Security & Compliance

Last Updated: February 18, 2026

1. Security Architecture

SecurePoint USA implements security controls to protect your data:

  • TLS 1.2+ in transit; provider-managed encryption at rest (Supabase storage/Postgres)
  • Multi-tenant architecture with database RLS enforcing organization isolation
  • Role-based access control (RBAC) with org-scoped roles; MFA support configurable per organization
  • Formal penetration testing report not yet available
  • Structured logging with monitoring integrations (Datadog/Logflare) available; alerting coverage in progress

2. Data Protection

We protect your data through multiple layers of security:

  • Provider-managed encryption at rest for database and storage
  • TLS 1.2+ encryption in transit via Vercel Edge Network
  • Key management and rotation handled by cloud providers (Supabase/AWS)
  • Photo/ID retention policies configurable per organization; legal holds supported
  • Backups and recovery procedures documented in the business continuity plan

3. Access Controls

Access controls are designed to ensure only authorized personnel can access your data:

  • Multi-factor authentication (MFA) available via Supabase Auth; enforcement configurable per organization for admin/compliance roles
  • Role-based access control (RBAC) with org-scoped roles and permissions
  • Single sign-on (SSO) support for Microsoft Azure AD (OAuth)
  • Session timeout and account lockout controls configurable per organization; server-side checks enforce timeout/lockout
  • Audit logging for authentication and key actions (login, screening, exports)

4. Compliance Certifications

We align controls with industry standards and regulations:

  • SOC 2 Type II controls mapping in progress; no certification report available
  • ISO 27001 readiness and policy alignment in progress; certification not yet complete
  • Privacy rights (GDPR/CCPA) described in our Privacy Policy and DPA; requests handled via support
  • CMMC Level 2 control mapping in progress; no assessment report available
  • ITAR-ready workflow flags configurable per organization and site

4.1 Certification Timelines (In Progress)

When we state that a certification or assessment is in progress, we publish target milestones to help customers evaluate implementation risk. The timelines below are targets and may change based on auditor scheduling, scope, and remediation findings.

SOC 2 Type II (Target Window: Q2–Q3 2026)

  • Controls mapping & evidence mapping: In progress (ongoing)
  • Readiness validation: Target Q2 2026
  • Audit fieldwork / review period: Target Q2–Q3 2026
  • Report issuance: Target Q3 2026 (subject to auditor timelines)

ISO/IEC 27001 (Target Window: FY26)

  • ISMS scope & policy alignment: In progress
  • Internal audit & management review: Target FY26
  • Stage 1 audit: Target FY26
  • Stage 2 audit / certification decision: Target FY26

For supporting documentation (control mappings, evidence summaries, and the vendor security packet), contact security@securepointusa.com.

5. Infrastructure Security

Our infrastructure is designed for security and reliability:

  • Cloud infrastructure hosted on Vercel (edge) and Supabase (Postgres/Auth/Storage)
  • Security headers configured in Next.js (CSP, HSTS, and related headers)
  • Dependency updates performed manually; automated vulnerability scanning planned
  • Disaster recovery and business continuity procedures documented

6. Monitoring and Incident Response

We maintain security monitoring and incident response procedures:

  • Monitoring integrations with Datadog/Logflare available; automated alerting in progress
  • Threat detection supported by structured logging and error events; automated response planned
  • Incident response procedures documented in runbooks
  • Vulnerability management policy documented; automated dependency scanning planned

7. Third-Party Security

Vendor onboarding and review processes are documented, including security documentation collection for critical vendors. Reviews follow the vendor management runbook and recorded evidence standards.

8. Security Reporting

To report security vulnerabilities or concerns, contact us at:

Security Email: security@securepointusa.com
General Contact: support@securepointusa.com
Website: https://securepointusa.com