Defense-in-depth posture for the placement.solutions API. Documented, testable, and reviewable by your security team. This page is the public summary; the full SOC 2 letter and penetration test report are available under NDA.
placement.solutions is in the observation period for SOC 2 Type I. Our auditor of record is named in the auditor cover letter, available under NDA on request to hunter@placement.solutions. We are targeting attestation in Q3 2026. SOC 2 Type II observation begins immediately on completion of Type I, with target attestation in Q1 2027.
We additionally maintain readiness against ISO 27001 control objectives and expect to enter ISO certification in Q3 2027. Our compliance roadmap is in section 11 below.
All public ingress to api.placement.solutions, app.placement.solutions, and docs.placement.solutions is served over TLS 1.2 or higher with HSTS preload. We accept only modern cipher suites with forward secrecy and reject SSLv3, TLS 1.0, and TLS 1.1. We publish a Strict-Transport-Security header with the includeSubDomains and preload directives, and we are listed in the HSTS preload list.
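The following is an added example, not placement.solutions code, showing how a reviewer could check the two claims above offline: it parses a Strict-Transport-Security value per RFC 6797, reports why a header would fail HSTS preload submission (one-year minimum max-age, includeSubDomains, preload), and applies the stated cipher policy (no SSLv3/TLS 1.0/TLS 1.1; TLS 1.2 only with ephemeral, AEAD suites; any TLS 1.3 suite) to a negotiated version and OpenSSL-style suite name. The header strings and suite names in it are constructed sample inputs.

```python
# Added example (not placement.solutions code): offline checks for the TLS and
# HSTS policy described above. Header values and cipher names are constructed
# sample inputs; the preload threshold is the hstspreload.org minimum.
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

PRELOAD_MIN_MAX_AGE = 31_536_000   # one year, required by the HSTS preload list
REJECTED_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
TLS13_SUITES = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
                "TLS_CHACHA20_POLY1305_SHA256"}

@dataclass
class HstsPolicy:
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool
    valid: bool          # False if the header violates RFC 6797 syntax rules

def parse_hsts(header: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security value per RFC 6797 section 6.1:
    directives are ';'-separated, names are case-insensitive, max-age is
    required, and no directive may appear twice. Unknown directives are ignored."""
    seen = set()
    max_age = None
    include_subdomains = preload = False
    valid = True
    for raw in header.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')   # delta-seconds may be quoted
        if name in seen:
            valid = False
            continue
        seen.add(name)
        if name == "max-age":
            if re.fullmatch(r"\d+", value):
                max_age = int(value)
            else:
                valid = False
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        valid = False
    return HstsPolicy(max_age, include_subdomains, preload, valid)

def preload_problems(header: str) -> list[str]:
    """Return the reasons a header would be rejected by the HSTS preload list;
    an empty list means the header meets the submission requirements."""
    p = parse_hsts(header)
    problems = []
    if not p.valid:
        problems.append("not a valid RFC 6797 policy")
    if p.max_age is None or p.max_age < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age below {PRELOAD_MIN_MAX_AGE}")
    if not p.include_subdomains:
        problems.append("includeSubDomains missing")
    if not p.preload:
        problems.append("preload missing")
    return problems

def cipher_policy_ok(version: str, suite: str) -> bool:
    """Accept TLS 1.3 suites (always forward-secret) and TLS 1.2 AEAD suites
    with ephemeral key exchange; reject SSL 3.0, TLS 1.0 and TLS 1.1 outright.
    Names follow OpenSSL conventions."""
    if version in REJECTED_VERSIONS:
        return False
    if version == "TLSv1.3":
        return suite in TLS13_SUITES
    if version == "TLSv1.2":
        ephemeral = suite.startswith(("ECDHE-", "DHE-"))
        aead = "GCM" in suite or "CHACHA20" in suite
        return ephemeral and aead
    return False

if __name__ == "__main__":
    # Constructed sample header of the shape the page describes.
    print(preload_problems("max-age=63072000; includeSubDomains; preload"))   # []
    print(preload_problems("max-age=300"))
    print(cipher_policy_ok("TLSv1.1", "ECDHE-RSA-AES256-SHA"))               # False
```

Note that a duplicate directive or a missing max-age makes the whole header invalid under RFC 6797, which is a separate failure from merely not qualifying for preload; the checker reports both.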
Customer Data, account data, and audit logs are encrypted at rest using AES-256. Database-level encryption is provided by our managed Postgres (Neon) and managed Redis (Upstash) subprocessors. Backups are encrypted with separately managed keys.
Communication between the API gateway and the engine, between the engine and worker pools, and between application services and the data tier is mutually authenticated with mTLS. Internal certificates are issued from a private PKI with short rotation lifetimes.
API keys are issued per environment (live, test) and per Authorized User. Keys carry a non-secret prefix that identifies the environment, the tier scope, and the issuing organization, plus a high-entropy secret. Secret rotation is one-click in the dashboard. Keys may be scoped to specific endpoints and to specific source IP ranges (IP allowlisting) on Real-Time, Bulk, and Enterprise tiers.
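As an added example (not placement.solutions code, and not its actual key format), here is a key scheme with the properties just described: a non-secret prefix carrying environment, tier, organization and a key id, followed by a 256-bit secret of which only a hash is stored, with verification in constant time and enforcement of per-endpoint and source-IP-range scopes. The layout `ps_<env>_<tier>_<org>_<kid>_<secret>`, the in-memory store, and the rule that prefix parts contain no underscores are assumptions made for this example.

```python
# Added example (not placement.solutions code): an API-key scheme with a
# non-secret, self-describing prefix and a high-entropy secret. The layout
# ps_<env>_<tier>_<org>_<kid>_<secret> and the in-memory store are assumptions
# made for this example; prefix parts are assumed to contain no underscores.
from __future__ import annotations
import hashlib, hmac, ipaddress, secrets
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class KeyRecord:
    prefix: str            # non-secret: what the server indexes and logs
    secret_hash: bytes     # SHA-256 of the secret; the secret itself is never stored
    endpoints: frozenset   # allowed endpoints; empty means no endpoint restriction
    ip_ranges: tuple       # allowed source networks; empty means any source

_STORE: dict = {}          # prefix -> KeyRecord, standing in for the database

def _hash_secret(secret: str) -> bytes:
    # A plain hash is adequate here because the secret has 256 bits of entropy;
    # slow password hashing is for low-entropy human-chosen secrets.
    return hashlib.sha256(secret.encode()).digest()

def issue_key(env: str, tier: str, org: str, endpoints=(), ip_ranges=()) -> str:
    """Mint a key. Only the hash of the secret is retained server-side."""
    if env not in ("live", "test"):
        raise ValueError("env must be live or test")
    if any("_" in part for part in (env, tier, org)):
        raise ValueError("prefix parts must not contain '_'")
    kid = secrets.token_hex(4)        # distinguishes keys issued to the same org
    secret = secrets.token_hex(32)    # 256 bits of entropy; hex, so no '_' appears
    prefix = f"ps_{env}_{tier}_{org}_{kid}"
    _STORE[prefix] = KeyRecord(prefix, _hash_secret(secret), frozenset(endpoints),
                               tuple(ipaddress.ip_network(r) for r in ip_ranges))
    return f"{prefix}_{secret}"

def parse_key(key: str) -> Optional[dict]:
    """Split a key into labelled parts; everything except 'secret' is safe to log."""
    parts = key.split("_")
    if len(parts) != 6 or parts[0] != "ps":
        return None
    _, env, tier, org, kid, secret = parts
    return {"env": env, "tier": tier, "org": org, "kid": kid,
            "prefix": "_".join(parts[:5]), "secret": secret}

def revoke(key: str) -> bool:
    """Rotation is revoke() followed by issue_key(); the old key stops working."""
    parsed = parse_key(key)
    return parsed is not None and _STORE.pop(parsed["prefix"], None) is not None

def authorize(key: str, endpoint: str, source_ip: str) -> tuple:
    """Verify the secret in constant time, then enforce endpoint and IP scopes."""
    parsed = parse_key(key)
    rec = _STORE.get(parsed["prefix"]) if parsed else None
    if rec is None:
        _hash_secret(parsed["secret"] if parsed else "")   # keep timing comparable
        return False, "unknown key"
    if not hmac.compare_digest(_hash_secret(parsed["secret"]), rec.secret_hash):
        return False, "bad secret"
    if rec.endpoints and endpoint not in rec.endpoints:
        return False, "endpoint not in key scope"
    if rec.ip_ranges:
        addr = ipaddress.ip_address(source_ip)
        if not any(addr in net for net in rec.ip_ranges):
            return False, "source IP not allowlisted"
    return True, "ok"

if __name__ == "__main__":
    # Constructed sample: a live key locked to one endpoint and one /24.
    k = issue_key("live", "realtime", "acme", ["/v1/search"], ["203.0.113.0/24"])
    print(parse_key(k)["prefix"])
    print(authorize(k, "/v1/search", "203.0.113.10"))   # (True, 'ok')
    print(authorize(k, "/v1/bulk", "203.0.113.10"))
    revoke(k)
    print(authorize(k, "/v1/search", "203.0.113.10"))   # (False, 'unknown key')
```

Because the prefix is not secret, it can appear in audit logs and support tickets without exposing the credential, and a leaked secret can be matched to its environment and organization from the prefix alone.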
Dashboard sessions require multi-factor authentication for any account with billing or admin role. SAML SSO is available on Enterprise tier with support for Okta, Azure AD, Google Workspace, and any SAML 2.0 IdP.
All employee access to production systems requires hardware-key-backed multi-factor authentication. Production access is granted least-privilege through role-based access control (RBAC) with five defined roles: owner, admin, developer, billing, viewer. Production write access is restricted to a small named group. Just-in-time elevation is logged.
We log every privileged or security-relevant action, including:
Audit logs are written to an append-only store and are visible to Customer's owner and admin roles in the dashboard. Logs are retained for thirteen (13) months. Enterprise customers may export logs to their SIEM via syslog, CEF, or webhook.
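The CEF export mentioned above is where SIEM integrations most often go wrong, because values such as user-supplied strings can contain the characters the format uses as delimiters. The following added example (not placement.solutions code) encodes an audit event as a CEF:0 line with the required escaping (`|` and `\` in header fields; `=`, `\` and newlines in extension values) and parses such a line back, so a receiving pipeline can be checked for round-trip fidelity. The vendor/product/version strings and the sample event are constructed placeholders.

```python
# Added example (not placement.solutions code): encoding audit events as CEF
# lines for SIEM export and parsing them back with the format's escaping rules.
# Vendor/product/version strings and the sample event are constructed placeholders.
from __future__ import annotations
import re

VENDOR, PRODUCT, VERSION = "placement.solutions", "api-audit", "0.0-example"
# A key is a run of key characters followed by an unescaped '=' at the start
# of the extension or after whitespace; escaped '\=' inside values never matches.
_EXT_KEY = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")

def _esc_header(s: str) -> str:
    # In header fields only '|' and '\' are special.
    return s.replace("\\", "\\\\").replace("|", "\\|")

def _esc_ext(s: str) -> str:
    # In extension values '=' and '\' are special; newlines become \n and \r.
    return (s.replace("\\", "\\\\").replace("=", "\\=")
             .replace("\r", "\\r").replace("\n", "\\n"))

def to_cef(event: dict) -> str:
    """event = {"sig": str, "name": str, "severity": int 0..10, "ext": {key: value}}"""
    if not 0 <= int(event["severity"]) <= 10:
        raise ValueError("severity must be 0-10")
    header = [VENDOR, PRODUCT, VERSION, event["sig"], event["name"], str(event["severity"])]
    ext = " ".join(f"{k}={_esc_ext(str(v))}" for k, v in event["ext"].items())
    return "CEF:0|" + "|".join(_esc_header(h) for h in header) + "|" + ext

def _split_header(line: str):
    """Split on unescaped '|' until the seven header fields are consumed;
    the remainder is the extension, where '|' is an ordinary character."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        c = line[i]
        if c == "\\" and i + 1 < len(line):
            cur.append(line[i + 1]); i += 2
        elif c == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(c); i += 1
    return fields, line[i:]

def _unesc_ext(s: str) -> str:
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), s)

def parse_cef(line: str) -> dict:
    fields, ext = _split_header(line)
    if len(fields) != 7 or fields[0] != "CEF:0":
        raise ValueError("not a CEF:0 record")
    keys = list(_EXT_KEY.finditer(ext))
    parsed = {}
    for j, m in enumerate(keys):
        end = keys[j + 1].start() if j + 1 < len(keys) else len(ext)
        parsed[m.group(1)] = _unesc_ext(ext[m.end():end].rstrip(" "))
    return {"vendor": fields[1], "product": fields[2], "version": fields[3],
            "sig": fields[4], "name": fields[5], "severity": int(fields[6]),
            "ext": parsed}

if __name__ == "__main__":
    # Constructed sample audit event with delimiter characters in its values.
    event = {"sig": "1003", "name": "api_key|rotated", "severity": 5,
             "ext": {"suser": "alice@example.com", "src": "203.0.113.10",
                     "act": "api_key.rotate",
                     "msg": "scope=/v1/search | reason: user request\nold key retired"}}
    line = to_cef(event)
    print(line)
    print(parse_cef(line)["ext"] == event["ext"])   # True
```

The parser deliberately stops header splitting after seven fields rather than splitting the whole line on `|`, since extension values are allowed to contain unescaped pipes; a receiver that splits naively will misattribute fields on exactly the events (free-text messages) that matter most in an investigation.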
Daily encrypted backups are taken of the application database with point-in-time recovery (PITR) inside a thirty-five (35) day window. Backups are stored in a region separate from the primary write region and are encrypted with separately managed keys.
We run a documented restore drill quarterly. Each drill restores a recent backup into an isolated environment, validates record counts and schema integrity against production, and produces a written attestation that is filed with our compliance evidence. Drill cadence and pass/fail history are available under NDA.
Recovery objectives: RPO 24 hours (daily backup) with PITR to 5-minute granularity inside the 35-day window; RTO 4 hours for a region-affecting incident.
We maintain a written incident response plan with defined severity levels, on-call rotations, and escalation paths. For confirmed security incidents that affect Customer Data:
We engage an external penetration testing firm of Cobalt-class quality at least annually for a full-scope assessment of the production environment, the API surface, and the dashboard. Findings are tracked to remediation with target SLAs based on severity (critical: 7 days, high: 30 days, medium: 90 days, low: 180 days). A redacted summary of the most recent test is available under NDA on request.
Continuous security testing runs in our CI pipeline:
We maintain a documented inventory of all systems that process Personal Data, the categories of data each handles, the lawful bases for processing, and the retention period. The inventory is reviewed at least quarterly and on every material architectural change.
We do not train models on customer queries or returned data. Our index pipelines (entity resolution, deduplication, taxonomy classification) are trained on data we collect, license, or generate ourselves, and customer requests are not exposed to those training pipelines. See Privacy Policy §10 for the full disclosure.
All production Personal Data is stored and processed in the continental United States. International transfer mechanisms (SCCs, IDTA) are described in DPA §8.
We maintain a vendor inventory in a leading GRC platform, with a documented vendor risk assessment for every Sub-Processor with access to Customer Data. New vendors are reviewed by our security and legal functions before procurement. The current Sub-Processor list is published at subprocessors.html.
We accept good-faith vulnerability reports through hunter@placement.solutions, with PGP-encrypted submission supported. Reports should include sufficient detail to reproduce the issue. We commit to acknowledging within seventy-two (72) hours, providing an initial triage decision within seven (7) days, and remediating critical issues within thirty (30) days.
Our managed bug bounty program launches in Q3 2026 on HackerOne with a published scope, payout tiers, hall of fame, and safe-harbor language for good-faith research. Until launch, we honor a safe-harbor commitment to researchers who follow our coordinated disclosure policy: we will not pursue legal action against good-faith research that respects user privacy, avoids degradation of the Service, and refrains from public disclosure until we have remediated.
| Milestone | Target | Status |
|---|---|---|
| SOC 2 Type I attestation | Q3 2026 | In observation |
| SOC 2 Type II attestation | Q1 2027 | Observation begins on Type I sign-off |
| ISO 27001 certification | Q3 2027 | Gap assessment complete; control framework mapped |
| HIPAA BAA (Enterprise tier only) | Available now | BAA signed with each Enterprise customer who requires it |
| GDPR / UK GDPR / CCPA | In effect today | See DPA |
| Bug bounty launch (HackerOne) | Q3 2026 | Vulnerability disclosure honored today via security@ |
The full SOC 2 Type I observation letter, the most recent external penetration test executive summary, our incident response plan, our business continuity plan, and our vendor risk register are all available to qualified prospective and active customers under a mutual NDA. Request via email to hunter@placement.solutions; we respond within two (2) business days with the NDA and an evidence link.
- Compliance, audits, and security questionnaires: hunter@placement.solutions
- Vulnerability disclosure and security research: hunter@placement.solutions
- Privacy rights requests: hunter@placement.solutions