Trust Center

The record is the evidence. So is how we protect it.

Your inspection history is a defensible record. We hold it to the same standard: controls mapped to the SOC 2 Trust Services Criteria, data that stays where you put it, and access scoped to the job.

  • Encrypted in transit and at rest
  • Tenant isolation at the query layer
  • Append-only audit trail

Compliance status

Where our attestations stand, stated plainly.

We publish status, not claims. A framework is marked attested only when the report or certificate is in hand.

SOC 2 Type II

Security, Availability, Confidentiality

In progress

Independent examination of our controls over a continuous observation window.

5Trust Services CriteriaMapped to design
3Operational controlsIsolation / RBAC / audit

SOC 2 Trust Services Criteria

Five criteria. Mapped to how the platform actually works.

The criteria an independent auditor examines, and the design choice in intelliSPEC that answers each one.

01 / 05

Common Criteria

Security

Tenant data is isolated at the query layer, secrets live in a managed vault (never in code), and every build runs SAST and DAST in CI before it ships.

02 / 05

A-series

Availability

Offline-first by architecture: the field app keeps working without a network and syncs on reconnect, so an outage upstream never stops the inspection.

03 / 05

C-series

Confidentiality

Data is encrypted in transit and at rest. Access is scoped by role and segregation-of-duties, so people see only the records their job requires.

04 / 05

P-series

Privacy

We collect what the work requires and no more. Personal data is scoped by role, so people see only the records their job requires.

05 / 05

PI-series

Processing integrity

Every calculation cites the standard it was run to, and exports the path it took, so a result is checkable, repeatable, and defensible later.

Operational controls

Isolation, access, and a record that remembers.

The day-to-day controls that keep tenants separated, access scoped to the right people, and every change provable after the fact.

Tenant isolation

One tenant cannot read or reach another tenant's records. Isolation is enforced where the data is queried, not bolted on above it.

  • Multi-tenant isolation, enforced at the query layer
  • Managed key vault, no secrets in code
  • Static and dynamic security testing in every CI build

RBAC and least privilege

Access is granted by role, enforced by segregation-of-duties, and reviewed. People get the narrowest access their job needs.

  • Role-based access control across the platform
  • Segregation-of-duties rules on sensitive actions
  • Least-privilege defaults, access reviewed on a schedule

Audit trail and immutability

Who did what, when, and to which record: captured as an append-only history that the record assembles from, not an afterthought.

  • Append-only event history per record
  • User, timestamp, and action on every change
  • Exportable for audit as a single query

Responsible disclosure

Found something? Tell us. We will work it with you.

Security researchers are partners. Report a vulnerability in good faith and we will acknowledge it, investigate, and keep you posted through to a fix.

  • Report in good faith; give us reasonable time to remediate before any public disclosure.
  • Do not access, modify, or exfiltrate data that is not yours, and avoid privacy violations or service disruption.
  • We will not pursue good-faith research that follows this policy.

Disclosure channel

Send findings, with steps to reproduce, to our security inbox. Encrypt sensitive details if you can.

hello@intellispec.com

Security disclosures are routed through the monitored intelliSPEC contact path.

Answers

What a security team asks first.

How do you handle role-based access and segregation of duties?

Access is granted by role, defaults to least privilege, and is reviewed on a schedule. Segregation-of-duties rules gate sensitive actions, so the person who records a result is not the person who signs it off.

How is one tenant isolated from another?

Customer data is isolated at the query layer, so one tenant cannot read or reach another tenant's records. Secrets live in a managed vault, never in code, and every build runs SAST and DAST in CI before it ships.

What is your vulnerability disclosure process?

Security researchers can report findings in good faith to our monitored inbox. We acknowledge, investigate, and keep you posted through to a fix, and we will not pursue good-faith research that follows the policy above.

Where does your SOC 2 stand today?

SOC 2 Type II readiness is in progress. We publish status, not claims: nothing on this page is marked attested until the report is in hand.

What can you share for due diligence today?

Tell us what your security team needs to review and we will share our current attestation status and a controls overview. Start from the demo form or email our security team directly.

Due diligence, made easy

Put us through your security review.

Tell us what your security team needs to review. We will share our current attestation status and a controls overview.