Security

Security posture, plainly stated.

Certifications, encryption practices, sub-processor table, and how to reach us if you find a vulnerability. No marketing language — the actual state.

// certifications and attestations

Where we stand today.

soc 2 type i

SOC 2 Type I

Readiness assessment · target Q3 2026

Controls designed and documented. Readiness assessment with external auditor in progress.

soc 2 type ii

SOC 2 Type II

Audit period · Q4 2026

12-month audit period begins Q4 2026. Report shared under NDA with $100K+ ACV customers.

iso 27001

ISO 27001

Roadmap · 2027

ISMS scoping underway. Certification target is Q2 2027 following SOC 2 Type II completion.

Encryption

LayerWhatDetail
Data in transitTLS 1.3All API endpoints. TLS 1.2 min for compatibility. TLS 1.0/1.1 rejected.
Data at restAES-256-GCMBlock storage and object storage encrypted at rest. Key rotation annual.
Customer-managed keysCMEK via KMSAvailable on Dedicated Deployments. Bring your own AWS KMS or GCP KMS key ARN.
SecretsVault + envelope encryptionAPI keys, tokens, and credentials managed in HashiCorp Vault. Dynamic secrets for DB access.

Sub-processor table

All sub-processors handling customer data. We notify customers 30 days before adding a new sub-processor. Customers with active DPAs may object within that window.

Sub-processorServiceRegionData accessed
EquinixColocation · bare-metal hostingus / eu / inInference traffic (encrypted in transit). No plaintext access.
CloudflareDDoS · CDN · DNSglobalRequest metadata (IP, headers). Payload not decrypted at edge.
AWSObject storage (S3) · secrets (KMS)us-east-1 / eu-central-1 / ap-south-1Fine-tuning datasets (encrypted). Audit log archives. KMS key operations.
StripePayment processingusBilling name, email, card metadata. No prompt or inference data.
PostmarkTransactional emailusAccount email address. Notification content (usage alerts, invoices).
ClickHouse CloudUsage analyticsus / euAggregated usage metrics. No prompt content. Tenant-isolated schema.
security contact

Security contact

Report vulnerabilities to security@clusterbid.eu. We acknowledge within 24 hours and target 90-day disclosure. We do not pay bounties currently; that changes with our SOC 2 Type II completion.