days and respond substantively within 10. Please allow reasonable time to investigate before public disclosure.

Security & procurement contact

For security review requests, architecture walkthroughs, NDA evaluation terms, or detailed control documentation, request a security brief.

Evidence retention is customer-controlled. SidentiQ does not set or enforce retention periods. Customers configure S3 Object Lock and bucket lifecycle policies in their own AWS account.