Compliance Certifications

Admin undergoes regular third-party audits to verify our security controls and compliance posture.

SOC 2 Type II (Certified)
Audit confirms our controls are suitably designed and operating effectively over time.
Auditor: KPMG. Valid until: 2025-06.

ISO 27001:2022 (Certified)
International standard for information security management systems (ISMS).
Registrar: BSI. Valid until: 2026-03.

GDPR (Compliant)
General Data Protection Regulation compliance for European Union data subjects.
Data Processor; DPA available.

CCPA / CPRA (Compliant)
California Consumer Privacy Act compliance for California residents.
Consumer rights: opt-out available.

HIPAA (In Progress)
Health Insurance Portability and Accountability Act. HIPAA-compliant plans available Q1 2025.
BAA request: contact Sales.

CMMC Level 2 (In Progress)
Cybersecurity Maturity Model Certification for U.S. Department of Defense contractors.
Target: 2025 (Defense Ready).
Request a Report: You can download our latest SOC 2 Type II report, penetration test summary, or Data Processing Agreement by contacting our security team or logging in to your admin dashboard under Settings > Compliance.

Security Architecture

Our platform is engineered with a zero-trust architecture, ensuring data protection at every layer.

Encryption in Transit & Rest

All data is encrypted using TLS 1.3 in transit and AES-256 encryption at rest. We use HSM-backed key management for secure key rotation.

DDoS & WAF Protection

Cloudflare enterprise-grade Web Application Firewall and DDoS mitigation protect our infrastructure from volumetric attacks.

Multi-Factor Authentication

MFA is enforced for all administrative actions. We support TOTP, hardware keys (FIDO2/WebAuthn), and SMS-based verification.

Role-Based Access Control

Granular RBAC and ABAC policies allow organizations to enforce least-privilege access controls across the platform.

Audit Logging

Immutable audit logs capture all user and system actions. Logs are retained for 365 days and available for SIEM integration.

Global Infrastructure

Multi-region deployment across AWS, GCP, and Azure with automated failover ensures 99.99% availability and data residency options.

Data Privacy & Handling

Data Ownership

Customers retain full ownership of all data submitted to Admin. We never sell, share, or monetize your data. Our privacy practices are designed to give you complete control over your information.

Data Processing

  • Minimization: We only collect data necessary to provide our services.
  • Purposes: Data is processed for service delivery, security, compliance, and—with consent—improvement.
  • Retention: Data is retained for the duration of your subscription plus a 30-day grace period. Deletion requests are processed within 30 days.

Data Residency

Admin supports data residency requirements. Enterprise customers can select specific geographic regions (US, EU, APAC) where their data is stored and processed. Data is never transferred across regions without explicit consent.

Subprocessors

We use trusted third-party subprocessors for infrastructure (AWS, GCP), monitoring (Datadog), and communications (SendGrid). You can view our full list of subprocessors and their data handling agreements in the Admin Portal under Compliance > Subprocessors.

Vulnerability Disclosure Program

Responsible Disclosure

We value the contributions of security researchers and welcome responsible disclosure of vulnerabilities. If you believe you've found a security issue in Admin, please report it through our secure channels.

  1. Report: Send details to security@admin.com or use our bug bounty platform.
  2. Acknowledge: We will acknowledge receipt within 24 hours and provide a tracking ID.
  3. Remediate: Our security team will investigate, reproduce, and fix the issue.
  4. Resolve: You'll be notified when the issue is resolved. We credit researchers in our public log.

Out of Scope: Social engineering, physical security, third-party services, and DoS attacks are currently out of scope for our bug bounty program.

Security Contact

✉️ security@admin.com
🔑 PGP Key Available
🛡️ Bug Bounty Platform
📅 Response Time: < 24hrs

Frequently Asked Questions

By default, data is stored in our primary regions (US East and EU West). Enterprise customers can select specific data residency regions during onboarding. You can verify your data location in the Admin Portal under Settings > Region.

Yes. You can export your data at any time in standard formats (JSON, CSV, XML) through the Admin Portal. We also provide API access for programmatic data retrieval. Upon account closure, a final export is available for 30 days.

Admin is PCI-DSS compliant for payment processing. We use tokenization, and our payment processor (Stripe) handles all sensitive card data; Admin never stores raw credit card numbers on our servers.

Data is retained for 30 days after account cancellation to allow for recovery. After this period, all data is permanently deleted from our systems and backups. You can request immediate deletion by contacting support.

Yes. SOC 2 Type II reports are available to verified customers. Log in to your Admin Portal and navigate to Settings > Compliance > Download Reports. Alternatively, contact compliance@admin.com with your account details.