Security & Trust

Varanic is built with enterprise-grade security at every layer. We protect your counterparty data, financial analyses, and portfolio intelligence with the same rigor that institutional finance demands.

Compliance Certifications

SOC 2 Type 1 (Attested)

Attested by Sensiba LLP, May 2026. Attestation letter on request; full report under NDA.

SOC 2 Type 2 (In Progress)

Observation period began May 2026, immediately following our Type 1 attestation. Target report: Q3 2026 with Sensiba LLP.

"Attested" indicates an issued third-party audit report; "In Progress" indicates an active audit engagement. Technical controls described on this page are implemented in the platform today. Contact [email protected] for the latest certification status and supporting documentation.

How We Protect Your Data

Encryption

  • AES-256 server-side encryption for document storage in Amazon S3; production database resides on encrypted storage volumes managed by the cloud provider
  • TLS 1.2+ for data in transit, terminated at the Cloudflare edge in front of production
  • Field-level encryption for sensitive data on roadmap; volume-level encryption active today
  • Key rotation managed through cloud provider infrastructure; application-level rotation on roadmap
  • Encrypted backups with geographically separated storage planned for production deployment

Data Ownership & Handling

  • SEC EDGAR data sourced exclusively from public filings maintained by the SEC
  • Customer-uploaded financial data remains the sole property of the customer at all times
  • Customer data is never sold
  • Configurable data retention policies with full customer control
  • Secure and verifiable deletion of all data upon account termination

How The Platform Is Secured

Architecture & Access Control

  • Multi-tenant isolation: every database row scoped to account_id with rigorous controls to prevent cross-tenant data access
  • Role-Based Access Control (RBAC) with admin, user, and viewer roles enforcing granular permissions
  • MFA support with TOTP-based authentication and configurable device trust policies
  • Session-based authentication with secure token management and automatic expiration
  • Input validation on API endpoints; expanding sanitization coverage across all routes

API Security

  • API key authentication required for all programmatic access
  • Rate limiting on all endpoints to prevent abuse and ensure availability
  • HTTPS-only access to production; HTTP requests are redirected to HTTPS at the Cloudflare edge
  • Request validation and content-type enforcement on API calls

How We Maintain Trust

Audit Trail & Monitoring

  • Audit trail of user create, update, and delete actions with precise timestamps
  • User attribution on every action for full accountability and traceability
  • Append-only audit log storage designed to resist tampering
  • Activity monitoring dashboard; automated anomaly detection planned

Vulnerability Management

  • Third-party penetration testing scheduled for Q2 2026 prior to production launch
  • Responsible disclosure program active — report vulnerabilities to [email protected]
  • Dependency scanning integrated into the development workflow via automated tooling
  • Security incident response plan documented with severity levels, escalation paths, and notification timelines

Trust Center

Legal agreements are available below. Security policy documents are shared under NDA during the sales process — request access directly or contact [email protected].

Legal Agreements

Terms of Service: Platform usage terms and conditions
Privacy Policy: How we collect, use, and protect personal data
Data Processing Agreement: Data processing terms
Acceptable Use Policy: Platform usage guidelines and restrictions

Compliance Reports

Available on request. Email [email protected] with your company and use case.

SOC 2 Type 1 Attestation Letter (Sensiba, 6 May 2026; no NDA required): Sensiba LLP confirmation of attestation issuance
SOC 2 Type 1 Full Report (Sensiba, 7 May 2026; NDA required): Auditor opinion, system description, controls, and testing detail

Security Resources

Available under NDA during the sales process. Request access below or contact [email protected].

Information Security Policy (VAR-ISP-001): Access control, encryption, and security standards
Incident Response Plan (VAR-IRP-001): Severity levels, response procedures, notification timelines
Business Continuity Plan (VAR-BCP-001): Disaster recovery, RTO/RPO targets, backup strategy
Vendor Management Policy (VAR-VMP-001): Third-party risk assessment and monitoring
Data Retention Policy (VAR-DRP-001): Data lifecycle, retention periods, deletion procedures

Have Security Questions?

Our security team is ready to discuss our practices, share documentation, or address any concerns about how we protect your data.

[email protected]