Security Architecture

Our infrastructure is built on defense-in-depth principles, combining modern encryption, strict access controls, and continuous threat monitoring.


End-to-End Encryption

All data is encrypted in transit (TLS 1.3) and at rest (AES-256). Customer-managed keys (CMK) are supported for sensitive workloads.


Zero-Trust Access

Strict identity verification, role-based access control (RBAC), and multi-factor authentication (MFA) enforced across all administrative and user interfaces.


Continuous Monitoring

24/7 security operations center (SOC) with automated threat detection, anomaly alerting, and real-time log aggregation across all services.


Network Isolation

Segmented VPCs, private endpoints, and web application firewalls (WAF) protect against unauthorized access and DDoS attacks.

Certifications & Compliance

We maintain rigorous compliance postures to meet regulatory requirements and customer trust obligations worldwide.

SOC 2 Type II (Audited & Active)

Annual third-party audits covering security, availability, and confidentiality controls.

ISO 27001:2022 (Certified)

Internationally recognized information security management system (ISMS) certification.

GDPR & CCPA (Compliant)

Full data privacy compliance for EU and California residents, including DPA support and right-to-erasure.

HIPAA Ready (In Progress)

Technical safeguards and BAA execution available for healthcare clients (Q3 2025 target).

PCI DSS Level 1 (Supported)

Secure payment processing infrastructure with tokenization and isolated transaction environments.

NIST CSF 2.0 (Aligned)

Framework-aligned risk management, governance, and continuous monitoring practices.

📄 View our latest audit reports and compliance documentation in the customer portal or contact security@divisions.io.

Data Handling & Privacy

Clear, accountable data lifecycle management. You own your data. We protect it.

| Data Category | Retention Period | Deletion Process | Cross-Border Transfer |
|---|---|---|---|
| Application Data | Active until account deletion | Immediate soft delete + 30-day hard purge | Optional region locking (US/EU/APAC) |
| Logs & Analytics | 90 days (standard), 365 days (enterprise) | Automated expiration, manual override available | Pseudonymized, GDPR-compliant processors |
| Backup Snapshots | Configurable (7–30 days) | Cascading deletion across all replication zones | Encrypted in transit, stored in customer-selected region |
| Support Tickets | 24 months | On request or policy expiration | Handled by EU/US-based support teams only |

Incident Response & Transparency

When security events occur, we act fast, communicate clearly, and continuously improve.

1. Detection & Triage

Automated alerts trigger within seconds. Our SOC validates severity and classifies the incident type (availability, integrity, confidentiality).

2. Containment & Mitigation

Immediate isolation of affected components, traffic rerouting, and credential rotation to prevent lateral movement or data exfiltration.

3. Investigation & Resolution

Forensic analysis of logs, system state, and network traffic. Root cause identification and permanent remediation deployment.

4. Notification & Post-Mortem

Customers affected by security incidents are notified within 24 hours. A transparent post-incident report is published within 72 hours.

🔔 Subscribe to our status page or security mailing list for real-time updates.

Security FAQ

Common questions from our enterprise and compliance teams.

Yes. Enterprise plans include full CMEK support via AWS KMS, Azure Key Vault, or HashiCorp Vault. You retain full control over key lifecycle, rotation, and access policies.

We undergo annual SOC 2 Type II and ISO 27001 audits by accredited third-party firms. Penetration testing is conducted quarterly by independent cybersecurity specialists.

Absolutely. Our multi-region architecture supports strict data residency controls. You can lock your tenant to US, EU, or APAC regions, with no cross-border replication unless explicitly configured.

Critical security incidents (P1) trigger an immediate response with initial containment within 1 hour. Enterprise customers receive dedicated incident commander access and hourly status updates until resolution.

Yes. We provide standard GDPR/CCPA Data Processing Addendums and HIPAA Business Associate Agreements upon request. Legal and compliance documents are available in the vendor portal.