We're transparent about what's done, what's in flight, and what's on the roadmap. SOC 2 Type II and ISO 27001 are both currently in progress.
- DPA available on request; EU data residency on the Growth plan.
- Subject access, deletion, and portability workflows.
- SOC 2 Type II: audit in progress. Report expected Q4 2026.
- ISO 27001: Stage 1 scheduled. Certification expected 2027.
- Overall status: in progress. We do not yet hold SOC 2 Type II or ISO 27001 certificates. If your procurement requires them today, contact us; we can share our audit roadmap, current controls evidence, and timelines.
- TLS 1.2+ on every public endpoint, with HSTS preload and modern cipher suites only.
- AES-256 disk encryption for the database, backups, and storage buckets.
- API keys are hashed with SHA-256 before storage; only a prefix is displayed after creation.
- Postgres RLS policies enforce strict tenant isolation on every read and write.
- Append-only records keyed to content hashes: no edits, no deletes, no exceptions.
- Edge runtime with no long-lived servers, least-privilege IAM, and automated patching.
- Every admin action, key usage, and policy change is recorded with actor, IP, and timestamp.
- Pin tenants to EU or US regions on the Growth plan; your data stays where you specify.
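One way to implement the API-key rule above (hash before storage, prefix-only display, plaintext shown once), as an added example that is not the product's own code; names such as ApiKeyStore and the "tk_" key prefix are assumptions:

```python
import hashlib
import secrets

# Constructed sketch of the key-handling rule above; names such as ApiKeyStore
# and the "tk_" key prefix are assumptions, not the product's own code.
PREFIX_CHARS = 10   # characters of the key the UI may show after creation
KEY_BYTES = 32      # 256 bits of randomness per key


def generate_api_key() -> str:
    """Return a fresh high-entropy key; the caller shows it to the user once."""
    return "tk_" + secrets.token_urlsafe(KEY_BYTES)


def hash_api_key(key: str) -> str:
    """Digest persisted in place of the key. A fast, unsalted SHA-256 is adequate
    only because the key carries 256 bits of entropy; user-chosen passwords would
    instead need a slow, salted KDF."""
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


def display_prefix(key: str) -> str:
    """What the UI shows later: enough to tell keys apart, not enough to use one."""
    return key[:PREFIX_CHARS] + "..."


class ApiKeyStore:
    """In-memory stand-in for a keys table indexed by digest (assumption)."""

    def __init__(self) -> None:
        self._by_digest: dict = {}

    def create(self, tenant_id: str) -> tuple:
        key = generate_api_key()
        record = {"tenant_id": tenant_id, "prefix": display_prefix(key), "revoked": False}
        self._by_digest[hash_api_key(key)] = record
        return key, record      # plaintext is handed back once and never stored

    def revoke(self, prefix: str) -> int:
        """Revoke every key whose displayed prefix matches; returns the count."""
        hits = [r for r in self._by_digest.values() if r["prefix"] == prefix]
        for r in hits:
            r["revoked"] = True
        return len(hits)

    def authenticate(self, presented: str):
        """Resolve a presented key to its tenant record; None if unknown or revoked."""
        record = self._by_digest.get(hash_api_key(presented))
        if record is None or record["revoked"]:
            return None
        return record
```

Because lookup is by digest, a database leak exposes only hashes and display prefixes, neither of which lets an attacker call the API.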
Security isn't only a feature checklist — it's how we hire, ship, and operate. These are the day-to-day practices behind the product.
- All employees with production access pass background screening.
- SSO + WebAuthn required for all staff; no shared credentials.
- Production access is JIT-granted, reviewed monthly, and fully logged.
- Sub-processors are reviewed annually; the full list is published below.
- Annual third-party pentest with remediation SLAs.
- Security contact: security@termitude.com; we respond within 24h.
| Sub-processor | Location | Purpose |
|---|---|---|
| Managed cloud infrastructure | EU / USA | Application hosting, database, auth |
| Cloudflare | Global | Edge network, DDoS protection |
| Resend | USA | Transactional email delivery |
| Stripe | USA | Billing and payment processing |
| Intercom | USA | Help inquiries; personal data may be exchanged in support conversations |
| Microsoft | EU / USA (as selected) | Personal data contained in communications sent through or uploaded to the services; Azure OpenAI, where personal data may be shared in prompts written by end users |
| Equus Software | EU, USA, UK, Philippines | Equus subsidiaries may act as sub-processors for the provision of the services |
| Mailgun | USA (moving to EU) | Inbound and outbound email processing, which may contain personal information; data stored for 1 day, then deleted |