Trust

Compliance posture and procurement docs

Everything your security team needs to evaluate us — certifications, sub-processors, data residency, and the documents enterprise procurement asks for. Most are NDA-gated; ping us and we'll send them within a business day. For control-level detail, see /security.

Certifications & frameworks

Where we are today. Honest status — not a green checkmark on something that isn't live yet.

SOC 2 Type II

In progress

Audit observation window underway. Type I report and gap-closure evidence available on request under NDA.

Target: Q2 2026

ISO 27001

Planned

Certification work begins after SOC 2 Type II issues. ISMS documentation and Stage 1 audit targeted within 12 months.

Target: Q4 2026

GDPR

Operational

DPA template, sub-processor list, and data subject request workflow are in place. EU data residency available on Azure and AWS.

Target: Live

HIPAA

BAA Available

Business Associate Agreement available for health-tech customers. PHI segmentation, encryption, and audit logging are baseline for HIPAA workloads.

Target: Live

Data residency

Customer data lives in the region you choose. Three cloud providers, multi-region in each.

United States

AWS us-east-1, us-west-2 · Azure East US, West US 2 · GCP us-central1

European Union

AWS eu-west-1, eu-central-1 · Azure West Europe, North Europe · GCP europe-west1

Other regions

Available on request — UK, Canada, Asia-Pacific. We deploy where you need us.

Sub-processors

Vendors that may process customer data on our behalf. Updated as relationships change.

Vendor | Purpose | Region
AWS | Primary cloud infrastructure (compute, storage, database, network) | US, EU, multi-region
Microsoft Azure | Alternate cloud infrastructure for Azure-first customers | US, EU, multi-region
Google Cloud (GCP) | Alternate cloud infrastructure for GCP-first customers | US, EU, multi-region
Cloudflare | DNS, edge caching, DDoS mitigation | Global edge
GitHub | Source control and CI/CD orchestration | US
Stripe | Payment processing for FencePencil subscriptions | US, EU
Resend | Transactional email delivery | US
PagerDuty | On-call escalation and incident notification | US
Datadog | Optional metrics and log aggregation (when enabled) | US, EU
Atlassian | Project management (Jira, Confluence) for FencePencil internal use | US, EU

Documents available on request

Most security documentation is gated by NDA. Reach out and we'll send it quickly.

DPA template

GDPR-compliant Data Processing Agreement, ready to countersign.

BAA template

HIPAA Business Associate Agreement for health-tech customers.

Security questionnaire

Pre-filled responses to the SIG, CAIQ, and a typical enterprise vendor questionnaire.

SOC 2 Type I report

Available under NDA. Type II report available on issue (Q2 2026).

Penetration test summary

Annual third-party pen test summary letter. Full report available under NDA.