Security isn't a feature at Somedge — it's how we engineer every system. This page outlines our security practices, compliance posture, and data handling policies.

Our Security Philosophy

Every system we build assumes breach. Zero-trust architecture isn't optional — it's foundational. We design for minimum blast radius, continuous verification, and least-privilege access.

🔐 Assume Breach

We design systems assuming attackers are already inside. Network segmentation, least-privilege access, and continuous monitoring minimize damage if defenses fail.

🛡️ Defense in Depth

Multiple layers of security controls ensure no single point of failure. If one layer is compromised, others remain intact.

📊 Measurable Security

Security metrics tracked and reported: mean time to detect (MTTD), mean time to respond (MTTR), patch coverage, and audit findings.

Security Practices

Zero-Trust Architecture

We implement identity-centric security with no implicit trust based on network location.

Identity Verification

  • Multi-factor authentication (MFA) required
  • Hardware security keys (YubiKey) for privileged access
  • Continuous identity verification
  • Device posture checks before access

Least-Privilege Access

  • Role-based access control (RBAC)
  • Just-in-time (JIT) access elevation
  • Dynamic credentials with 1-hour TTL
  • No long-lived secrets or API keys

Network Segmentation

  • Micro-segmentation of workloads
  • Service mesh with mutual TLS (mTLS)
  • Network policies enforce least-privilege
  • East-west traffic encrypted & monitored

Data Protection

Encryption Standards

  • In Transit: TLS 1.3 with perfect forward secrecy
  • At Rest: AES-256 encryption for all data stores
  • Database: Transparent data encryption (TDE) enabled
  • Backups: Encrypted with separate key management
  • Key Management: Hardware security modules (HSMs) for root keys

Data Classification

  • Public: Marketing materials, public documentation
  • Internal: Internal processes, non-sensitive data
  • Confidential: Business data, source code, credentials
  • Restricted: Customer PII, PHI, payment data

Each classification has specific handling requirements, access controls, and retention policies.

Secure Development Lifecycle

Code Security

  • Static analysis (SAST) in CI pipeline
  • Dependency vulnerability scanning (SCA)
  • Secret scanning (no hardcoded credentials)
  • Code review required before merge

Application Security

  • OWASP Top 10 testing
  • Dynamic application security testing (DAST)
  • Penetration testing (quarterly)
  • Bug bounty program for responsible disclosure

Infrastructure Security

  • Infrastructure as Code (IaC) scanning
  • Container image scanning
  • Kubernetes security policies
  • CIS benchmarks compliance

Monitoring & Detection

Continuous monitoring across all layers with automated alerting and response.

Real-Time Monitoring

  • SIEM (Security Information and Event Management)
  • Centralized log aggregation & analysis
  • Anomaly detection using machine learning
  • User behavior analytics (UBA)
  • File integrity monitoring (FIM)

Incident Response

  • 24/7 security operations center (SOC)
  • Mean time to detect (MTTD): < 15 minutes
  • Automated response playbooks
  • Incident commander on-call rotation
  • Post-incident reviews & lessons learned

Compliance & Certifications

We maintain compliance with industry standards and help clients achieve their compliance goals.

SOC 2 Type II

Currently in the audit process for SOC 2 Type II compliance. Expected completion: Q3 2026.

Controls covered: Security, Availability, Processing Integrity, Confidentiality

HIPAA Compliance

HIPAA-compliant infrastructure and processes for healthcare clients. BAA (Business Associate Agreement) available.

Covered: PHI encryption, audit logging, access controls, breach notification procedures

PCI-DSS Ready

PCI-DSS Level 1 compliant infrastructure for payment processing clients.

Covered: Cardholder data encryption, network segmentation, vulnerability management

GDPR Compliant

GDPR-compliant data handling for EU customers. Data residency in EU regions available.

Covered: Data subject rights, consent management, data portability, right to erasure

ISO 27001 Alignment

Information security management aligned with ISO 27001 standards. Certification planned for 2027.

Covered: Risk management, asset management, access control, cryptography

Cloud Certifications

AWS Advanced Consulting Partner, Azure Expert MSP, Google Cloud Partner.

Team holds: AWS Security Specialty, Azure Security Engineer, GCP Security Professional

Privacy & Data Handling

What Data We Collect

Website Visitors

  • Analytics: Page views, referrers, device type (anonymized)
  • No Cookies: We don't use tracking cookies or third-party analytics
  • Server Logs: IP addresses (retained 90 days for security)

Contact Form Submissions

  • Name, email, company name, message content
  • Timestamp and IP address (for spam prevention)
  • Retention: 3 years or until deletion requested
  • Purpose: Responding to inquiries only

How We Use Your Data

  • Communication: Responding to your inquiries, providing quotes, and following up on projects
  • Service Delivery: If you engage our services, data is used to deliver contracted work
  • Security: Detecting fraud, preventing abuse, and investigating security incidents
  • Legal Compliance: Meeting legal obligations (tax, audit, law enforcement requests)

We never:

  • Sell your data to third parties
  • Share your data for marketing purposes
  • Use your data for AI training (unless explicitly contracted for that purpose)
  • Retain data longer than necessary

Your Rights

You have the following rights regarding your data:

Access

Request a copy of all data we have about you. We'll provide it in a machine-readable format within 30 days.

Correction

Request correction of inaccurate data. We'll update records within 7 business days.

Deletion

Request deletion of your data. We'll permanently delete within 30 days (except where legal retention applies).

Portability

Receive your data in CSV or JSON format for transfer to another service.

Objection

Object to processing for specific purposes. We'll stop unless legal grounds require continuation.

Restrict Processing

Limit how we use your data while disputes are resolved.

To exercise any of these rights, email privacy@somedge.com with your request.

Subprocessors & Third Parties

We use a minimal set of carefully vetted third-party services. All subprocessors are SOC 2 or ISO 27001 compliant.

Service           Purpose                 Data Shared                  Location
AWS               Cloud hosting           Form submissions, logs       US, EU (selectable)
Cloudflare        CDN & DDoS protection   IP addresses, HTTP headers   Global
Google Workspace  Email communication     Contact form emails          US

We'll notify you 30 days in advance if we add new subprocessors that handle your data.

Security Incidents & Breach Notification

In the unlikely event of a data breach affecting your information:

  1. Detection: Automated monitoring detects anomalies within minutes
  2. Containment: Affected systems isolated immediately
  3. Assessment: Forensic investigation within 24 hours
  4. Notification: Affected parties notified within 72 hours (GDPR requirement)
  5. Remediation: Root cause fixed, security controls strengthened

To report a security vulnerability:

Responsible Disclosure Policy: We appreciate security researchers who report vulnerabilities responsibly. We commit to not pursuing legal action against good-faith researchers and will acknowledge contributions publicly (with permission).

Client Data Protection

For clients engaging our services (AI, security, cloud), we provide additional protections:

Data Processing Agreements

We sign DPAs (Data Processing Agreements) covering data handling, security obligations, and breach notification procedures.

Dedicated Environments

Enterprise clients receive dedicated, isolated infrastructure with no shared resources.

Data Residency

Choose where your data lives: US, EU, or on-premise. Multi-region replication available.

Audit Rights

Enterprise clients can audit our security controls annually or request SOC 2 reports.

Data Deletion

Upon contract termination, all client data is securely deleted within 30 days (or returned if requested).

Backup Encryption

All backups encrypted with client-specific keys. Backups retained 90 days post-termination.

Questions About Our Security?

We're happy to discuss our security practices in detail. Schedule a call with our security team or review our SOC 2 report (available under NDA).


Last Updated: June 21, 2026

This policy may be updated periodically. Material changes will be communicated via email to active clients. Continued use of our services constitutes acceptance of the updated policy.