How we protect
your data.
SICenter processes security-sensitive data on your behalf. This page describes the controls we have in place.
Data handling
All persistent data is encrypted at rest using AES-256. Key management is handled by the infrastructure layer; keys are rotated on a regular schedule and are never stored alongside the data they protect.
All data in transit — between your browser and SICenter's servers, between our services, and between our services and third-party APIs — is encrypted using TLS 1.3. We reject connections that negotiate older protocol versions. Certificate pinning is enforced on server-to-server calls where the endpoint is under our control.
Scan results, findings, and asset metadata are stored in a multi-tenant database. Each row is tagged with an organization ID. Application-level queries include an organization ID predicate on every read and write; the database layer enforces row-level security policies as a second check. A query from one tenant cannot return rows belonging to another.
Tenant isolation
Every API request — REST and MCP — is authenticated against a bearer token that resolves to a specific organization. The middleware layer extracts the organization ID from the token and attaches it to the request context before any handler executes.
Scope assertions are enforced at the API boundary. Asset lookup, scan dispatch, and finding queries all verify that the requested resource belongs to the authenticated organization. Requests for out-of-scope resources return a 403 rather than a 404 to prevent enumeration.
Background workers — scan runners, discovery jobs, notification dispatchers — receive their organization context from the job payload and validate it before execution. A misconfigured job payload results in a job rejection rather than cross-tenant data access.
Secrets management
Integration credentials (API keys, OAuth tokens, webhook signing secrets) are stored in encrypted columns. The encryption key is separate from the database encryption key and is stored in a secrets manager with access logging and key-rotation support.
MCP tokens are displayed to the user exactly once at creation time and are not stored in recoverable form thereafter. The stored value is a salted hash used only for validation. If a token is lost, it must be revoked and a new one issued.
Environment variables containing sensitive configuration are never logged. Log scrubbing middleware strips any string matching common secret patterns (API key formats, JWTs, bearer tokens) from log output before it is written to the log aggregator.
Audit logging
Every privileged action — authentication events, API key creation and revocation, scan dispatch, finding status changes, integration configuration — is written to an append-only audit log. The log records the actor identity, the action, the affected resource, a timestamp, and the source IP.
Audit log records are retained for the duration set by your plan tier. Enterprise plans retain logs for one year. The audit log is exported via the REST API and can be streamed to a SIEM of your choice using the signed webhook integration.
Log entries are immutable after write. The infrastructure does not provide a delete endpoint for audit records; retention-based deletion is automated and cannot be triggered by application-layer API calls.
Vulnerability disclosure
We welcome responsible disclosure of security vulnerabilities affecting SICenter. If you discover an issue, please email security@sicenter.io. We will acknowledge your report within two business days and provide a timeline for remediation.
We ask that you do not disclose the vulnerability publicly until we have had a reasonable opportunity to remediate it. We commit to resolving critical issues within 30 days and providing you with credit in our disclosure notice if you wish.
Out-of-scope items include denial-of-service attacks, social engineering, attacks against physical infrastructure, and findings from automated scanners submitted without manual verification.
SOC 2 Controls
We map our day-to-day engineering controls to the AICPA SOC 2 Trust Service Criteria so security buyers can evaluate fit before a long questionnaire round-trip. SICenter has not yet completed a Type II audit; this matrix describes the controls we operate continuously.
| TSC | Control | Evidence |
|---|---|---|
| CC6.1 | Logical access — least privilege. | Per-org row-level security on every table. Service-role bypass restricted to backend functions; the dashboard never holds service credentials. |
| CC6.1 | Authentication. | Email/password with bcrypt hashing. SSO via SAML 2.0 with signature, audience, and 5-minute replay validation. Session cookies httpOnly + Secure + SameSite=Lax. |
| CC6.6 | Encryption in transit. | TLS 1.2+ enforced on every domain (HSTS preload). Internal service-to-service calls run over TLS via Vercel/Insforge edge. |
| CC6.7 | Encryption at rest. | Postgres encrypted with AES-256 (Insforge-managed). Per-integration secrets re-encrypted by SICenter using AES-256-GCM with envelope keys before storage. |
| CC7.2 | Continuous monitoring. | Audit log captures every MCP/REST tool call, scope denial, rate-limit event, and integration delivery. Read-only viewer at /dashboard/audit. |
| CC7.3 | Vulnerability management of our own assets. | We dogfood SICenter — every commit triggers a scan against sicenter.io. CVE feeds (NVD, EPSS, CISA KEV) refreshed hourly via cron. |
| CC7.4 | Incident response. | Severity-based pager via PagerDuty integration. Vulnerability disclosure at security@sicenter.io with 2-business-day acknowledgement, 30-day SLA on critical issues. |
| CC8.1 | Change management. | Every code change goes through PR review on GitHub. Builds run TypeScript strict checks, ESLint, and 588+ vitest tests before any deploy. |
| CC9.2 | Vendor management — SSRF prevention. | All outbound HTTP from user-supplied URLs (webhooks, ServiceNow) passes through assertPublicHost — DNS-resolves the target and rejects RFC 1918 ranges, 169.254.x.x, 127.0.0.0/8, ::1, link-local, and rebinding attempts. |
| P1.1 | Privacy — data minimization. | Free scans hash IPs before persistence. No third-party analytics that share user data. No tracking cookies on marketing pages. |
| A1.2 | Availability — backups. | Insforge-managed Postgres takes daily snapshots with PITR (point-in-time-recovery). Vercel deployments are immutable and atomic; rollback is one CLI command. |
| PI1.1 | Processing integrity — webhook signing. | All outbound webhooks signed with HMAC-SHA256 in Stripe-style v1 scheme. Constant-time signature verification on inbound (Jira, etc.). Replay window 5 minutes. |
Need a security questionnaire response or vendor risk assessment? Email security@sicenter.io and we'll respond within one business day.