Security Roadmap
What's live, what's next, and what triggers it
We publish trigger-tied milestones, not calendar dates. A missed date is a credibility hit; a trigger that hasn't fired yet is honest scope.
Live today
- Hash-chained audit trail — SHA-256 chain, auditor-verifiable without an account.
- Row-level tenant isolation enforced by RLS + SECURITY DEFINER helpers.
- 2FA mandatory for elevated roles (admin, CCO, MLRO); AAL2 enforced server-side.
- Continuous code scanning (Aikido): SAST, secrets, IaC and dependency scanning. Code only — no customer data.
- EU data residency — primary database and file storage in EU (Ireland).
- Encryption: TLS 1.2+ in transit (HSTS preloaded); AES-256 at rest.
- Published Vulnerability Disclosure Policy + /.well-known/security.txt.
Trigger-tied next steps
- Independent penetration test (SoW already published). Trigger: First paid pilot signed, or first enterprise procurement requirement.
- Cloud security posture management (CSPM) selected. Trigger: Within 90 days of first paying customer onboarding, or first enterprise procurement requirement.
- Documented backup-restore drill from production snapshot. Trigger: Within 60 days of first paying customer onboarding.
- SOC 2 Type I — observation window opened. Trigger: Within 6 months of Series A close, or before second enterprise customer onboarding.
- SOC 2 Type II. Trigger: 12 months after Type I report issued.
- ISO 27001 ISMS initiated. Trigger: Once headcount supports a dedicated security function (≥1 FTE).
- Storage-level WORM / audit-trail immutability beyond hash chain. Trigger: When required by a contracted customer, or before SOC 2 Type II.
- Per-tenant session-timeout policy and IP allow-list. Trigger: Before first enterprise customer onboarding, or on request.
Why trigger-tied?
A single, pre-funding founder cannot commit to a calendar date for SOC 2 without misleading buyers — the audit window alone is six months, the cost is £20–40k, and the controls need someone who runs them weekly. Tying each milestone to the event that funds and justifies it keeps the roadmap honest.
If you need a specific milestone hit on a specific date as a contract condition, we'll quote it as part of the pilot — transparently, with cost and timeline attached. No private commitments. No published dates we can't keep.
See also: Trust Centre, Vulnerability Disclosure Policy, AI Use Disclosure.