Impetora
Last updated: 2026-04-27

Security posture

This page describes the controls Impetora has in place today and the controls in progress. We publish what we have and what we do not. Where we are working toward a certification, we say so rather than implying ownership.

1. Encryption

  • TLS 1.3 enforced on every public endpoint, with an HSTS policy that meets the preload-list eligibility requirements
  • AES-256 at rest for the application database (Supabase managed encryption) and storage buckets
  • Internal credentials managed in a 1Password vault with hardware-key two-factor authentication
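The two transport claims above (TLS 1.3 enforced, HSTS preload-eligible) are the kind a client can verify from the outside. The script below is an added example, not Impetora's own tooling: it parses a Strict-Transport-Security header and checks it against the published preload-list requirements (max-age of at least one year, includeSubDomains, preload), and it includes a live probe that reports whether a host refuses a handshake capped at TLS 1.2. The header values are constructed for illustration, and the hostname passed to the probe is whatever the reader supplies.

```python
"""Verify HSTS preload eligibility and TLS 1.3 enforcement.

Added example; not Impetora's own code. Sample header values below are
constructed. The live probe only runs when a hostname is given on the
command line.
"""
import socket
import ssl
import sys

# Minimum max-age required by the HSTS preload list (one year, in seconds).
ONE_YEAR_SECONDS = 31_536_000


def parse_hsts(header: str) -> dict:
    """Split an HSTS header value into directives keyed by lower-cased name.

    Value-less directives (includeSubDomains, preload) map to None.
    """
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') if sep else None
    return directives


def check_preload_eligibility(header: str) -> list:
    """Return the list of problems; an empty list means preload-eligible."""
    problems = []
    d = parse_hsts(header)
    max_age = d.get("max-age")
    if max_age is None:
        problems.append("missing max-age directive")
    else:
        try:
            if int(max_age) < ONE_YEAR_SECONDS:
                problems.append(
                    f"max-age {max_age} is below {ONE_YEAR_SECONDS} (one year)"
                )
        except ValueError:
            problems.append(f"max-age {max_age!r} is not an integer")
    if "includesubdomains" not in d:
        problems.append("missing includeSubDomains directive")
    if "preload" not in d:
        problems.append("missing preload directive")
    return problems


def tls12_rejected(host: str, port: int = 443, timeout: float = 5.0) -> bool:
    """Return True if the server refuses a handshake capped at TLS 1.2.

    A refusal means TLS 1.3 is enforced, not merely supported. This opens
    a real connection; the reader chooses the host.
    """
    ctx = ssl.create_default_context()
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return False  # TLS 1.2 handshake succeeded: 1.3 not enforced
    except (ssl.SSLError, ConnectionResetError):
        # Handshake failure or reset after ClientHello: the server rejected 1.2.
        return True


if __name__ == "__main__":
    # Constructed sample headers: one eligible, one that falls short.
    samples = {
        "good": "max-age=63072000; includeSubDomains; preload",
        "weak": "max-age=300",
    }
    for label, value in samples.items():
        print(label, check_preload_eligibility(value) or "preload-eligible")
    if len(sys.argv) > 1:
        host = sys.argv[1]
        print(host, "enforces TLS 1.3:", tls12_rejected(host))
```

Run it with no arguments to see the offline checks, or pass a hostname to add the live TLS 1.2 rejection probe. The parser is deliberately lenient about whitespace and directive case, matching how browsers read the header.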

2. EU data residency

Application database and primary storage live in the Frankfurt EU region. Website hosting is delivered from EU edge regions. Email infrastructure runs on Google Workspace under EU Standard Contractual Clauses where US-based components are involved. We do not move customer data outside the EEA without explicit instruction.

3. Access controls

  • Single sign-on via Google Workspace for all internal tools where supported
  • Mandatory two-factor authentication on every account that touches client data
  • Least-privilege access and just-in-time elevation for production systems
  • Quarterly access review with revocation of dormant accounts

4. Incident response

We commit to a 24-hour notification window from confirmed incident to written notice for clients whose data is affected. Notice includes the nature of the incident, categories of data affected, likely consequences, and the measures taken or proposed. Post-incident reviews are written within 14 days and shared with affected clients.

5. Compliance status

We publish current state, not aspiration:

  • GDPR: live. Our policy is published, sub-processors are listed, DPA is on offer, and data subject rights are honoured within statutory deadlines.
  • SOC 2 Type I: in progress. Targeted for completion in line with revenue scale that justifies the audit cost.
  • ISO 27001: planned. We are implementing the control set and will certify when the company size justifies it.
  • ISO 42001 (AI management): control set in implementation. Used as our internal AI governance baseline today.
  • EU AI Act: actively tracking. We classify every system we ship against the risk tiers and keep the conformity documentation that the regulation requires for high-risk systems.
  • HIPAA: not currently offered. We can scope BAA-equivalent arrangements case by case.

6. Sub-processors

Sub-processor    | Purpose                                      | Region                                 | Vendor posture
-----------------|----------------------------------------------|----------------------------------------|-----------------------------------------------
Vercel Inc.      | Website hosting and edge delivery            | EU edge regions                        | SOC 2 Type II, ISO 27001
Supabase         | Postgres database for intake submissions     | EU (Frankfurt)                         | SOC 2 Type II, HIPAA-eligible plan available
Google Workspace | Email and document storage for the controller| EU multi-region                        | ISO 27001, ISO 27017, ISO 27018, SOC 2/3
Resend           | Transactional email delivery                 | EU                                     | SOC 2 Type II in progress
Cloudflare       | DNS and edge security (when enabled)         | Global anycast, EU-prioritised routing | SOC 2 Type II, ISO 27001

7. Penetration testing

A formal annual third-party penetration test is planned once recurring revenue justifies the cost. In the interim we run automated dependency scanning on every push, weekly OWASP ZAP runs against staging, and an internal review checklist before any production change.

8. Vulnerability disclosure

If you believe you have found a security issue, email justas@ainora.lt with the subject line "Security disclosure". We acknowledge within 48 hours and provide a remediation timeline within 7 days for confirmed issues. We do not yet operate a paid bug-bounty programme, but we credit researchers in writing where appropriate.

9. Business continuity

The application database is backed up daily with point-in-time recovery for 7 days. Code is version-controlled in GitHub with replicated mirrors. Email and document storage rely on Google Workspace continuity. We test restore procedures quarterly.

10. Contact

For security questions or to request our most recent posture document: justas@ainora.lt.