Security &
Compliance.
Your data runs inside your own Google Cloud project. We govern the perimeter — you hold the keys. This page documents our security posture, compliance trajectory, and incident response commitments.
Compliance Roadmap
Certifications & Frameworks
SOC 2 Type II
Formal SOC 2 Type II engagement is underway. We are targeting attestation by Q3 2026. Our internal controls already align with Trust Services Criteria for Security, Availability, and Confidentiality.
HIPAA-Ready
Our deployment architecture supports HIPAA technical safeguards: encryption at rest and in transit, audit logging, access controls, and BAA-eligible GCP services. BAAs executed on a per-client basis.
ISO 27001
Our information security management practices align with ISO 27001 Annex A controls. We implement risk assessments, asset inventories, and continuous improvement cycles consistent with this standard.
Data Residency
Your Data.
Your Region.
Every client selects their GCP region at deployment time. Your databases, backups, AI training data, and application state live exclusively within that region. Data never leaves your project boundary without explicit configuration.
Full GCP region catalog available on request
Supply Chain Transparency
Subprocessor Registry
We maintain a minimal, auditable set of subprocessors. Each is listed with its function and the categories of data it may access.
| Subprocessor | Function | Data Accessed | Location |
|---|---|---|---|
| Google Cloud Platform | Infrastructure hosting, compute, storage, AI/ML services | All client application data (within client's project) | Client-selected region |
| Frappe Technologies | Open-source ERP framework (ERPNext) | None — open-source, self-hosted; no data transmitted to Frappe | N/A (Self-hosted) |
| Cloudflare | DNS, DDoS protection, CDN for static marketing assets | Traffic metadata (IP, headers) for marketing site only | Global edge |
| Google Workspace | Internal team communication and project coordination | Internal correspondence; no client production data | US |
Last updated: April 2026 · Changes notified to active clients within 30 days
Cryptographic Posture
Encryption Architecture
CMEK Encryption
All data at rest is encrypted using Customer-Managed Encryption Keys (CMEK) via Google Cloud KMS. You control the key hierarchy; we never hold plaintext access to your data stores.
TLS 1.3
All data in transit is encrypted with TLS 1.3. Internal service-to-service communication within GCP uses Google's Application Layer Transport Security (ALTS).
Automated Rotation
KMS keys are configured with automatic rotation on a 90-day cycle. Clients may configure custom rotation schedules or trigger manual rotation at their discretion.
Encrypted Snapshots
Database backups and disk snapshots inherit the CMEK encryption of their source volumes. Backup retention policies are configurable per-client.
Response Protocol
Incident Response
Our incident response process is modeled on NIST SP 800-61. All security events are triaged by severity with defined escalation paths and client notification timelines.
Critical / Data Breach
Client notification within 24 hours. Immediate containment. Post-incident report within 72 hours.
High / Service Disruption
Client notification within 48 hours. Root cause analysis within 5 business days.
Informational
Included in next scheduled security report. No immediate client action required.
Disclosure
Vulnerability
Reporting.
If you've identified a security vulnerability in any Infinary-managed system or our public infrastructure, we encourage responsible disclosure. We do not pursue legal action against good-faith security researchers.
Questions About
Our Security Posture?
We're happy to discuss our security architecture in detail. Request our full security questionnaire response or schedule a call with our engineering team.
Contact Engineering