Security & Compliance

Trust Center

Savvy Security operates managed SOCs and delivers product engineering for clients. This page covers compliance posture, security practices, and third-party services we use. Last updated: July 13, 2026.

Compliance frameworks

HIPAA

Compliant

Business Associate Agreements available. Savvy Security does not process PHI as a primary function but maintains HIPAA-aligned safeguards for healthcare clients on managed SOC and scoped development work.

GDPR

Compliant

EU and UK data protection rights honored. Standard Contractual Clauses available for international transfers where required.

SOC 2 Type II

In Progress

Security, Confidentiality, and Availability trust principles. Control environment implemented across development delivery and SOC operations; formal Type II attestation in progress.

ISO 27001

In Progress

Information security management system practices mapped to ISO 27001 controls. Certification pursued where client contracts require formal attestation.

Security practices

  • Encryption at Rest

    All client application data encrypted with AES-256 via cloud provider key management. Databases, object storage, and compute volumes are encrypted by default.

  • Encryption in Transit

    TLS 1.2+ enforced on all external connections. API endpoints, inter-service communication, and database connections are encrypted.

  • Scoped Source Code Access

    Client repositories are accessed read-only via authorized integrations. Source code is used only for the scoped engagement and is not retained beyond contract terms unless the client requests otherwise.

  • Client Isolation

    Strict organization-scoped access controls. Separate environments per client, scoped API credentials, and role-based access for dashboards and SOC tooling.

  • Access Control

    MFA required for all infrastructure access. Least-privilege IAM policies. No shared credentials. Quarterly access reviews.

  • Audit Logging

    Logging across cloud infrastructure and SOC platforms. Request-level trace IDs for application traffic. Analyst actions and case timelines retained for managed SOC engagements.

  • Incident Response

    Documented incident response plan with defined procedures for detection, containment, client notification, and post-incident review. Escalation matrices agreed before SOC go-live.

  • Transparent SOC Operations

    Managed SOC clients receive runbooks, escalation contacts, and case documentation, not opaque alert forwarding. Detection tuning and purple team findings feed back into measurable improvements.

Subprocessors

Savvy Security uses a limited set of third-party subprocessors to deliver our services. We evaluate each provider's security practices and maintain contractual data protection obligations with every subprocessor.

SubprocessorPurposeData processedLocation
Amazon Web Services (AWS)Cloud infrastructure, compute, storage, database, loggingApplication data, SOC telemetry, scan and case findings, deployment artifacts, audit logsUS / EU (region-dependent)
Microsoft (Azure / Microsoft 365)Cloud infrastructure and identity telemetry for SOC monitoringEntra ID sign-ins, M365 audit logs, Azure control-plane events, security alertsUS / EU (region-dependent)
GitHubSource control, CI/CD, and webhooksSource code (client-authorized), commit metadata, workflow logsUS
CloudflareDNS, CDN, and edge securityRequest routing metadata, static assets, WAF eventsGlobal (edge)
StripePayment processingBilling information (name, email, payment method)US
SentryError monitoringError metadata, stack traces, request contextUS
LLM API providers (engagement-specific)AI-assisted features when explicitly scoped in the statement of workPrompts and context supplied per feature, not used for model trainingUS / varies by provider

To subscribe to subprocessor change notifications, contact your Savvy Security engagement lead.

Data handling

Source Code

Customer source code is accessed read-only via authorized GitHub integrations. Code is used only for the scoped engagement (development, review, and deployment) and is not sublicensed or reused across clients. Savvy Security does not modify, fork, or retain copies of customer repositories beyond what the contract permits.

Managed SOC Telemetry

For SOC clients, we process security telemetry (endpoint, identity, cloud, network, and email signals) solely to deliver monitoring, investigation, and response services. Data stays in client-designated or contractually agreed regions and tools. We do not sell, repurpose, or use telemetry to train models.

AI & Model Training

Customer data is never used to train, fine-tune, or improve any AI models. LLM inference is performed via API calls that do not retain input data. AI-assisted workflows are opt-in per project, documented in the statement of work, and designed to minimize data sent to inference APIs.

Data Retention & Deletion

Project deliverables, account data, and SOC case records are retained for the duration of the engagement and any agreed warranty or compliance window. Upon contract termination, all customer data is deleted or returned within 30 days unless law or the client requests a different schedule. Deletion requests can be made through your engagement lead.

See also our Privacy policy, Terms, and Ownership & IP.