Security & Privacy

Trust Center

SentiQore processes sensitive business continuity data for regulated organisations across the MENA region. This page documents our security posture, sub-processors, data residency, and compliance roadmap — so your security team can make an informed evaluation.

Certifications & Encryption

TLS 1.3Active

All data in transit encrypted

AES-256Active

All data at rest (Supabase default)

GDPR / DSGVOActive

EU data residency · AVV on request

SOC 2 Type IIPlanned

Audit targeted Q4 2026

ISO 27001Planned

Roadmap H1 2027

Annual PentestPlanned

First engagement planned Q3 2026

Data Residency

Client BCM data is stored in Supabase Frankfurt (AWS eu-central-1) — European Union. Application requests are served via Vercel EU edge nodes. AI inference calls transit to Anthropic infrastructure in the USA; Anthropic does not retain or store your data under the API agreement, and your BCM content is not used for model training.

Database: EU Frankfurt (eu-central-1)
Application: Vercel EU edge
Auth: Clerk (US, SOC 2 Type II)
AI inference: Anthropic US — no retention

Sub-Processors

Complete list as of June 2026. Changes communicated via email with 30 days notice before any new sub-processor is added.

ProcessorPurposeLocationData transferred
ClerkIdentity & authentication (email/password, Google OAuth, MFA, sessions)USA — SOC 2 Type II certifiedEmail address, authentication credentials, session tokens, MFA secrets
SupabasePrimary database & file storageEU — Frankfurt, AWS eu-central-1All client BCM data: risk registers, BIA, recovery strategies, governance records
VercelApplication hosting & global edge networkEU — Edge nodes in EU regionsHTTP request metadata, application logs (no BCM content)
Lemon SqueezyPayment processing & subscription billing (Merchant of Record)USA — PCI-DSS compliantBilling email, subscription status — card numbers handled by Lemon Squeezy directly, never stored on SentiQore infrastructure
AnthropicAI inference for Rasid analyst (threat analysis, playbooks, dossiers)USA — SOC 2 Type II certifiedContent of Rasid AI prompts drawn from active client context only — not retained or used for model training per Anthropic API agreement

Access Control & Identity

Multi-Factor Authentication (MFA)

MFA is available for all accounts via TOTP authenticator apps (Authy, Google Authenticator, etc.). Enterprise plans can enforce MFA organisation-wide — no team member can access the platform without a second factor.

SSO / SAML 2.0

SAML 2.0 Single Sign-On is available on Enterprise plans. Contact sales@sentiqore.com for setup, metadata exchange, and onboarding assistance.

Role-Based Access Control

Three-tier model: Platform Admin (BITS), Subscriber (team owner & members), Client viewer. Each entity is tenant-isolated at the database level via Supabase row-level security — no cross-tenant access is possible.

Audit Logs

Full audit trail of entity changes, user actions, and access events available in the admin console on Enterprise plans. Retention: 12 months. Export available on request or via the API.

Data Handling & Exit Rights

  • All client BCM data belongs to you. Export your full dataset at any time via Settings > Export or the /api/export/me endpoint. The export is a single JSON file containing all your organisations, risk registers, BIA, governance records, and contacts.
  • On account cancellation, data is retained for 30 days for recovery, then permanently and irreversibly deleted from all sub-processors.
  • Data deletion requests are fulfilled within 72 hours. Email privacy@sentiqore.com with your account email.
  • Your data is never used to train AI models. Rasid queries are processed in-flight and discarded — Anthropic does not retain API inputs per our API agreement.
  • Passwords are never stored by SentiQore — authentication is fully delegated to Clerk, which hashes credentials using bcrypt.

Data Processing Agreement (DPA / AVV)

A Data Processing Agreement (DPA) / Auftragsverarbeitungsvertrag (AVV) per Art. 28 GDPR is available for all paying customers. It covers all sub-processors listed above and includes EU Standard Contractual Clauses (SCCs) for sub-processors in third countries (Clerk, Anthropic).

Request it by emailing legal@sentiqore.com with your company name, registered address, and jurisdiction.

Typical turnaround: 2 business days.

Responsible Disclosure

Found a vulnerability? Email security@sentiqore.com with a description, reproduction steps, and potential impact. We commit to acknowledging within 24 hours and providing a resolution timeline within 72 hours. We do not pursue legal action against good-faith security researchers acting within scope.

SentiQore is a product of BITS Blackrock IT Solutions LLC · Privacy Policy · Terms of Service

Last updated: June 2026