ENTERPRISE-GRADE SECURITY

Security & Compliance

Built for government, healthcare, and finance. SOC 2 in progress, GDPR compliant.

SOC 2 Type II Compliance

In Progress - Expected Q2 2026

We are actively working towards SOC 2 Type II certification, the gold standard for security compliance. Our audit is underway with an independent third-party auditor.

Enterprise customers can request our current security documentation and pre-audit reports.

Encryption

TLS 1.3 encryption in transit
AES-256 encryption at rest (AWS SSE-S3)
Encrypted database connections
Encrypted backups

Authentication & Access

Multi-factor authentication (MFA)
SSO / SAML integration (Enterprise)
Role-based access control (RBAC)
Per-contract permissions

Data Protection

Automated daily backups (30-day retention)
Point-in-time recovery (7 days)
Multi-org data isolation
Automatic backup testing

Infrastructure Security

Rate limiting on all endpoints
DDoS protection via Vercel
AWS infrastructure security
Private S3 buckets (no public access)

Compliance & Standards

GDPR

Fully compliant with EU General Data Protection Regulation

CCPA

California Consumer Privacy Act ready

HIPAA

HIPAA-ready infrastructure (BAA available for Enterprise)

Audit Logging & Compliance

Complete audit trail for regulatory compliance (FedRAMP, NIST, SOX, FISMA):

All user actions logged with timestamps
Contract modifications tracked
File access and downloads logged
Permission changes audited
Export audit logs for compliance reporting
Tamper-proof log storage

Third-Party Security

We carefully vet all third-party services (subprocessors) and ensure they meet our security standards. All subprocessors are SOC 2 compliant and have signed data processing agreements.

View Complete Subprocessors List →

Security Practices

Regular security audits - Quarterly penetration testing and vulnerability assessments
Dependency scanning - Automated scanning for vulnerable dependencies
Security training - All team members receive security awareness training
Incident response plan - 24-hour notification for security incidents
Bug bounty program - Coming Q1 2026

Responsible Disclosure

If you discover a security vulnerability, please report it responsibly:

Email: security@retaineriq.app

We commit to responding within 24 hours and will work with you to address the issue. Please do not publicly disclose vulnerabilities until we've had a chance to fix them.

We appreciate responsible disclosure and may offer rewards for valid security reports (bug bounty coming Q1 2026).

Enterprise Trust Pack

Enterprise customers get access to additional security documentation and guarantees:

99.9% Uptime SLA

Data Processing Agreement (DPA)

Business Associate Agreement (HIPAA)

Security questionnaire responses

Penetration test reports

SOC 2 reports (when available)

View SLA →View DPA →Contact Sales

Questions about our security practices?

security@retaineriq.app

Security Practices

Regular security audits - Quarterly penetration testing and vulnerability assessments

Dependency scanning - Automated scanning for vulnerable dependencies

Security training - All team members receive security awareness training

Incident response plan - 24-hour notification for security incidents

Bug bounty program - Coming Q1 2026

Responsible Disclosure

If you discover a security vulnerability, please report it responsibly:

Email: security@retaineriq.app

We commit to responding within 24 hours and will work with you to address the issue. Please do not publicly disclose vulnerabilities until we've had a chance to fix them.

We appreciate responsible disclosure and may offer rewards for valid security reports (bug bounty coming Q1 2026).