Trust Center

Honest about what's shipped, in progress, and planned.

We sell compliance, so we hold ourselves to the same standard we sell to. Here's how we secure your data, what we're certified for today, who we share data with, and where we are on the compliance journey.

Status legend: Live = available today · In progress = audit or work underway · Planned = on the roadmap
Built for the regulated mid-market
  • 50+
    Frameworks supported
  • 12
    AI specialist agents
  • 100%
    Audit-traceable actions
  • Unlimited
    Users · flat fee
  • 24/7
    Vendor monitoring
Our compliance posture

Where we are on the journey.

We won't claim certifications we don't have. Here's the real status.

SOC 2 Type I

In progress

Currently undergoing audit. Report will be available under NDA when complete.

ISO 27001 alignment

Live

Internal security program aligned to ISO/IEC 27001:2022 controls. Formal certification on the roadmap.

NIST CSF 2.0 alignment

Live

Internal control program organized against the six NIST CSF 2.0 functions: Govern, Identify, Protect, Detect, Respond, Recover.

SOC 2 Type II

Planned

Will follow Type I report. Required for many enterprise procurement workflows.

For your program

Eleven frameworks pre-seeded for your audits.

Separate from our own compliance posture above — these are the frameworks Thirdsentry ships ready-to-use for customer programs, with controls, evidence requirements, and cross-framework mappings already in place.

  • SOC 2 TSC
  • ISO 27001:2022
  • NIST CSF 2.0
  • NIST SP 800-53 Rev 5
  • CIS Controls v8.1
  • PCI DSS v4.0.1
  • HIPAA Security Rule
  • GDPR
  • NYDFS Part 500
  • NYSDOH 405.46
  • Custom frameworks
Security architecture

Eight controls that live in the code.

Architectural — not aspirational. Every item below is enforced in the codebase today.

Tenant isolation, server-side

Every query, retrieval, and AI tool call is bound to the calling organization via server-side context (contextvars). The LLM cannot see another customer's data — and cannot supply or override the org_id even if asked.
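One way to implement the binding described above, as an added illustration that is not Thirdsentry's own code: the authenticated request sets a `ContextVar` once, every data-layer read derives its filter from that variable, and any `org_id` arriving from a caller or an AI tool argument is dropped before the query runs. Every name here (`CURRENT_ORG`, `request_scope`, `org_filter`, `find_evidence`, `llm_tool_list_evidence`) is an assumption, and the in-memory record list stands in for a database.

```python
"""Added illustration: request-scoped tenant binding with contextvars.

Hypothetical code written for this page, not Thirdsentry's implementation.
The record store is a constructed in-memory stand-in for a database.
"""
from contextlib import contextmanager
from contextvars import ContextVar
from typing import Dict, List, Optional

# Bound once per request by the authentication layer. Nothing in a request
# body or an LLM tool call writes to this variable.
CURRENT_ORG = ContextVar("current_org", default=None)

# Constructed sample data: two tenants sharing one collection.
EVIDENCE = [
    {"_id": "e1", "org_id": "org_a", "title": "Access review Q1"},
    {"_id": "e2", "org_id": "org_a", "title": "Backup restore test"},
    {"_id": "e3", "org_id": "org_b", "title": "Pen test report"},
]


class TenantContextError(RuntimeError):
    """Raised when the data layer is called with no org bound to the request."""


@contextmanager
def request_scope(org_id: str):
    """Bind the authenticated caller's org for the duration of one request."""
    token = CURRENT_ORG.set(org_id)
    try:
        yield
    finally:
        CURRENT_ORG.reset(token)


def org_filter() -> Dict[str, str]:
    """Query filter derived solely from server-side context.

    Fails closed: a missing org is an error, never an unfiltered query.
    """
    org = CURRENT_ORG.get()
    if org is None:
        raise TenantContextError("no organization bound to this request")
    return {"org_id": org}


def find_evidence(extra_filter: Optional[dict] = None) -> List[dict]:
    """Every read is AND-ed with org_filter(); callers cannot widen it.

    An org_id key in the caller's filter is discarded, so even a filter of
    {"org_id": "org_b"} cannot reach another tenant's rows.
    """
    user_filter = {k: v for k, v in (extra_filter or {}).items() if k != "org_id"}
    query = {**user_filter, **org_filter()}
    return [doc for doc in EVIDENCE if all(doc.get(k) == v for k, v in query.items())]


def llm_tool_list_evidence(tool_args: dict) -> List[str]:
    """An AI tool entry point. The model's arguments may contain anything,
    including an org_id; it is stripped before the data layer is touched."""
    safe_args = {k: v for k, v in tool_args.items() if k != "org_id"}
    return [doc["title"] for doc in find_evidence(safe_args)]


if __name__ == "__main__":
    with request_scope("org_a"):
        # A tool call that names org_b still sees only org_a's records.
        print(llm_tool_list_evidence({"org_id": "org_b"}))
```

The two design choices worth copying are that the filter helper raises rather than returning an empty filter when no org is bound, and that the tool layer and the data layer each strip `org_id` independently, so a future tool that forgets to sanitize its arguments is still contained.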

AWS Bedrock via STS AssumeRole

AI inference runs on AWS Bedrock (Claude Sonnet 4.5) accessed via STS AssumeRole — no shared API keys, no third-party prompt proxies. Embeddings use Titan Embed Text v2.

AuditLog on every mutation

Every change to a record — including every Effy AI tool call — writes a row to an append-only AuditLog with actor, timestamp, and action. Soft-delete only on audit-significant records.

AUDITOR role enforced at the data layer

Read-only role guarded in the database, not just the UI. Auditors can view, comment, and submit reviews — but cannot edit a record, accidentally or otherwise.

Immutable PolicyVersion

When a policy is published, a PolicyVersion record locks. Drafts and approved-but-unpublished content stay separate so an auditor sees what was published, when, and by whom.
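The three data-layer guarantees above (an append-only AuditLog on every mutation, an AUDITOR role that can comment and review but never edit, and a PolicyVersion that locks at publish) can all be enforced at a single write choke point. The following is an added example written for this page, not Thirdsentry's implementation; `DataLayer`, `Actor`, `PolicyVersion`, the role strings and the action names are assumptions, and the records are constructed in memory.

```python
"""Added illustration: integrity enforced in the data layer, not the UI.

Hypothetical code written for this page, not Thirdsentry's implementation.
All writes funnel through DataLayer._mutate(), so neither the role check nor
the audit row can be skipped by a UI that forgets to call them.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


class ReadOnlyRoleError(PermissionError):
    """Raised by the data layer when an AUDITOR attempts a disallowed write."""


class VersionLockedError(RuntimeError):
    """Raised when code tries to alter an already-published PolicyVersion."""


@dataclass(frozen=True)
class Actor:
    user_id: str
    role: str  # constructed role names: "ADMIN", "AUDITOR"


@dataclass
class PolicyVersion:
    policy_id: str
    version: int
    body: str
    published_at: Optional[datetime] = None
    published_by: Optional[str] = None

    @property
    def locked(self) -> bool:
        return self.published_at is not None


class DataLayer:
    # The only writes an AUDITOR may perform: review activity, never record edits.
    AUDITOR_ALLOWED = {"review.comment", "review.submit"}

    def __init__(self) -> None:
        self.policy_versions: Dict[Tuple[str, int], PolicyVersion] = {}
        self.records: Dict[str, dict] = {}
        self.audit_log: List[dict] = []  # append-only: nothing else touches it

    def _mutate(self, actor: Actor, action: str, target: str) -> None:
        """Role check plus audit row; every write below calls this first."""
        if actor.role == "AUDITOR" and action not in self.AUDITOR_ALLOWED:
            raise ReadOnlyRoleError(f"{actor.role} may not perform {action}")
        self.audit_log.append({
            "actor": actor.user_id, "role": actor.role, "action": action,
            "target": target, "at": datetime.now(timezone.utc).isoformat(),
        })

    def save_draft(self, actor: Actor, policy_id: str, version: int, body: str) -> None:
        key = (policy_id, version)
        current = self.policy_versions.get(key)
        if current is not None and current.locked:
            raise VersionLockedError(f"{policy_id} v{version} is already published")
        self._mutate(actor, "policy.save_draft", f"{policy_id}:{version}")
        self.policy_versions[key] = PolicyVersion(policy_id, version, body)

    def publish(self, actor: Actor, policy_id: str, version: int) -> PolicyVersion:
        pv = self.policy_versions[(policy_id, version)]
        if pv.locked:
            raise VersionLockedError(f"{policy_id} v{version} is already published")
        self._mutate(actor, "policy.publish", f"{policy_id}:{version}")
        pv.published_at = datetime.now(timezone.utc)  # locks from here on
        pv.published_by = actor.user_id
        return pv

    def upsert_record(self, actor: Actor, record_id: str, data: dict) -> None:
        self._mutate(actor, "record.upsert", record_id)
        self.records[record_id] = {**data, "deleted_at": None, "comments": []}

    def soft_delete(self, actor: Actor, record_id: str) -> None:
        """Audit-significant records are never removed, only marked."""
        self._mutate(actor, "record.soft_delete", record_id)
        self.records[record_id]["deleted_at"] = datetime.now(timezone.utc).isoformat()

    def comment(self, actor: Actor, record_id: str, text: str) -> None:
        self._mutate(actor, "review.comment", record_id)
        self.records[record_id]["comments"].append((actor.user_id, text))

    def live_records(self) -> Dict[str, dict]:
        return {k: v for k, v in self.records.items() if v["deleted_at"] is None}


def demo() -> dict:
    """Exercise the guarantees; returns a summary of what was and was not allowed."""
    db = DataLayer()
    admin, auditor = Actor("u-admin", "ADMIN"), Actor("u-auditor", "AUDITOR")
    db.save_draft(admin, "POL-1", 1, "draft text")
    db.publish(admin, "POL-1", 1)
    try:
        db.save_draft(admin, "POL-1", 1, "edit after publish")
        relocked = False
    except VersionLockedError:
        relocked = True
    db.upsert_record(admin, "ctrl-7", {"title": "MFA everywhere"})
    try:
        db.upsert_record(auditor, "ctrl-7", {"title": "tampered"})
        auditor_blocked = False
    except ReadOnlyRoleError:
        auditor_blocked = True
    db.comment(auditor, "ctrl-7", "Evidence looks complete.")
    db.soft_delete(admin, "ctrl-7")
    return {
        "relocked": relocked,
        "auditor_blocked": auditor_blocked,
        "record_title": db.records["ctrl-7"]["title"],
        "still_stored": "ctrl-7" in db.records,
        "visible": "ctrl-7" in db.live_records(),
        "audit_actions": [row["action"] for row in db.audit_log],
    }
```

Note that refused writes leave no audit row because they never reach the append; if the program wants denied attempts recorded as well, the denial branch in `_mutate` should append its own row before raising.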

Encryption in transit and at rest

TLS 1.2+ for all in-transit traffic. AES-256 encryption at rest via the underlying managed services. Backups encrypted with the same standards.

Role-based access control

Nine production roles enforced server-side on every API route — Organization Master, Admin, GRC Manager, Organization User, Auditor, plus Vendor and Assessor surfaces. Frontend gates are UX only; the security guarantee is in the API layer.

Hosted on AWS

All production infrastructure runs on AWS managed services with vendor-attested compliance posture (SOC 2, ISO 27001, FedRAMP). MongoDB Atlas for primary data, S3 for evidence storage.

We use AI on your data — so we wrote down exactly how we use it responsibly. Six practices, four standards we align with, full accountability for every Effy action. No black box.
AI Safety at Thirdsentry · 5-minute read · Read the full statement
Sub-processors

Who we share your data with.

The full, current list. We notify customers in advance of any change.

| Sub-processor | Purpose | Region |
| --- | --- | --- |
| Amazon Web Services | Cloud infrastructure, AI inference (Bedrock), file storage (S3), email (SES) | US (configurable per customer) |
| MongoDB Atlas | Primary database with managed Vector Search for RAG retrieval | US |
| Anthropic (via AWS Bedrock) | Primary LLM provider — Claude Sonnet 4.5. Accessed via AWS Bedrock; data stays in your AWS region. | Customer's AWS region |
| OpenAI | Fallback LLM, server-side only via the AI service. Not used in default routing. | US |
Integrity stack
Enforced top-to-bottom in the data layer
  • 01 AUDITOR role
    Read-only enforced in the database — not a UI permission toggle
  • 02 Immutable PolicyVersion
    Locked at publish — drafts and approved-but-unpublished stay separate
  • 03 Tenant isolation
    getGrcOrgFilter enforced server-side — query-level, not config
  • 04 AuditLog + soft-delete
    Every mutation logged; audit-significant records never hard-deleted
Defensible to your examiner — not just your auditor
Defensible edge · Auditor-grade by architecture

Integrity is a property of the data layer, not a config setting.

Most platforms enforce auditor-grade behavior through RBAC configuration that admins can change. We enforce it architecturally — at the database query layer, in the schema, in the code path. An admin cannot accidentally weaken the guarantees, and an examiner can verify them in the codebase.

Most competitors implement this via RBAC settings that admins can mutate. Ours is structural — verified in the codebase, enforced server-side, immutable at the data layer.

Need a deeper security review?

Email security directly with your security questionnaire, RFP, or audit request. We turn around standard responses in two business days.