Security, compliance, and privacy in one place.
Your training logs contain your IP, your proprietary model architectures, and your training data. We treat them that way. Below is everything procurement, security, and IT need to evaluate Denpex. Request any document under NDA. We typically respond within one business day.
Compliance status
SOC 2 Type II planned. Our controls are mapped to the 2017 Trust Services Criteria (below); we'll publish the report once the examination completes.
Standard DPA countersigned via DocuSign, typically same-day. EU SCCs included for international transfers.
BAA available for healthcare and life-sciences customers on Data Center. Configurable PHI masking rules enforced by the agent.
Independent third-party penetration testing planned. We'll publish an executive summary once it's complete.
Consensus Assessments Initiative Questionnaire v4 completed and available on this page.
Live list below. Sub-processor changes are announced 30 days in advance via email and the changelog RSS.
Data flow
A single diagram, end to end. Logs leave your cluster only after masking runs client-side, and on Scale+ the diagnosis engine runs inside your VPC.
Shared responsibility
What's our job and what's yours. Standard cloud model, called out plainly.
SOC 2 controls in place
The control set we map to the 2017 Trust Services Criteria.
Information security policies reviewed annually. Security officer: security@denpex.com.
Internal Slack, GitHub, 1Password, Google Workspace. Quarterly access review.
Annual risk register; reviewed quarterly by leadership. Vendor risk assessed at onboarding and yearly thereafter.
Cloudflare Workers logs with Logpush to R2 (30-day retention), D1 audit trail for billing and team changes, Sentry for frontend errors. Real-time tail for critical failures; daily error digest to team Slack.
Change management via GitHub PRs with required reviews; deploys via CI; rollback within 60 seconds.
SSO enforced; MFA required for all production access. Production data is accessible only via short-lived, audited credentials.
Backups nightly, 30-day retention. DR runbook tested annually. RTO 4h / RPO 1h for control-plane data.
All production changes go through a PR with at least one reviewer; CI runs lint, typecheck, and unit tests on every commit.
Vendor security reviews at procurement.
Our live status page is at denpex.com/status.
Logs deleted after diagnosis on Free/Team; in-VPC agent option on Scale+; AES-256 at rest, TLS 1.3 in transit.
DPA on request. Data subject access & deletion requests honored within 30 days. Sub-processor list below.
Sub-processors
Every third party that processes customer data on Denpex's behalf. We give 30 days' notice of changes via email and our changelog RSS.
Responsible disclosure
Found a vulnerability? Please email security@denpex.com with reproduction details. We acknowledge within one business day and aim to ship a fix within 30 days for valid issues.
Security contact & policy: /.well-known/security.txt
Request a document
Tell us which document you need and we'll send it under NDA, signed electronically.