Security
Security posture and roadmap.
This page states what exists now, what is planned, and how to send us security reports.
Where we are today
- TLS 1.3 for data in transit.
- AWS London (eu-west-2) as the intended region for the core data environment.
- Encryption at rest for production databases and object storage.
- Role-based access control for internal systems.
- Secrets kept out of source code and held in managed secret stores.
Roadmap
Cyber Essentials
Target Q3 2026. Baseline UK control set for secure configuration, access control, malware protection, patching, and firewalls.
ISO 27001
Target Q1 2027. Information security management system with risk assessment, controls, audit, and continuous improvement.
SOC 2 Type II
Target Q4 2027. Independent auditor's report on the design and operating effectiveness of controls over a review period, aimed at enterprise buyers.
Vulnerability disclosure
Report security issues responsibly.
Send reports to security@thesmios.com. Please include the affected URL, steps to reproduce, impact, and any supporting evidence. We use a 90-day coordinated disclosure window from the date of the report; please do not publish details before it ends unless a fix has already shipped. A PGP key fingerprint will be published once the key is generated.
Incident response
Personal data breaches will be assessed under UK GDPR. Where required, Thesmios will notify the Information Commissioner's Office within 72 hours of becoming aware of the breach, as required by Article 33, and will notify affected individuals under Article 34 where the breach is likely to result in a high risk to their rights and freedoms.