ThemisIQ Compliance Inc.

Security at ThemisIQ

ThemisIQ processes your most sensitive compliance data — GHG inventories, workforce metrics, supply chain records, and cyber risk registers. We take security seriously, not as a checkbox, but as a foundational design requirement.

TIQ-SEC-001
Policy ID
v2.0
Version
security@themisiq.co
Report issues
Certifications & compliance

Our security posture.

🛡️
SOC 2 Type I
Target: Q4 2026 — gap assessment in progress
In progress
🛡️
SOC 2 Type II
Target: Q2 2027 — dependent on Type I completion
In progress
📋
ISO 27001:2022
Target: Q2 2027 — controls mapped, ISMS design phase
In progress
🔒
PIPEDA & Law 25 (Québec)
DPA templates complete · privacy breach procedures in place
Compliant
🌍
GDPR / UK GDPR — data processor
Standard Contractual Clauses (SCCs) in place · DPA available on request
Compliant
💳
PCI DSS
Payment processing via Stripe (PCI DSS Level 1) — ThemisIQ never stores card data
Via Stripe
Infrastructure

Where your data lives.

🗄️
Database — Supabase (AWS)
All customer platform data stored in Supabase on AWS infrastructure. Supabase holds SOC 2 Type II and ISO 27001 certifications. US-East region by default.
☁️
Application — Vercel
ThemisIQ application hosted on Vercel with global CDN. Vercel holds SOC 2 Type II certification. HTTPS enforced on all endpoints; HSTS enabled.
💳
Payments — Stripe
All payment processing handled by Stripe, PCI DSS Level 1 certified. ThemisIQ never stores, processes, or transmits card numbers.
💾
Backups — continuous PITR
Continuous point-in-time recovery with 30-day retention. Backups replicated to geographically separate AWS region. RTO: 4 hours. RPO: 1 hour.
Data protection

How your data is protected.

Encryption in transit
All data transmitted to and from ThemisIQ is encrypted using TLS 1.2 or higher. TLS 1.0 and 1.1 are disabled.
Encryption at rest
All data at rest is encrypted using AES-256 at the storage layer via AWS-managed encryption keys.
Tenant isolation
Your data is logically isolated from all other customers using database-level Row-Level Security (RLS) enforced by tenant_id. Cross-tenant data access is architecturally impossible.
Immutable audit trail
All changes to your compliance data are logged in an immutable audit trail written by the database — not the application. Cannot be modified by any user or administrator.
No AI training on your data
Your compliance data is not used to train AI models. Only structured prompts are sent to our AI provider — never raw customer data.
Access control

Who can access your data.

You control access
You manage user access within your organisation via ThemisIQ's role-based access control (RBAC). User roles: Administrator, Editor, Viewer.
ThemisIQ staff access
ThemisIQ employees do not have routine access to customer platform data. Support access requires a documented request, approval, and is logged.
MFA mandatory
Multi-factor authentication is mandatory for all ThemisIQ staff accessing production systems. We recommend enabling MFA for all customer accounts.
Least privilege
ThemisIQ staff access follows least-privilege principles. Privileged access is reviewed quarterly.
Offboarding
All system access is revoked within 1 hour of any staff termination — voluntary or involuntary.
Incident response

What happens if something goes wrong.

01
Detect
We monitor all production systems 24/7 for anomalies, security events, and unauthorised access attempts.
02
Contain
P1 incidents are contained within 1 hour of detection. Affected systems are isolated immediately.
03
Notify
You are notified within 24 hours of a confirmed data breach affecting your data. Regulatory notifications within 72 hours.
04
Review
Every P1 and P2 incident has a mandatory post-incident review within 14 days. Findings shared with affected customers on request.
Vulnerability management

Keeping the platform secure.

Weekly scanningAutomated vulnerability scanning across all production systems every week
Critical patchesApplied within 7 days of discovery
Annual penetration testBy an independent third-party security firm. Findings tracked to closure.
Dependency scanningAll third-party code dependencies scanned for known vulnerabilities in the CI/CD pipeline on every build
Code reviewAll code changes require peer review before merging to production
Secrets managementAPI keys and credentials managed via secure environment variable injection — never committed to source code
Report a security issue

Responsible disclosure.

If you discover a security vulnerability or believe you have seen suspicious activity in your ThemisIQ account, please contact us immediately. We take all security reports seriously and will respond within 24 hours.

Security team — ThemisIQ Compliance Inc.
Response time: 24 hours for all security reports
We do not pursue legal action against researchers acting in good faith.
Enterprise security reviews
Penetration test reports, SOC 2 bridge letters, and full security questionnaire responses are available on request for enterprise customers conducting security due diligence.