Security First

Security Built Into Everything We Do

As a startup handling sensitive documents, we take security seriously. We're implementing enterprise-grade protections from day one, with transparency about our journey.

  • End-to-End Encryption
  • AWS Infrastructure
  • Zero Data Retention Options

Our Security Approach

Security as a Foundation, Not an Afterthought

We believe that good security practices should be embedded in everything we build from the very beginning. As a young company, we have the advantage of implementing modern security practices without legacy technical debt.

We're committed to transparency about our security posture—what we've implemented, what we're working on, and how we handle your data.

Secure by Design

Security reviews for every feature. No shortcuts, no "we'll fix it later."

Radical Transparency

We'll tell you exactly how we protect your data and what we're still building.

Continuous Improvement

Security is a journey. We're constantly learning and upgrading our protections.


How We Protect Your Data Today

These are the security measures we have actively implemented and maintain.

Data Encryption

Encryption Everywhere

All data is encrypted at rest using AES-256 and in transit via TLS 1.3. Encryption keys are managed through AWS KMS with regular rotation.

Access Control

Strict Access Controls

Role-based access control (RBAC) with the principle of least privilege. Multi-factor authentication required for all internal systems.

Cloud Infrastructure

Secure Infrastructure

Hosted on AWS with VPC isolation, private subnets, security groups, and automated vulnerability scanning of all instances.

Code Security

Secure Development

All code undergoes peer review and automated security scanning. Dependencies are checked for vulnerabilities in every build.

Monitoring

Continuous Monitoring

24/7 automated monitoring for anomalies, with alerting through PagerDuty. Log retention for 1 year with tamper-proof storage.

Data Privacy

Data Minimization

We only store what's necessary. Optional zero-retention mode where documents are processed but never stored on our servers.

Roadmap & Compliance Goals

We're building toward enterprise compliance standards. Here's where we are and where we're headed.

Infrastructure Security

Implemented

AWS infrastructure with VPC isolation, encryption at rest and in transit, automated backups, and MFA for all access.

Application Security Program

Active

Secure development lifecycle, automated vulnerability scanning, dependency checking, and peer code reviews.

SOC 2 Type I Preparation

In Progress

Currently documenting controls and preparing for our first SOC 2 Type I audit. Expected completion Q2 2026.

Penetration Testing

Planned Q2 2026

First third-party penetration test by an accredited security firm to validate our security posture.

SOC 2 Type II

Target Q4 2026

Full SOC 2 Type II certification demonstrating sustained security practices over a 6-month observation period.

ISO 27001 Certification

Target 2027

International information security management certification for global enterprise customers.

What We Share & How We Handle Data

We believe you deserve to know exactly how we handle your information.

Available Documentation

We provide detailed information about our security practices to prospective customers.

  • Security Whitepaper
  • Data Processing Agreement
  • Infrastructure Diagram
  • Security Questionnaire Responses

Data Handling

Clear policies on what we collect, how long we keep it, and when we delete it.

  • 30-day default retention (configurable)
  • Immediate deletion on request
  • No training on customer data
  • No third-party sharing

Internal Access

Strict limits on who at Ciryana can access customer data and under what circumstances.

  • No routine access to production data
  • Access only for support with consent
  • All access logged and audited
  • Background checks on all employees

Incident Response

Our plan for handling security incidents quickly and transparently.

  • 24-hour internal response time
  • 72-hour customer notification
  • Public status page for outages
  • Post-incident reports shared

Questions About Security?

We'd love to discuss our security practices with you. Reach out for our security whitepaper or to schedule a call with our team.

  • Email Us (general security questions): security@ciryana.com
  • Report Issue (vulnerability disclosure): security@ciryana.com
  • Documentation: Request whitepaper
