Security

How we secure Cipher

A security platform must hold itself to the highest standard. Cipher is built with defense-in-depth principles, transparent practices, and continuous validation.

Security practices

Infrastructure Security

Cipher's infrastructure runs on isolated, ephemeral environments. Exploit simulations execute in sandboxed containers that are destroyed after each verification — no customer code persists beyond the scan lifecycle.

Data Handling

Source code is encrypted in transit (TLS 1.3) and at rest (AES-256). Code is processed in memory during analysis and never stored permanently. Scan results are retained only for the duration specified by your plan's audit history window.

Access Controls

All internal systems enforce least-privilege access with RBAC. Authentication is handled via OAuth 2.0 with support for SSO/SAML on enterprise plans. Every access event is logged and auditable.

Compliance & certifications

SOC 2 Type II: Expected Q3 2026. Status: In Progress

Penetration Testing: Annual third-party assessment. Status: Completed

GDPR Compliance: EU data processing compliant. Status: Active

ISO 27001: Certification roadmap initiated. Status: Planned

Responsible disclosure

We take security reports seriously. If you've discovered a vulnerability in Cipher's platform, we want to hear from you. We commit to acknowledging reports within 24 hours and providing an initial assessment within 72 hours.