Sifr Identity Governance
Security & Trust Center

Security reviews should get answers, not hand-waving.

This page is for security teams, IT leaders, and compliance reviewers evaluating Sifr. It explains what Sifr accesses, how it protects data, and what controls back the product's governance workflows.

Read-only where possible · Least privilege · Audit-oriented workflows

Reviewer focus areas

The three places most security teams want a direct answer.

Data handling

Sifr surfaces metadata needed for AI identity governance and does not require content-level access to the work your agents process.

Access model

Integrations are scoped to what the workflow needs. Ownership assignment, requests, and evidence generation are auditable within the product.

Compliance posture

Evidence packs, audit trails, and runtime governance activity are designed to support external review and internal control validation.

Section 01
Risk context

Why AI identity governance matters in practice.

The risk is not abstract. AI agents can end up with live credentials, external tool access, and business context long before ownership and review processes catch up.

Production access outlives review

Long-lived credentials and untracked AI identities can remain active after the original builder has moved on or left the company.

Ownership is often assumed

Teams frequently know an agent exists but cannot quickly answer who is accountable for it, what it can reach, or whether it has been reviewed.

Classic IAM tooling misses behavior

Traditional identity tools are not built to show runtime AI activity, prompt-driven workflows, or evidence tied directly to agent governance.

Section 02
Protection model

How Sifr protects customer environments and data.

The product is designed to minimize required access, preserve accountability, and make control state visible later through audits and evidence generation.

Least-privilege integrations

Sifr requests the narrowest viable access and uses read-only scopes where the workflow allows it.

Encrypted in transit and at rest

Customer data and metadata are protected during transfer and storage with standard modern encryption practices.

Auditable operations

Connector changes, ownership actions, request decisions, runtime activity, and report generation can be tied back to an audit trail.

Section 03
Compliance posture

Status, readiness, and supporting review materials.

Security reviewers usually want the current state, not marketing claims. This table keeps that simple and direct. Supporting reports and materials can be shared under mutual NDA during a security review.

Framework | Status | Notes
SOC 2 Type II | In Progress | Evidence-pack and control workflows are already productized. Formal reporting materials can be shared during review.
GDPR | Ready | DPA and privacy review materials can be provided during procurement and security review.
ISO 27001 | Planned | Control direction is aligned; certification timeline can be discussed during diligence.
Enterprise / regulated deployments | On Request | Security architecture review, questionnaires, and deployment discussions are available with the Sifr team.

Need a deeper review?

Talk to our security team directly.

For questionnaires, architecture walkthroughs, or reviewer follow-up, contact the Sifr team directly and we'll route it to the right person.

Last reviewed · April 2026