Identity and access data is among the most sensitive information in your organization. Here's exactly how Sifr AI protects it — and how we hold ourselves accountable.
Core controls protecting your identity data at every layer.
All stored data encrypted with AES-256. Encryption keys managed separately from data with automatic rotation. [✓ Active]
TLS 1.2+ enforced on all connections. HSTS headers set. No plain HTTP accepted anywhere in the stack. [✓ Active]
All admin access requires Auth0 SSO. MFA enforced for all team members with access to production systems. [✓ Active]
All write-back actions, login events, and configuration changes logged with actor, timestamp, and outcome. Tamper-evident. [✓ Active]
Internal team access scoped to job function. Sifr reads only the identity data necessary to perform governance analysis. [✓ Active]
Production environment isolated from development and staging. No shared credentials between environments. [✓ Active]
Third-party pen testing scheduled annually. Findings remediated before next release cycle. Results summarized on request. [In Progress]
Automated vulnerability scanning on all dependencies via GitHub Dependabot. Critical CVEs patched within 24 hours. [✓ Active]
How Sifr accesses and processes your identity data.
Where we are today and what we're actively working toward.
Formal audit in progress. We have implemented the controls required for Trust Service Criteria: Security, Availability, and Confidentiality. Report expected Q3 2026. [In Progress]
Data processing agreements (DPAs) available for EU customers. Data subject request workflows supported. EU-region hosting available. [✓ Available]
Information security management system (ISMS) policies documented and in effect. Formal ISO 27001 certification planned for 2027. [Planned 2027]
Sifr AI governs user access — it does not store or process Protected Health Information (PHI). BAA available for healthcare customers upon request. [✓ BAA Available]
Access review workflows, SoD violation detection, and audit trails are designed to support SOX Section 404 compliance evidence requirements. [✓ Controls in Place]
California Consumer Privacy Act data handling requirements supported. Personal data access, deletion, and opt-out requests honored within required timelines. [✓ Active]
How we think about the data you entrust to us.
Your identity data is used exclusively to provide IAM governance analysis. It is never sold, shared with third parties for marketing, or used to train AI models.
We only request the scopes required for governance analysis. If a feature doesn't need a field, we don't collect it. Permissions are reviewed quarterly.
Your data is fully isolated from other customers. No cross-tenant data access is possible by design. Each tenant's data is stored and processed separately.
AI risk scores are explainable — every recommendation includes the signals that drove it. The AI assistant is scoped to IAM topics only and does not access raw identity data during chat.
You can export all your data (audit logs, reviews, requests) at any time. On cancellation, all data is deleted within 30 days and a deletion receipt is provided.
In the event of a data breach affecting your organization, we will notify you within 72 hours in compliance with GDPR Article 33 and applicable state laws.
How Sifr's own team accesses systems and your data.
How we respond when something goes wrong — and our commitments to you.
Automated alerting via uptime monitoring and anomaly detection on access logs. On-call engineer notified within 5 minutes of detection.
Affected systems isolated. Credentials rotated. Customer access suspended if required to limit blast radius.
Affected customers notified within 72 hours with: incident description, data affected, steps taken, and remediation timeline. No vague "we take security seriously" communications.
Blameless post-mortem written within 5 business days. Root cause, contributing factors, and prevention measures documented and shared with affected customers on request.
Found a security vulnerability? We want to hear from you.
If you discover a security vulnerability in Sifr AI, please report it privately to security@sifrhq.com. We will acknowledge receipt within 24 hours, provide a timeline within 72 hours, and keep you informed throughout remediation.
We follow coordinated disclosure — we ask that you give us 90 days to remediate before public disclosure. We do not pursue legal action against good-faith security researchers. Significant findings may be eligible for recognition in our security acknowledgements.
Sifr fetches identity data from your IdP in real-time and caches it for a short TTL (5 minutes) to improve performance. Audit logs and access request history are stored persistently in your Sifr database. Raw identity records (users, roles) are not permanently copied — they are refreshed from source on each analysis run.
No. Your identity data is never used to train AI models — ours or OpenAI's. Sifr sends anonymized aggregated statistics (user counts, role counts) as context to the AI assistant, not individual records. We have a zero-training data policy for all customer data.
Upon cancellation, your data is deleted within 30 days of account closure. You will receive a deletion confirmation. You can also request immediate deletion at any time by emailing privacy@sifrhq.com.
Yes. For Enterprise customers, we complete standard vendor security questionnaires. Contact enterprise@sifrhq.com with your questionnaire and we'll return it within 5 business days.
Yes. Sifr AI governs access to systems — it does not store or process Protected Health Information. A BAA is available for healthcare organizations requiring it as part of their vendor due diligence. Request one at legal@sifrhq.com.
Sifr AI is hosted on Railway, which runs on AWS infrastructure. Our default deployment is in the US East region. EU-region hosting (AWS eu-west-1) is available for European customers with data residency requirements.