Security & compliance

We sell to security teams. We don't dodge questions.

A complete read on how Identrail handles your data, what we have certified, what we are working on, and what we have not done yet. No vague language, no aspirational claims.

Compliance posture

Honest status, by line item.

If a status here matters to a buyer in your org and is not where they need it to be, talk to us — we'd rather hear that early than late.
Standard        Status        Detail
SOC 2 Type I    In progress   Audit underway with Drata; expected H2 2026.
SOC 2 Type II   Roadmap       Following Type I, on a 12-month observation window.
ISO 27001       Considered    Will follow SOC 2 Type II depending on customer demand.
GDPR            Aligned       EU data residency available; DPA available on request.
HIPAA           Not yet       No PHI is processed today; not in current scope.
Pen test        Scheduled     First third-party pen test scheduled before Type I close.

Security posture

What we do, in the order it matters.

Data handling

Identrail does not store the contents of your secrets.

  • Scans hash credential material at the edge — the secret value never leaves your environment.
  • Connector credentials are encrypted at rest with AES-256 and rotated on a 90-day cadence.
  • Findings, evidence, and metadata are deleted on request within 30 days; immediately for hosted Team customers via the in-app control.

Access

Read-only by default; enforcement is a separate, opt-in surface.

  • Connector setup uses least-privilege read scopes; suggested IAM policies are public in the repo.
  • Policy enforcement requires named operators and an approval gate distinct from setup.
  • No long-running agent. Scans complete and tear down their connection.

Infrastructure

Hosted Identrail runs on hardened, well-known cloud primitives.

  • Hosted on AWS in our customer’s choice of US or EU region (Team), or a private region (Enterprise).
  • All inter-service traffic is mTLS. All data at rest is encrypted with envelope encryption.
  • Infrastructure-as-code; every change passes signed-commit, test, security, and human-review gates before merge.

Read the source

Every detection is in the open repo.

Closed-source security tools ask you to trust their detections. We ask you to read them. The full detection surface — connectors, rules, simulator — is on GitHub.

Vulnerability handling

Disclose privately, get triage in 72h.

We coordinate disclosure publicly and credit reporters. The full process — triage, fix, advisory — is on the responsible-disclosure page.