Security Portal
Security reports, compliance artifacts, and policy documentation. Everything you need to evaluate Abundera's security posture.
Independent Validation
Third-party verification and independent security assessments.
Independent Pentest Report
CREST-accredited third-party penetration test. Human-led testing with full remediation report. Vendor selected, engagement planned Q2 2026.
View roadmap →
SOC 2 Type I Report
Independent audit of security controls against AICPA Trust Services Criteria. Available upon request when completed.
View roadmap →
Bug Bounty Program
Private managed bug bounty program for ongoing independent vulnerability discovery by security researchers.
View roadmap →
Security Testing Certificate
Continuous security verification enforced on every deployment: penetration testing, static audit, unit tests, and weekly OWASP ZAP DAST scans. Operational metrics included.
View certificate →
Management Assertion (Bridge Letter)
AICPA-format management representation covering control design and operating effectiveness for the period prior to SOC 2 Type I audit. Includes control-to-evidence index mapped to Trust Services Criteria.
Request assertion →
Cryptographic Data Protection
Encryption architecture, key management, and data deletion procedures.
Cryptographic Architecture
AES-GCM 256-bit encryption, SHA-256 hashing, EdDSA (Ed25519) JWT signing, HKDF per-user key derivation, hash-chained audit logs. Platform-native Web Crypto API with zero third-party crypto libraries.
View architecture →
Security Whitepaper
Comprehensive overview of Abundera's security architecture, authentication system, data protection, and compliance posture. 20+ pages.
Download PDF →
Data Retention & Deletion
Retention schedules for all data categories, cryptographic deletion procedures, and regulatory basis for retention periods.
Request details →
NIST SP 800-63 AAL Mapping
Formal mapping of Abundera's authentication architecture to NIST SP 800-63B Authenticator Assurance Levels. Per-tier AAL analysis with honest caveats on attestation status.
Request mapping →
Operational Governance
Access control, vendor management, and operational security procedures.
Access Control & Insider Risk
Production access model, quarterly access reviews across 8 systems, token scoping, and scaling plan for team growth.
View details →
Vendor Risk Management
6 sub-processors with SOC 2 Type II certifications, 8-point evaluation criteria, annual review cadence, and data flow transparency.
View details →
Incident Response Plan
P1-P4 severity classification, escalation procedures, notification timelines, and recovery playbooks. Full plan available under NDA.
Request full plan →
Advisory Board
Independent oversight: Infrastructure & Architecture Advisor (Jeff Moyer, Barbarians, Inc.) for cloud posture review. Fractional CISO engagement planned for SOC 2 readiness and ongoing security strategy.
Request details →
Business Continuity Plan
RPO 1 hour, RTO 2 hours for critical services. Recovery procedures, backup strategy, and drill schedule for all data stores. Tabletop exercises conducted semi-annually.
Request details →
On-Call Coverage Schedule
Coverage hours, on-call rotation, response SLAs by severity and time period. Automated 24/7 protection with alert-driven human response.
Request details →
Secure Infrastructure
Platform security, compliance status, and infrastructure hardening.
Compliance Status
Detailed assessments for 10 regulatory frameworks: MVSP, GLBA, GDPR, CCPA, HIPAA, PCI DSS, E-SIGN, DORA, EU AI Act, SOC 2.
View compliance →
WISP (Written Information Security Program)
Information security program aligned to GLBA Safeguards Rule (16 CFR 314). Covers risk assessment, access controls, and incident response.
Request details →
DPIA (Data Protection Impact Assessment)
GDPR-aligned assessment of data processing activities, risk analysis, and mitigation measures.
Request details →
Transparency & Accountability
Public reporting, disclosure policies, and data processing agreements.
Transparency Report
Security incidents, VDP submissions, data requests, security testing history, and dated security roadmap. Updated regularly.
View report →
Vulnerability Disclosure Policy
How to report security vulnerabilities, scope, guidelines, severity-based response SLAs, and safe harbor terms.
View policy →
Data Processing Agreement
Standard contractual clauses, sub-processor list, data handling obligations, and breach notification procedures.
View DPA →
Quarterly Security Report
Formal quarterly security metrics, control changes, risk register updates, access reviews, and vendor assessments with sign-off from Security Officer and Infrastructure Advisor.
Request template →
Request Access
For SOC 2 reports, full penetration test results, vendor questionnaire responses, or detailed compliance documentation, contact our security team.
security@abundera.ai