Skip to content

Security, compliance, and privacy in one place.

Your training logs contain your IP, your proprietary model architectures, and your training data. We treat them that way. Below is everything procurement, security, and IT need to evaluate Denpex. Request any document under NDA. We typically respond within one business day.

Compliance status

SOC 2 Type II
Planned

SOC 2 Type II planned. Our controls are mapped to the 2017 Trust Services Criteria (below); we'll publish the report once the examination completes.

GDPR DPA
Available

Standard DPA countersigned via DocuSign, typically same-day. EU SCCs included for international transfers.

HIPAA BAA
Available on Data Center

BAA available for healthcare and life-sciences customers on Data Center. Configurable PHI masking rules enforced by the agent.

Penetration test
Planned

Independent third-party penetration testing planned. We'll publish an executive summary once it's complete.

CAIQ v4
Available

Consensus Assessments Initiative Questionnaire v4 completed and available on this page.

Sub-processor list
Published

Live list below. Sub-processor changes are announced 30 days in advance via email and the changelog RSS.

Data flow

A single diagram, end to end. Logs leave your cluster only after masking runs client-side, and on Scale+ the diagnosis engine runs inside your VPC.

01
Your cluster
Training job runs on PyTorch / DeepSpeed / FSDP / Megatron. The Denpex agent wraps the training command and heartbeats every 30 s.
02
Local masking
Client-side PII/PHI masking runs on every line before it leaves the node. Configurable patterns (SSN, emails, MRNs, custom).
03
TLS 1.3 transport
Masked lines shipped over TLS 1.3 to the Denpex control plane. We do not ship raw training data, weights, or model code.
04
Diagnosis engine
Deterministic pattern engine (3500+ classes) + AI fallback for novel errors. Output: root cause, classification, exact fix, resume checkpoint.
05
Artifact store
Anonymized failure signature + fix stored. Raw logs are NOT retained on Free/Team. Scale+ can run entirely in-VPC.
06
Alert fan-out
Diagnosis + fix delivered to Slack, PagerDuty, SMS, iMessage, webhook, or email based on ownership and severity.
Encryption in transit
TLS 1.3 between agent and control plane, between control plane and alert channels.
Encryption at rest
AES-256 in D1, R2, and KV. Customer-managed keys (BYOK) on Data Center.
Data minimization
Free/Team: raw logs deleted after diagnosis. Scale+: in-VPC option with no egress.

Shared responsibility

What's our job and what's yours. Standard cloud model, called out plainly.

Account / SSO / user provisioning
OAuth (Google, Discord, GitHub, Microsoft), email/password
Provision/deprovision users in your IdP; rotate credentials
Encryption in transit
TLS 1.3 on all endpoints
No action required
Encryption at rest
AES-256 (Cloudflare D1, R2, KV). BYOK on Data Center.
Manage your KMS keys (Data Center only)
Agent install
Single-file, stdlib-only Python agent
Cluster access to run the agent; outbound 443 to api.denpex.com
PII / PHI masking
Default patterns for emails, SSNs, MRNs, credit cards. Custom rules supported.
Define organization-specific patterns; review masked samples
Log retention
Free/Team: deleted after diagnosis. Scale+: in-VPC (no log egress).
Set retention policy; honor right-to-delete requests
Backups & DR
Nightly, 30-day retention. DR runbook tested annually. RTO 4h / RPO 1h.
No action required
Network access controls
Cloudflare WAF, rate limiting, bot management
Allowlist api.denpex.com on egress; mTLS on Data Center
Audit logs
Billing, team, and admin actions. 30-day hot / 1-year cold retention.
Export to your SIEM (Splunk/Datadog/Panther) on request
Incident response
24/7 P1 for Data Center; status page at denpex.com/status
Designated security contact; coordinate disclosure windows
Vulnerability management
Independent penetration testing planned; responsible disclosure program; quarterly dependency review
Report suspected issues to security@denpex.com
Compliance
SOC 2 Type II (in progress), GDPR DPA, HIPAA BAA on Data Center, EU data residency on Data Center
Maintain your own compliance posture; honor sub-processor change notices

SOC 2 controls in place

The control set we map to the 2017 Trust Services Criteria.

CC1Code of Conduct & Governance

Information security policies reviewed annually. Security officer: security@denpex.com.

CC2Communication & Information

Internal Slack, GitHub, 1Password, Google Workspace. Quarterly access review.

CC3Risk Assessment

Annual risk register; reviewed quarterly by leadership. Vendor risk assessed at onboarding and yearly thereafter.

CC4Monitoring

Cloudflare Workers logs with Logpush to R2 (30-day retention), D1 audit trail for billing and team changes, Sentry for frontend errors. Real-time tail for critical failures; daily error digest to team Slack.

CC5Control Activities

Change management via GitHub PRs with required reviews; deploys via CI; rollback within 60 seconds.

CC6Logical & Physical Access

SSO enforced; MFA required for all production access. Production data is accessible only via short-lived, audited credentials.

CC7System Operations

Backups nightly, 30-day retention. DR runbook tested annually. RTO 4h / RPO 1h for control-plane data.

CC8Change Management

All production changes go through a PR with at least one reviewer; CI runs lint, typecheck, and unit tests on every commit.

CC9Risk Mitigation

Vendor security reviews at procurement.

A1Availability

Our live status page is at denpex.com/status.

C1Confidentiality

Logs deleted after diagnosis on Free/Team; in-VPC agent option on Scale+; AES-256 at rest, TLS 1.3 in transit.

P1-P8Privacy (GDPR)

DPA on request. Data subject access & deletion requests honored within 30 days. Sub-processor list below.

Sub-processors

Every third party that processes customer data on Denpex's behalf. We give 30 days' notice of changes via email and our changelog RSS.

Cloudflare
Hosting, edge network, KV, D1, Workers, R2
Global edge (data stored in your selected region)
SOC 2 Type II, ISO 27001, PCI DSS
Stripe
Payment processing and subscription management
US, EU (by customer selection)
PCI DSS Level 1, SOC 2 Type II, ISO 27001
SendGrid (Twilio)
Transactional email (signups, alerts, contact replies)
US, EU (region selectable)
SOC 2 Type II, ISO 27001, HIPAA-eligible
LLMZONE / LLM Provider
AI-powered log analysis and failure diagnosis (training logs may contain hostnames, paths, and environment details)
US, EU (provider-dependent)
SOC 2 Type II (provider-dependent)
PostHog
Product analytics (opt-in via cookie consent)
US, EU
SOC 2 Type II
GitHub
Source code hosting, CI/CD, issue tracking
US (data in your selected region)
SOC 2 Type II, ISO 27001
Slack (optional)
Alert delivery when customer configures Slack as a channel
US
SOC 2 Type II, ISO 27001, FedRAMP Moderate
PagerDuty (optional)
Incident routing when customer configures PagerDuty as a channel
US, EU
SOC 2 Type II, ISO 27001, HIPAA
Twilio (optional)
SMS / iMessage alert delivery when customer configures it
US, EU
SOC 2 Type II, ISO 27001, HIPAA-eligible
Certifications listed are each sub-processor's own attestations (vendor-attested), not Denpex certifications.
We give 30 days' notice before adding a new sub-processor via email and the changelog RSS feed. Customers may object in writing; if we cannot resolve the concern you may terminate the affected services for a pro-rated refund.

Responsible disclosure

Found a vulnerability? Please email security@denpex.com with reproduction details. We acknowledge within one business day and aim to ship a fix within 30 days for valid issues.

Security contact & policy: /.well-known/security.txt

Request a document

Tell us which document you need and we'll send it under NDA, signed electronically.

We respond within one business day. Documents are sent under NDA via DocuSign.