ISO 27001 certification in progress. Information Security Management System aligned with the international standard.
Built for the customers who can't afford to get this wrong.
Deepinfo serves defense, finance, government, and other sectors where vendor security failures aren't an option. Our own security posture, certifications, sub-processors, and data handling practices are documented here. Anything you need that isn't on this page is one email away.
Audited, aligned, verifiable.
Deepinfo aligns to the standards that enterprise security teams expect. Where formal certification applies, we hold it. Where alignment is to a framework rather than a certification, we say so plainly.
ISO 27017 in progress. Cloud security controls extension to ISO 27001.
ISO 27018 in progress. Personal data protection in public clouds.
SOC 2 Type II audit in progress. Annual audit of controls for security, availability, and confidentiality.
GDPR compliant. EU personal data protection. Data subject rights honored; privacy program operated to GDPR standards.
KVKK compliant. Türkiye personal data protection law, with a documented DPO function.
HIPAA-alignment work underway. Controls being scoped against the HIPAA security and privacy rules.
PCI DSS work in progress. Controls being scoped for handling payment-card-adjacent data flows.
Attestation letters and reports available on request to [email protected].
If you've found a security issue with our infrastructure, tell us.
We welcome security researcher findings on Deepinfo's external infrastructure, the platform, and our public-facing services. We commit to acknowledge reports promptly, work in good faith on validation and resolution, and credit researchers in disclosed advisories where appropriate.
Email: [email protected]
PGP key: Available at [email protected] (request via initial outreach if needed for sensitive disclosures).
Coordinated disclosure timeline: We aim to acknowledge reports within 2 business days, validate within 7 business days for routine findings, and coordinate disclosure timelines with the researcher. Standard expectation is 90 days from acknowledgment to public disclosure for routine findings; critical findings may warrant accelerated handling.
Out of scope: Customer environments and customer-discovered findings are out of scope for this disclosure surface. Issues with customer environments should be reported through the customer's own security team.
How we think about security.
01. We dogfood our own platform.
Deepinfo's external attack surface is monitored continuously by Deepinfo. Every alert that hits a customer also hits us.
02. Least privilege by default.
Customer data access is need-to-know and access-logged. Engineers don't have ambient production access; access is brokered through audit-trailed mechanisms.
03. Encryption everywhere.
TLS in transit (modern ciphers, no legacy). AES-256 at rest. Customer-controlled encryption keys for tenants that require it.
04. Continuous security testing.
External penetration testing annually. Internal continuous testing of new and changed code.
Who we entrust with your data.
Deepinfo uses a small set of vetted sub-processors for hosting, monitoring, and supporting infrastructure. Each is contractually obligated to handle customer data to the same standards we hold internally. The current sub-processor list is reviewed annually.
New sub-processors are subject to review. Customers can subscribe to sub-processor change notifications by emailing [email protected].
What we store, for how long.
Customer-defined assets and the data we discover while monitoring them. Configuration, user accounts, audit logs, integration metadata. We do not store customer-uploaded sensitive PII unless it is explicitly part of a customer's monitoring scope (e.g., breached credentials they want monitored).
Customer data is primarily stored in US-based infrastructure. EU-based infrastructure is available on request for EU customers, with additional regional capacity in Türkiye and Qatar for region-specific deployments.
Active customer data is retained for the life of the contract plus 30 days post-termination for export. Audit logs are retained per regulatory requirement (typically 12 months). Backups are retained for 90 days. Full deletion on request.
Have a specific security question?
SOC 2 Type II report, ISO 27001 certificate, sub-processor list, security questionnaire (CAIQ / SIG / VSA, pick your format), and any other documentation your team needs are available on request. Most are sent under NDA within one business day.