Security & Privacy
SentiQore processes sensitive business continuity data for regulated organisations across the MENA region. This page documents our security posture, sub-processors, data residency, and compliance roadmap — so your security team can make an informed evaluation.
All data in transit encrypted
All data at rest (Supabase default)
EU data residency · AVV on request
Audit targeted Q4 2026
Roadmap H1 2027
First engagement planned Q3 2026
Client BCM data is stored in Supabase Frankfurt (AWS eu-central-1) — European Union. Application requests are served via Vercel EU edge nodes. AI inference calls transit to Anthropic infrastructure in the USA; Anthropic does not retain or store your data under the API agreement, and your BCM content is not used for model training.
Complete list as of June 2026. Changes communicated via email with 30 days notice before any new sub-processor is added.
| Processor | Purpose | Location | Data transferred |
|---|---|---|---|
| Clerk ↗ | Identity & authentication (email/password, Google OAuth, MFA, sessions) | USA — SOC 2 Type II certified | Email address, authentication credentials, session tokens, MFA secrets |
| Supabase ↗ | Primary database & file storage | EU — Frankfurt, AWS eu-central-1 | All client BCM data: risk registers, BIA, recovery strategies, governance records |
| Vercel ↗ | Application hosting & global edge network | EU — Edge nodes in EU regions | HTTP request metadata, application logs (no BCM content) |
| Lemon Squeezy ↗ | Payment processing & subscription billing (Merchant of Record) | USA — PCI-DSS compliant | Billing email, subscription status — card numbers handled by Lemon Squeezy directly, never stored on SentiQore infrastructure |
| Anthropic ↗ | AI inference for Rasid analyst (threat analysis, playbooks, dossiers) | USA — SOC 2 Type II certified | Content of Rasid AI prompts drawn from active client context only — not retained or used for model training per Anthropic API agreement |
Multi-Factor Authentication (MFA)
MFA is available for all accounts via TOTP authenticator apps (Authy, Google Authenticator, etc.). Enterprise plans can enforce MFA organisation-wide — no team member can access the platform without a second factor.
SSO / SAML 2.0
SAML 2.0 Single Sign-On is available on Enterprise plans. Contact sales@sentiqore.com for setup, metadata exchange, and onboarding assistance.
Role-Based Access Control
Three-tier model: Platform Admin (BITS), Subscriber (team owner & members), Client viewer. Each entity is tenant-isolated at the database level via Supabase row-level security — no cross-tenant access is possible.
Audit Logs
Full audit trail of entity changes, user actions, and access events available in the admin console on Enterprise plans. Retention: 12 months. Export available on request or via the API.
A Data Processing Agreement (DPA) / Auftragsverarbeitungsvertrag (AVV) per Art. 28 GDPR is available for all paying customers. It covers all sub-processors listed above and includes EU Standard Contractual Clauses (SCCs) for sub-processors in third countries (Clerk, Anthropic).
Request it by emailing legal@sentiqore.com with your company name, registered address, and jurisdiction.
Typical turnaround: 2 business days.
Found a vulnerability? Email security@sentiqore.com with a description, reproduction steps, and potential impact. We commit to acknowledging within 24 hours and providing a resolution timeline within 72 hours. We do not pursue legal action against good-faith security researchers acting within scope.
SentiQore is a product of BITS Blackrock IT Solutions LLC · Privacy Policy · Terms of Service
Last updated: June 2026