Trust Center
Savvy Security operates managed SOCs and delivers product engineering for clients. This page covers compliance posture, security practices, and third-party services we use. Last updated: July 13, 2026.
Compliance frameworks
HIPAA
CompliantBusiness Associate Agreements available. Savvy Security does not process PHI as a primary function but maintains HIPAA-aligned safeguards for healthcare clients on managed SOC and scoped development work.
GDPR
CompliantEU and UK data protection rights honored. Standard Contractual Clauses available for international transfers where required.
SOC 2 Type II
In ProgressSecurity, Confidentiality, and Availability trust principles. Control environment implemented across development delivery and SOC operations; formal Type II attestation in progress.
ISO 27001
In ProgressInformation security management system practices mapped to ISO 27001 controls. Certification pursued where client contracts require formal attestation.
Security practices
Encryption at Rest
All client application data encrypted with AES-256 via cloud provider key management. Databases, object storage, and compute volumes are encrypted by default.
Encryption in Transit
TLS 1.2+ enforced on all external connections. API endpoints, inter-service communication, and database connections are encrypted.
Scoped Source Code Access
Client repositories are accessed read-only via authorized integrations. Source code is used only for the scoped engagement and is not retained beyond contract terms unless the client requests otherwise.
Client Isolation
Strict organization-scoped access controls. Separate environments per client, scoped API credentials, and role-based access for dashboards and SOC tooling.
Access Control
MFA required for all infrastructure access. Least-privilege IAM policies. No shared credentials. Quarterly access reviews.
Audit Logging
Logging across cloud infrastructure and SOC platforms. Request-level trace IDs for application traffic. Analyst actions and case timelines retained for managed SOC engagements.
Incident Response
Documented incident response plan with defined procedures for detection, containment, client notification, and post-incident review. Escalation matrices agreed before SOC go-live.
Transparent SOC Operations
Managed SOC clients receive runbooks, escalation contacts, and case documentation, not opaque alert forwarding. Detection tuning and purple team findings feed back into measurable improvements.
Subprocessors
Savvy Security uses a limited set of third-party subprocessors to deliver our services. We evaluate each provider's security practices and maintain contractual data protection obligations with every subprocessor.
| Subprocessor | Purpose | Data processed | Location |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, compute, storage, database, logging | Application data, SOC telemetry, scan and case findings, deployment artifacts, audit logs | US / EU (region-dependent) |
| Microsoft (Azure / Microsoft 365) | Cloud infrastructure and identity telemetry for SOC monitoring | Entra ID sign-ins, M365 audit logs, Azure control-plane events, security alerts | US / EU (region-dependent) |
| GitHub | Source control, CI/CD, and webhooks | Source code (client-authorized), commit metadata, workflow logs | US |
| Cloudflare | DNS, CDN, and edge security | Request routing metadata, static assets, WAF events | Global (edge) |
| Stripe | Payment processing | Billing information (name, email, payment method) | US |
| Sentry | Error monitoring | Error metadata, stack traces, request context | US |
| LLM API providers (engagement-specific) | AI-assisted features when explicitly scoped in the statement of work | Prompts and context supplied per feature, not used for model training | US / varies by provider |
To subscribe to subprocessor change notifications, contact your Savvy Security engagement lead.
Data handling
Source Code
Customer source code is accessed read-only via authorized GitHub integrations. Code is used only for the scoped engagement (development, review, and deployment) and is not sublicensed or reused across clients. Savvy Security does not modify, fork, or retain copies of customer repositories beyond what the contract permits.
Managed SOC Telemetry
For SOC clients, we process security telemetry (endpoint, identity, cloud, network, and email signals) solely to deliver monitoring, investigation, and response services. Data stays in client-designated or contractually agreed regions and tools. We do not sell, repurpose, or use telemetry to train models.
AI & Model Training
Customer data is never used to train, fine-tune, or improve any AI models. LLM inference is performed via API calls that do not retain input data. AI-assisted workflows are opt-in per project, documented in the statement of work, and designed to minimize data sent to inference APIs.
Data Retention & Deletion
Project deliverables, account data, and SOC case records are retained for the duration of the engagement and any agreed warranty or compliance window. Upon contract termination, all customer data is deleted or returned within 30 days unless law or the client requests a different schedule. Deletion requests can be made through your engagement lead.
See also our Privacy policy, Terms, and Ownership & IP.