Security
Plain-language security.
We're a small team building a multi-tenant SaaS. Below is what we have today, what's on the way, and what we don't have yet. The legal version lives in our DPA.
What we have today
The fundamentals, no theatre.
- Tenant isolation
  Each workspace's data is isolated at the database layer. No customer ever sees another customer's IRIs. Authorization is re-checked at the API layer on every read.
- GDPR posture
  EU-incorporated. EU sub-processors where possible. DPA available on request. Standard Contractual Clauses cover any non-EU data flows.
- Disclosure
  Email security@semlify.com with what you found. We answer within one business day.
On the way
What we're working toward.
No committed dates. We'll publish each one when it's live, not before.
- SOC 2 Type I — in scoping with our auditor
- First third-party penetration test
- SSO (SAML) for Business tier
- Audit log export over the API
Not yet
What we don't have yet.
If procurement requires any of these, tell us — we'll be honest about the timeline and you can decide whether to wait.
- We don't have a SOC 2 letter yet.
- We don't have a published pentest report yet.
- We don't have SSO yet.
- We don't have a bug-bounty program yet.
Questions about our posture?
Email security@semlify.com. We answer within a business day.