Security posture, plainly stated.
Certifications, encryption practices, sub-processor table, and how to reach us if you find a vulnerability. No marketing language — the actual state.
Where we stand today.
SOC 2 Type I
Controls designed and documented. Readiness assessment with external auditor in progress.
SOC 2 Type II
12-month audit period begins Q4 2026. Report shared under NDA with $100K+ ACV customers.
ISO 27001
ISMS scoping underway. Certification target is Q2 2027 following SOC 2 Type II completion.
Encryption
| Layer | What | Detail |
|---|---|---|
| Data in transit | TLS 1.3 | All API endpoints. TLS 1.2 min for compatibility. TLS 1.0/1.1 rejected. |
| Data at rest | AES-256-GCM | Block storage and object storage encrypted at rest. Key rotation annual. |
| Customer-managed keys | CMEK via KMS | Available on Dedicated Deployments. Bring your own AWS KMS or GCP KMS key ARN. |
| Secrets | Vault + envelope encryption | API keys, tokens, and credentials managed in HashiCorp Vault. Dynamic secrets for DB access. |
Sub-processor table
All sub-processors handling customer data. We notify customers 30 days before adding a new sub-processor. Customers with active DPAs may object within that window.
| Sub-processor | Service | Region | Data accessed |
|---|---|---|---|
| Equinix | Colocation · bare-metal hosting | us / eu / in | Inference traffic (encrypted in transit). No plaintext access. |
| Cloudflare | DDoS · CDN · DNS | global | Request metadata (IP, headers). Payload not decrypted at edge. |
| AWS | Object storage (S3) · secrets (KMS) | us-east-1 / eu-central-1 / ap-south-1 | Fine-tuning datasets (encrypted). Audit log archives. KMS key operations. |
| Stripe | Payment processing | us | Billing name, email, card metadata. No prompt or inference data. |
| Postmark | Transactional email | us | Account email address. Notification content (usage alerts, invoices). |
| ClickHouse Cloud | Usage analytics | us / eu | Aggregated usage metrics. No prompt content. Tenant-isolated schema. |
Security contact
Report vulnerabilities to security@clusterbid.eu. We acknowledge within 24 hours and target 90-day disclosure. We do not pay bounties currently; that changes with our SOC 2 Type II completion.