Security

How we protect your data and maintain the security of Context Spine

Security-First Architecture

Context Spine is built from the ground up with security as a core principle. We understand that our customers trust us with sensitive organizational data, and we take that responsibility seriously.

Encryption

All data is encrypted in transit (TLS 1.3) and at rest (AES-256). API keys and secrets are encrypted with additional key management.

Infrastructure

Hosted on SOC 2 Type II certified infrastructure with redundancy, automated backups, and disaster recovery.

Access Control

Role-based access control, SSO integration, and complete audit logging of all access and changes.

Monitoring

24/7 security monitoring, intrusion detection, and automated threat response systems.

Data Protection

Encryption Standards

  • In Transit: TLS 1.3 for all connections. We enforce HTTPS and HSTS.
  • At Rest: AES-256 encryption for all stored data.
  • Key Management: Hardware security modules (HSMs) for key storage and rotation.
  • Secrets: API keys, tokens, and credentials are protected with an additional layer of envelope encryption.

Data Isolation

Customer workspaces are logically isolated with strict access controls. Your data is never accessible to other customers or used for purposes outside of providing the Service.

Data Retention

You control your data retention policies. Default retention is 90 days for events, with configurable policies available on Enterprise plans. Deleted data is purged within 30 days.

Infrastructure Security

Cloud Infrastructure

  • Hosted on major cloud providers with SOC 2 Type II certification
  • Multi-region deployment with automated failover
  • Virtual private cloud (VPC) isolation
  • Network segmentation and firewall rules
  • DDoS protection and rate limiting

Backup and Recovery

  • Automated daily backups with 30-day retention
  • Point-in-time recovery capability
  • Cross-region backup replication
  • Regular disaster recovery testing

Application Security

Authentication

  • Strong password requirements with breach detection
  • Multi-factor authentication (MFA) support
  • SSO integration (SAML 2.0, OIDC)
  • Session management with automatic timeout
  • API key authentication with scoped permissions

Authorization

  • Role-based access control (RBAC)
  • Workspace-level permissions
  • Principle of least privilege
  • Granular API scopes

Secure Development

  • Secure coding guidelines and training
  • Automated security scanning in CI/CD
  • Dependency vulnerability monitoring
  • Code review requirements
  • Regular penetration testing by third parties

Compliance and Auditing

Audit Logging

All access and changes are logged with immutable audit trails:

  • User authentication events
  • API access and operations
  • Configuration changes
  • Data access and exports
  • Administrative actions

Compliance

Context Spine is designed to support your compliance requirements:

  • SOC 2 Type II compliant infrastructure
  • Data processing agreements available
  • Configurable data retention policies
  • Export capabilities for audit purposes

Incident Response

We maintain a comprehensive incident response program:

  • 24/7 security monitoring and alerting
  • Documented incident response procedures
  • Regular incident response drills
  • Timely customer notification for security incidents
  • Post-incident analysis and remediation

Vulnerability Disclosure

We welcome responsible security research. If you discover a security vulnerability, please report it to our security team:

Email: [email protected]
PGP Key: Available upon request

Please include detailed information about the vulnerability and steps to reproduce. We commit to acknowledging reports within 24 hours and working with researchers on responsible disclosure.

Enterprise Security

Enterprise plans include additional security capabilities:

  • Custom SSO/SAML configuration
  • Advanced audit log retention and export
  • Dedicated security review and onboarding
  • Custom data residency options
  • Security questionnaire and documentation
  • SLA with security commitments

Questions?

For security-related questions or to request our security documentation:

Email: [email protected]
Address: Context Spine, Inc.
123 Innovation Drive
San Francisco, CA 94102