Trust Center

Security and compliance posture

Everything your security team needs to evaluate FencePencil — certifications, sub-processors, security controls, and the documents enterprise procurement asks for. Most things are NDA-gated; ping us and we'll send them within a business day.

Certifications & frameworks

Where we are today. Honest status — not a green checkmark on something that isn't live yet.

SOC 2 Type II

In progress

Audit observation window underway. Type I report and gap-closure evidence available on request under NDA.

Target: Q2 2026

ISO 27001

Planned

Certification work begins after SOC 2 Type II issues. ISMS documentation and Stage 1 audit targeted within 12 months.

Target: Q4 2026

GDPR

Operational

DPA template, sub-processor list, and data subject request workflow are in place. EU data residency available on Azure and AWS.

Target: Live

HIPAA

BAA Available

Business Associate Agreement available for health-tech customers. PHI segmentation, encryption, and audit logging are baseline for HIPAA workloads.

Target: Live

Security practices

Baseline controls operating across all FencePencil environments.

Encryption everywhere

All data encrypted in transit (TLS 1.2+) and at rest (KMS-managed keys, customer-managed where needed). No plaintext secrets in code, logs, or backups.

Continuous monitoring

24/7 monitoring across customer environments. Alerts to PagerDuty within minutes of anomalies. SIEM ingestion for security events.

Network isolation

Per-customer cloud accounts (or VPC isolation when colocated). No shared compute, no shared databases, no cross-customer data flow.

Access controls

Engineer access via IdP-backed SSO + MFA. Production access requires just-in-time elevation, logged and time-bounded. Least-privilege IAM by default.

Audit logging

CloudTrail, Azure Activity Log, GCP Cloud Audit — all enabled, retained, and shipped to immutable storage. Available to customers under NDA.

Incident response

Documented runbooks, on-call rotation, and 5-business-day postmortem commitment for every P1 incident.

Sub-processors

Vendors that may process customer data on our behalf. Updated as relationships change.

Vendor | Purpose | Region
AWS | Primary cloud infrastructure (compute, storage, database, network) | US, EU, multi-region
Microsoft Azure | Alternate cloud infrastructure for Azure-first customers | US, EU, multi-region
Google Cloud (GCP) | Alternate cloud infrastructure for GCP-first customers | US, EU, multi-region
Cloudflare | DNS, edge caching, DDoS mitigation | Global edge
GitHub | Source control and CI/CD orchestration | US
Stripe | Payment processing for FencePencil subscriptions | US, EU
Resend | Transactional email delivery | US
PagerDuty | On-call escalation and incident notification | US
Datadog | Optional metrics and log aggregation (when enabled) | US, EU
Atlassian | Project management (Jira, Confluence) for FencePencil internal use | US, EU

Documents available on request

Most security documentation is gated by NDA. Reach out and we'll send it quickly.

DPA template

GDPR-compliant Data Processing Agreement, ready to countersign.

BAA template

HIPAA Business Associate Agreement for health-tech customers.

Security questionnaire

Pre-filled responses to the SIG, CAIQ, and a typical enterprise vendor questionnaire.

SOC 2 Type I report

Available under NDA. Type II report available on issue (Q2 2026).

Penetration test summary

Annual third-party pen test summary letter. Full report available under NDA.