PartnerAZ Security & Trust

Enterprise-grade security with privacy-by-design architecture. Our comprehensive security posture protects your data with SOC 2 compliance, advanced encryption, and robust access controls.

SOC 2 (in progress)
ISO 27001 (in progress)
GDPR/PIPEDA‑aligned
PCI‑DSS via processor
Report a Vulnerability

security@partneraz.com (PGP available on request)

Our Security Posture at a Glance

Encryption

TLS 1.2+ in transit; AES‑256 at rest

Identity & Access

SSO/OIDC (Google/Microsoft), enforced MFA, least‑privilege RBAC

Data Minimization

Only fields required for matching; PII is optional and scoped

Backups & DR

Point‑in‑time backups; RPO ≤ 24h, RTO ≤ 12h

Monitoring

Centralized logs, anomaly alerts, WAF and rate limiting on all endpoints

Compliance

SOC 2 Type I (Q2), Type II (Q4); ISO 27001 pilot; HIPAA‑lite controls

Data Handling & Privacy

Data Residency

Primary region: Canada; failover: U.S. (no failover without client consent for regulated data)

Data Segregation

Tenant‑scoped row‑level security; vendor/buyer workspaces logically isolated

Retention & Deletion

Default 18‑month retention for app submissions; hard delete within 30 days of request

Sub‑processors

Cloud hosting, email delivery, observability—listed on /security/subprocessors with change notice ≥ 30 days

Data Protection

DPAs available on request; SCCs for cross‑border transfers

Application Security

Secure SDLC

Threat modeling on new features; automated SAST/DAST on each PR; dependency scanning with pinned versions

Secrets Management

Managed KMS; no secrets in source; short‑lived tokens only

Input Safety

Server‑side validation, allow‑lists, output encoding; file uploads virus‑scanned; PDF/image content‑type locked

Rate‑limiting & Abuse

Per‑IP and per‑account throttles; bot detection on public forms

Vulnerability Management

CVE triage SLA—Critical 24h, High 72h, Medium 14d, Low 30d

Pentesting

Annual third‑party test (summary posted); re‑test after major releases

Specialized Security Areas

AI Safety & Data Use
  • Never train foundation models on customer PII
  • Every score shows feature weights
  • Prompt/response filters with audit trail
Payments & Financial
  • PCI‑DSS Level 1 provider for card data
  • PartnerAZ servers never see raw PAN
  • Compliant payment processor (KYC/KYB)
Infrastructure
  • Private subnets with SG allow‑lists
  • Minimal base images, non‑root containers
  • Encrypted snapshots with quarterly drills
Incident Response
  • 24×7 on‑call; 1‑hour triage for Sev‑1
  • Notification within 72h of a data incident
  • Post‑mortem within 10 business days

Security Roadmap (Quarterly)

Q1
  • SOC 2 Type I audit
  • Organization-wide MFA
  • Access review automation
  • Secrets rotation policy v1
Q2
  • Data‑retention controls in‑product
  • Customer‑managed keys (enterprise)
  • First external pen‑test
  • Breach‑simulation tabletop
Q3
  • SOC 2 Type II observation starts
  • Private bug‑bounty
  • IP allow‑lists
  • Bring‑your‑own‑SAML
Q4
  • ISO 27001 readiness
  • Field‑level encryption for sensitive objects
  • Fine‑grained audit exports

Frequently Asked Questions

Do you process PHI?

No. Our healthcare discovery features avoid ePHI. If a tenant needs to process PHI, we require a HIPAA BAA and a segregated stack.

Can you sign a DPA/SCCs?

Yes, we provide Data Processing Agreements and Standard Contractual Clauses upon request.

Can I choose data region?

The Enterprise plan can pin data to CA or EU with no cross‑region replication.

Security Questions?

Have specific security, compliance, or data protection questions? Our security team is here to help.