Trust Center

IntelSpec is built for regulated organizations. We expect to be assessed by your security and procurement teams, and this page exists to make that assessment fast. Documentation referenced here is available under NDA on request.

Security architecture

  • Hosted on AWS (us-east) with infrastructure managed entirely as code and deployed through reviewed CI pipelines — no manual production changes.
  • All customer data is encrypted in transit (TLS 1.2+). Databases, object storage, and audit trails are encrypted at rest (AES-256), with customer-managed AWS KMS keys protecting databases and audit logs.
  • Strict tenant isolation: every record is scoped to your organization at the data layer, cross-tenant requests are rejected, and isolation is covered by dedicated tests that run in CI on every change.
  • Secrets are stored in AWS Secrets Manager; database credentials rotate automatically. Container images are immutable and vulnerability-scanned before every deployment.
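The tenant-scoping pattern described above, as an added illustration (not IntelSpec's code): every statement the repository issues carries the caller's organization id, so a lookup keyed on the record id alone cannot exist, and the check at the bottom is the shape of an isolation test that would run in CI. The schema, organization ids and rows are constructed for the example.

```python
"""Illustration of tenant scoping at the data layer, with the kind of
isolation check that runs in CI. Added for this page; not IntelSpec's
code. Schema, org ids and rows are constructed for the example."""
import sqlite3


class NotFound(Exception):
    """Raised for records that are missing OR belong to another org.
    The two cases are deliberately indistinguishable to the caller, so
    a cross-tenant probe cannot learn that a record id exists."""


class CaseRepository:
    """Every statement carries the org_id bound at construction, so a
    request can only touch rows of the caller's own organization."""

    def __init__(self, conn: sqlite3.Connection, org_id: str) -> None:
        self._conn = conn
        self._org_id = org_id

    def get_case(self, case_id: int) -> dict:
        # The bug this guards against is a lookup keyed on id alone
        # ("WHERE id = ?"), which lets any authenticated user read other
        # tenants' records by guessing ids.
        row = self._conn.execute(
            "SELECT id, org_id, title FROM cases WHERE id = ? AND org_id = ?",
            (case_id, self._org_id),
        ).fetchone()
        if row is None:
            raise NotFound(case_id)
        return {"id": row[0], "org_id": row[1], "title": row[2]}

    def update_title(self, case_id: int, title: str) -> bool:
        # Writes are scoped the same way; rowcount tells us whether the
        # row was actually ours.
        cur = self._conn.execute(
            "UPDATE cases SET title = ? WHERE id = ? AND org_id = ?",
            (title, case_id, self._org_id),
        )
        return cur.rowcount == 1


def seed() -> sqlite3.Connection:
    """Two organizations, one case each (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cases (id INTEGER PRIMARY KEY, org_id TEXT NOT NULL, "
        "title TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO cases (id, org_id, title) VALUES (?, ?, ?)",
        [(1, "org_acme", "Acme phishing kit"), (2, "org_globex", "Globex leaked creds")],
    )
    return conn


def isolation_check() -> dict:
    """CI-style check: org_globex must be unable to read or modify case 1,
    and the attempt must leave org_acme's row unchanged."""
    conn = seed()
    acme = CaseRepository(conn, "org_acme")
    globex = CaseRepository(conn, "org_globex")

    own_read_ok = acme.get_case(1)["title"] == "Acme phishing kit"

    try:
        globex.get_case(1)
        cross_read_rejected = False
    except NotFound:
        cross_read_rejected = True

    cross_write_rejected = globex.update_title(1, "tampered") is False
    row_unchanged = acme.get_case(1)["title"] == "Acme phishing kit"

    return {
        "own_read_ok": own_read_ok,
        "cross_read_rejected": cross_read_rejected,
        "cross_write_rejected": cross_write_rejected,
        "row_unchanged": row_unchanged,
    }


if __name__ == "__main__":
    result = isolation_check()
    assert all(result.values()), result
    print("tenant isolation check passed:", result)
```

The point of binding org_id at construction rather than passing it per call is that a developer cannot forget it on one query; the CI test then exercises the negative path (another tenant's id) as well as the happy path, which is what catches a regression to an unscoped lookup.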

Monitoring & response

  • Continuous threat detection (Amazon GuardDuty), configuration compliance monitoring (AWS Config), and centralized findings (Security Hub) across our environment.
  • CloudTrail audit logging with customer-managed KMS encryption and tamper-evident log-file validation; high-severity findings from GuardDuty and Security Hub are alerted to the team in real time.
  • A documented incident response process with customer notification commitments defined in our DPA (available on request).

Application security

  • Role-based access control on every endpoint; TOTP two-factor authentication available on every account; sign in with Google or GitHub. SAML/OIDC SSO for Enterprise is on our near-term roadmap.
  • In-product audit log of authentication, configuration changes, and alert dispositions; audit exports are available to your assessors on request.
  • Evidence items are timestamped and hashed at capture.
  • SAST, dependency, and container vulnerability scanning gate every deployment. Annual third-party penetration testing begins with our SOC 2 program; summaries will be available on request.
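Hashing evidence at capture, as an added illustration of what the "timestamped and hashed at capture" bullet implies (not IntelSpec's code): the digest covers the captured bytes and the capture metadata together, so a later change to either the content or the timestamp is detectable. The record layout, the sample response bytes and the timestamps are constructed for the example.

```python
"""Illustration of hashing evidence at capture and verifying it later.
Added for this page; not IntelSpec's code. The record layout and the
sample evidence are constructed for the example."""
import hashlib
import json
from datetime import datetime, timezone
from typing import List, Optional


def _digest(meta: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the record digest is
    # reproducible regardless of how the record is later serialized.
    canonical = json.dumps(meta, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def capture(source: str, content: bytes, captured_at: Optional[str] = None) -> dict:
    """Build an evidence record whose digest covers the bytes AND the
    capture metadata, so neither can be altered without detection."""
    if captured_at is None:
        captured_at = datetime.now(timezone.utc).isoformat(timespec="seconds")
    meta = {
        "source": source,
        "captured_at": captured_at,
        "content_sha256": hashlib.sha256(content).hexdigest(),
    }
    return {**meta, "record_sha256": _digest(meta)}


def verify(record: dict, content: bytes) -> List[str]:
    """Return the list of integrity failures (empty means intact)."""
    failures = []
    if hashlib.sha256(content).hexdigest() != record["content_sha256"]:
        failures.append("content changed since capture")
    meta = {k: record[k] for k in ("source", "captured_at", "content_sha256")}
    if _digest(meta) != record["record_sha256"]:
        failures.append("capture metadata changed")
    return failures


def demo() -> dict:
    """Intact record, altered content, and a backdated timestamp
    (all constructed)."""
    content = b"HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n<html>login</html>"
    rec = capture("https://phish.example/login", content, "2024-05-01T12:00:00+00:00")
    tampered_content = content.replace(b"nginx", b"apache")
    backdated = {**rec, "captured_at": "2024-04-01T12:00:00+00:00"}
    return {
        "intact": verify(rec, content),
        "content_tampered": verify(rec, tampered_content),
        "backdated": verify(backdated, content),
    }


if __name__ == "__main__":
    for name, failures in demo().items():
        print(f"{name}: {failures or 'OK'}")
```

One caveat a reviewer will raise: a hash stored next to the evidence only protects against accidental or unprivileged modification. Against someone with write access to the store, the record digest has to be anchored somewhere they cannot rewrite, for example written to the append-only audit trail or signed with a key the application server holds but the database does not.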

Responsible disclosure

We operate a coordinated vulnerability disclosure process. Report vulnerabilities to security@intelspec.io; our machine-readable policy is published at /.well-known/security.txt. We commit to acknowledging reports within 3 business days and will not pursue legal action against good-faith security research.

Data handling

  • We collect external, publicly available, and licensed commercial signal data; the only customer-confidential data we hold is the context you give us (entity lists, cases, notes).
  • Built-in export for investigations and reports; organization-level data export and deletion are handled on request via security@intelspec.io.
  • DPA available on request; we do not sell or share customer data. Customer context is never used to train shared or third-party models — LLM inference runs on Amazon Bedrock inside our AWS environment, and model providers do not train on its inputs.

Subprocessors

Name              Purpose
AWS               Cloud hosting, storage, and Bedrock model inference
Stripe            Payment processing
Resend            Transactional email
Sentry            Error monitoring; personal data scrubbed
Plausible         Privacy-friendly, cookieless analytics
Google / GitHub   Optional sign-in identity

Separately from subprocessors, IntelSpec queries external intelligence sources (such as Have I Been Pwned, Shodan, and VirusTotal) using only the identifiers you ask us to monitor — never your cases, notes, or other customer content.

Compliance roadmap

  • SOC 2 Type I: in progress — controls implemented; audit being scheduled.
  • SOC 2 Type II: to follow within 12 months of Type I.
  • Built to align with NIST CSF; control mapping available on request.

Contact

security@intelspec.io · Responsible disclosure: /.well-known/security.txt