Security is foundational to how we build and operate Sigma5C. This page describes the security practices, controls, and compliance posture that protect our platform, your data, and the integrity of our services.
Report a vulnerability: If you discover a security issue, please contact security@sigma5c.com. We take all reports seriously and will respond within 48 hours.
1. Infrastructure Security
Network Architecture
- All public-facing services are served over HTTPS with TLS 1.2+ enforcement
- Internal cluster communication is encrypted via VPN overlay networks
- Database and cache services are bound to localhost or private networks only; they are not accessible from the public internet
- Web application firewall (ModSecurity with OWASP Core Rule Set) protects public endpoints
- Security headers enforced: HSTS, X-Content-Type-Options, X-Frame-Options, Content-Security-Policy, Referrer-Policy
Server Hardening
- Firewall rules restrict access to authorized ports and services only
- SSH access requires key-based authentication; password authentication is disabled
- Operating systems and dependencies receive regular security updates
- No services run with root privileges unless strictly required
2. Authentication and Access Control
User Authentication
- Passwords hashed with Argon2id (memory-hard, side-channel resistant)
- Two-factor authentication (TOTP-based 2FA) available for all accounts
- Progressive account lockout after failed login attempts
- Session tokens are cryptographically random (256-bit entropy)
API Key Security
- API keys are hashed using HMAC-SHA256 before storage; plaintext keys are never persisted
- Keys can be rotated or revoked instantly through the dashboard
- Per-key rate limiting and usage tracking
- Keys are scoped to specific permission levels
Role-Based Access Control (RBAC)
Access to platform features and administrative functions is controlled through defined roles:
| Role | Scope |
| --- | --- |
| User | Own account, own data, own API keys |
| Content Admin | CMS and content management |
| Customer Admin | Organization member management |
| Super Admin | Full platform administration |
All role assignments and changes are recorded in an immutable audit log.
3. Data Protection
Encryption
| Layer | Method |
| --- | --- |
| Data in transit | TLS 1.2+ (HTTPS enforced for all connections) |
| Data at rest | Encrypted storage volumes |
| Passwords | Argon2id hashing (not reversible) |
| API keys | HMAC-SHA256 (not reversible) |
| Session tokens | 256-bit cryptographic random generation |
Secrets Management
- Production secrets (database credentials, API keys, signing keys) are managed through HashiCorp Vault with AppRole authentication
- Secrets are not stored in source code or version control; environment variables are used only for Vault bootstrap configuration
- Vault operates in a high-availability cluster configuration with automatic failover
- Access to secrets is scoped by service and role; no service has access to secrets it does not need
AI Data Handling
We do not train AI models on your data. Customer prompts and data submitted to AI features are processed transiently to generate responses. They are not stored for training purposes and are not shared with AI model providers for their training. See our Privacy Policy for retention details.
4. Application Security
- Input validation: All user inputs are validated and sanitized server-side using Pydantic v2 schemas
- SQL injection prevention: Parameterized queries are used for all database operations; no raw SQL with user input
- CSRF protection: Cross-site request forgery tokens are required for all state-changing operations
- XSS prevention: Content Security Policy headers and output encoding prevent cross-site scripting
- Rate limiting: Applied at the API gateway level to prevent abuse and denial-of-service
- Dependency scanning: Automated checks for known vulnerabilities in dependencies via CI pipeline
- Code review: All code changes undergo review before deployment
5. Monitoring and Incident Response
- Audit logging: Administrative actions, authentication events, data access, and security-relevant events are logged with timestamps, actor identity, and action details
- Health monitoring: Automated health checks run at 30-second intervals across all services
- Alerting: Anomaly detection triggers alerts for unusual authentication patterns, elevated error rates, or infrastructure issues
- Incident response: Defined procedures for identification, containment, eradication, recovery, and post-incident review
- Breach notification: In the event of a data breach involving Personal Information, affected users and relevant authorities will be notified within the timeframes required by applicable law (72 hours under GDPR)
6. Compliance and Certifications
Current Compliance Posture
| Framework | Status |
| --- | --- |
| SOC 2 Type II | Controls implemented (CC6 Logical Access fully mapped); formal audit planned |
| GDPR | Compliant: data subject rights (export, deletion), consent audit trail, DPAs with primary processors |
| CCPA / US State Privacy | Compliant: we do not sell personal information; deletion rights supported |
| PCI DSS | Payment processing delegated to Stripe (PCI Level 1 certified); no credit card data touches our servers |
Data Processing Agreements
We maintain executed DPAs with our primary data processors:
- Stripe: Payment processing (DPA executed November 2025)
- Brevo: Email services (DPA via Terms of Service Appendix 3)
- Microsoft 365: Email infrastructure (DPA via M365 subscription)
A complete list of sub-processors and their compliance status is available on our Third-Party Providers page.
7. Business Continuity
- Backups: Automated daily backups retained for 30 days on a rolling basis
- Redundancy: Multi-server infrastructure with failover capability
- Disaster recovery: Documented recovery procedures with defined recovery time and recovery point objectives
8. Security Practices for Customers
We recommend the following practices for your account security:
- Enable two-factor authentication (2FA) on your account
- Use strong, unique passwords and rotate them periodically
- Keep API keys confidential; never commit them to source code repositories
- Rotate API keys regularly, especially after team member departures
- Monitor your API usage dashboard for unexpected activity
- Use the minimum permission level required for each API key
9. Enterprise Security
Enterprise customers may require additional security assurances. We support:
- Custom security questionnaire responses
- Security architecture documentation
- Custom SLA agreements with uptime guarantees
- Dedicated infrastructure options for data isolation
- On-premises deployment options (data never leaves your infrastructure)
For enterprise security inquiries, contact security@sigma5c.com.
10. Contact
Security Team: security@sigma5c.com
Privacy Team: privacy@sigma5c.com
General Inquiries: info@sigma5c.com