Security
Security, audit evidence and AI governance.
This page states what exists now, what is planned, and how security reports should reach us. Thesmios does not claim a SOC 2 Type II report until an independent auditor issues one.
Where we are today
- TLS 1.3 for transport security.
- AWS London, eu-west-2, for the intended core data environment.
- Encryption at rest for production databases and object storage.
- Role-based access for internal systems.
- Secrets stored outside source code in managed secret stores.
- SOC 2 Type II evidence room mapped to controls; no Type II report is claimed until an independent auditor issues it.
- ISO/IEC 27001 and ISO/IEC 27701 readiness evidence room mapped to ISMS and PIMS controls.
- EU AI Act own-product compliance pack for the multi-signal verification system.
- Private bug-bounty and responsible disclosure programme published.
- Security assurance pack for procurement review, launch rehearsals, bounded claims, and enterprise rollout prerequisites.
- Operations evidence pack for liveness, readiness, SLO targets, alert routing, rollback, and restore rehearsal proof.
- Production proof pack for strict-readiness blockers, fixture commands, vendor setup, and customer acceptance evidence.
Roadmap
Cyber Essentials — Q3 2026
Baseline UK control set for secure configuration, access control, malware protection, patching, and firewalls.
SOC 2 Type II readiness — launched
Controls are mapped for observation, with evidence APIs for access, audit, monitoring, confidentiality, vendor risk and change management. The external Type II report still requires an independent CPA auditor and observation period.
ISO 27001 — Q1 2027
Information security management system evidence is live; certification still requires an accredited external audit.
ISO 27701 — Q1 2027
Privacy information management evidence is mapped to owner-controlled sharing, selective disclosure, subprocessors and DSAR/retention controls.
Evidence rooms
SOC 2 Type II readiness
The in-product evidence room maps Trust Services Criteria to operating controls, observation-ready controls and auditor-required evidence. It is a readiness layer, not a substitute for an issued SOC 2 report.
ISO 27001 and 27701 readiness
The ISMS and PIMS evidence room maps access, cryptography, vulnerability management, data minimisation, subprocessors, retention and audit readiness.
EU AI Act own-product pack
Thesmios treats its multi-signal verification system as high-risk-adjacent and maps Article 9-15 controls, Article 26 deployer support, logging, human oversight and post-market monitoring ownership.
Operations evidence pack
The operations pack records health/readiness targets, SLO measurement sources, incident communication rehearsals, alert routing gaps, rollback proof, and restore evidence requirements for buyer and operator review.
Procurement evidence pack
The procurement pack brings together DPA/SLA/subprocessor evidence, a subprocessor change-notice process, and the DPIA/AI governance questionnaire that legal and privacy reviewers need before accepting a tenant launch.
Production proof pack
The production proof pack names the strict-readiness blockers, required fixture inputs, mutating commands, vendor setup, and customer acceptance evidence that must exist before paid launch.
Security assurance pack
Procurement evidence without overclaiming certifications.
Security reviewers need a clear split between controls that are live, controls operated in managed beta, and evidence that still requires an external provider, customer tenant, or production rehearsal.
Vulnerability disclosure
Published security page, bug-bounty page, safe-harbour language, and security contact route.
Record first triage ticket with severity, owner, remediation target, customer-impact decision, and disclosure notes.
Incident response and customer notices
SLA severity model, status subscriptions, protected broadcast route, health endpoint, readiness endpoint, and rollback runbook.
Run a dry-run incident broadcast and attach readiness, deployment, owner, next-update, and mitigation evidence.
Access review and auditability
Tenant roles, invitations, verifier API key lifecycle, audit events, audit anchoring, privacy export, and audit export packages.
Attach owner/granted/denied authenticated smoke output and a sample tenant audit export for each launch tenant.
Evidence file controls
Hash checking, file signature checks, active-content checks, EICAR detection, quarantine status, legal hold, and retention cleanup jobs.
Attach clean, suspicious, and EICAR test uploads plus retention cleanup output before expanding beyond pilot data.
Backup and restore
Managed database and object-storage backup posture is documented on the security page and runbook.
Complete a production-like restore rehearsal with restore time, data integrity sample, owner, and rollback decision recorded.
Penetration test
Pen-test cadence and responsible-disclosure scope are published without claiming an issued report.
Commission independent testing before enterprise production rollout and track remediation evidence to closure.
Vendor and subprocessor risk
DPA, subprocessors page, procurement evidence pack, privacy policy, AI governance material, subprocessor notice process, and data-residency notes are published.
Customer-approved subprocessor notice, data residency decision, signed DPIA/AI questionnaire, and order-form processing scope.
Change management and release checks
Launch smoke, API smoke, readiness checks, route guard checks, source hygiene checks, Vercel deployment inspection, and rollback runbook.
Attach production deployment ID, aliases, command output, and customer-impact decision for each launch release.
Review bundles
| Bundle | Buyer question | Artifacts | Boundary |
|---|---|---|---|
| Vendor risk review | Can procurement understand what is live, what is readiness-only, and what still requires third-party evidence? | Security page; DPA, SLA, privacy, subprocessors, and trust pages; Procurement evidence pack with subprocessor notice and DPIA/AI questionnaire; Capability maturity matrix; Launch evidence pack; This security assurance JSON | SOC 2 Type II, ISO certification, independent pen-test report, and customer-specific DPIA approval are not claimed until issued or signed. |
| Technical security review | Can a security reviewer see route protection, access control, evidence handling, and release-gate proof? | Route security smoke output; Authenticated owner/granted/denied API smoke output; Evidence file screening and quarantine samples; Audit export sample; Verifier API key lifecycle evidence | Authenticated fixture proof and customer-specific evidence samples must be generated against the launch tenant before production traffic. |
| Business continuity review | Can the operator prove health monitoring, incident communication, rollback, and restore readiness? | Health and readiness endpoint output; Operations evidence pack with SLO targets, alert routing, rollback, and restore requirements; Status broadcast dry-run event; Vercel deployment inspect output; Rollback rehearsal record; Backup/restore rehearsal record | External uptime monitor, alert routing, and restore rehearsal evidence must be configured before enterprise rollout. |
| Privacy and AI governance review | Can legal and privacy reviewers see data rights, retention, subprocessors, and AI-system control ownership? | Privacy export proof; Data-rights request proof; Retention/legal-hold policy; EU AI Act own-product pack; Customer-approved processor scope | Deletion fulfilment, processor-side log reconciliation, and customer-approved retention schedules remain tenant-specific launch evidence. |
Rehearsals
Release gate
Every production deployment
Lint, build, launch smoke, API smoke, advisory readiness, deployment ID, and alias confirmation.
npm run lint && npm run build && THESMIOS_SMOKE_URL=https://www.thesmios.com npm run check:launch && THESMIOS_SMOKE_URL=https://www.thesmios.com npm run check:api
Authenticated access proof
Every launch tenant and before paid expansion
Owner, granted verifier/employer, denied verifier/employer, credential, task, share, and RLS output.
THESMIOS_SMOKE_URL=https://www.thesmios.com npm run check:auth-api
Incident communications dry run
Before first paid customer and quarterly
Status subscriber audience, dry-run payload, delivery-count result, owner, severity, and next-update time.
POST /api/status/broadcast with dryRun: true and STATUS_BROADCAST_SECRET.
Backup and restore rehearsal
Before enterprise rollout and semi-annually
Restore point, restored dataset sample, RTO/RPO note, integrity check, and rollback decision.
Attach external provider restore record to the customer implementation evidence pack.
Vulnerability triage rehearsal
Before first paid customer and after material security change
Synthetic vulnerability report, severity, owner, fix SLA, customer-impact decision, and closure proof.
Record as customer request or security operations ticket with linked deployment evidence.
Trust centre scope
Data residency
Primary application data is planned for AWS London, eu-west-2, with customer-specific residency reviewed during enterprise onboarding.
Encryption
TLS 1.3 in transit, managed encryption at rest for databases and object storage, and scoped access to production secrets.
Business continuity
Daily managed backups, disaster-recovery runbooks before production launch, and incident review after material events.
Pentest cadence
Independent penetration test planned before enterprise production rollout and then annually.
Vulnerability disclosure
Security reports route to security@thesmios.com. The private bug-bounty scope, safe harbour and reward bands are published.
Subprocessors
Hosting, email, analytics, and AI subprocessors are listed and reviewed before any production processing.
Vulnerability disclosure
Report security issues responsibly.
Send reports to security@thesmios.com. Please include the affected URL, steps to reproduce, impact, and any supporting evidence. We use a 90-day disclosure window. A PGP key fingerprint will be published once generated.
Incident response
Personal data breaches will be assessed under UK GDPR. Where required, Thesmios will notify the Information Commissioner within 72 hours under Article 33 and notify affected individuals where the legal threshold is met.