> ## Documentation Index
> Fetch the complete documentation index at: https://docs.cysmiq.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Trust & Security

> Cysmiq's security practices, compliance certifications, and data protection.

## Overview

Cysmiq is committed to security and compliance. This page outlines our certifications, security practices, and data protection measures.

## Compliance certifications

| Certification | Status      | Timeline           |
| ------------- | ----------- | ------------------ |
| SOC 2 Type II | In progress | Target: April 2026 |
| ISO 27001     | In progress | Target: March 2026 |

A letter of intent from our auditor partner is available on request. Contact [support@cysmiq.com](mailto:support@cysmiq.com) for details.

## Trust portal

Our trust portal (coming soon) will provide:

* Real-time compliance status
* Security documentation
* Penetration test summaries
* Subprocessor list
* Data processing agreements

## Data isolation

Cysmiq uses a multi-tenant architecture with complete data isolation between workspaces:

* **Separate databases**: each workspace has its own database
* **No data sharing**: data never crosses workspace boundaries
* **Encryption at rest**: all data encrypted using AES-256
* **Encryption in transit**: all connections use TLS 1.2+

This architecture supports strict compliance requirements for organizations handling sensitive data.

## Infrastructure security

* **Cloud hosting**: hosted on enterprise-grade cloud infrastructure
* **Access controls**: role-based access with principle of least privilege
* **Audit logging**: comprehensive logging of security-relevant events
* **Vulnerability management**: regular security scanning of our own infrastructure

## Application security

* **Secure development**: security built into our development lifecycle
* **Dependency scanning**: we use Cysmiq to scan our own dependencies
* **Code review**: all changes reviewed before deployment
* **Penetration testing**: regular third-party security assessments

## Data retention

* Vulnerability data retained while workspace is active
* Deleted workspaces are permanently removed after retention period
* Customers can request data export or deletion

## Incident response

In the event of a security incident:

1. Affected customers notified within 72 hours
2. Root cause analysis conducted
3. Remediation steps implemented
4. Post-incident report provided

## Contact

For security questions or to report a vulnerability:

* **Security team**: [security@cysmiq.com](mailto:security@cysmiq.com)
* **Support**: [support@cysmiq.com](mailto:support@cysmiq.com)

## Related docs

* [Workspaces](/concepts/workspaces): data isolation architecture
* [Self-hosting requirements](/self-hosting/requirements): for on-premise deployments
