Security & Compliance
Enterprise Trust Framework | Effective: August 12, 2025
1. Security Governance
At Assay, security is not an add-on; it is the fundamental infrastructure upon which "Commercial Truth" is built. Our security program is modeled after the NIST Cybersecurity Framework and maintained by a dedicated team of security professionals. We operate under a continuous improvement lifecycle aimed at achieving and maintaining SOC 2 Type 2 and ISO 27001 certifications.
2. Infrastructure Isolation
2.1 Logical Air Gap
Assay uses a multi-tenant architecture designed for maximum isolation. Every customer tenant's Truth Graph is logically partitioned at the database layer, and all cross-tenant data access is blocked by our unified access control layer.
2.2 Trusted Cloud Partners
Our platform is hosted on globally distributed, Tier-1 cloud infrastructure providers (AWS, Google Cloud, Railway, Vercel). These providers are audited against SOC 1/2/3, ISO 27001, FedRAMP, and HIPAA standards.
3. Technical Safeguards
3.1 Encryption Standards
In Transit: All data transmitted between user clients and Assay servers, or between internal services, is encrypted using TLS 1.3 with high-strength cipher suites.
At Rest: All customer data, backups, and logs are encrypted using AES-256 with managed key rotation via FIPS 140-2 validated Hardware Security Modules (HSMs).
3.2 Identity & Access
We enforce Single Sign-On (SSO) and Multi-Factor Authentication (MFA) across our entire tech stack. Access to production environments is restricted to the absolute minimum necessary personnel via Just-In-Time (JIT) provisioning and strictly audited service accounts.
4. Application Security
Assay follows a Secure Software Development Lifecycle (SSDLC). This includes:
- Automated Scanning: Continuous SAST, DAST, and SCA scanning of our codebase and dependencies.
- Peer Review: 100% of code changes require review by at least one other engineer with a security focus.
- Penetration Testing: We conduct annual, deep-dive third-party penetration tests to identify and remediate vulnerabilities before they can be exploited.
5. Operational Security
All Assay employees and contractors undergo mandatory background checks. We enforce a mobile device management (MDM) policy that requires full-disk encryption, automated patching, and remote wipe capabilities for all company assets. Annual security awareness training is mandatory for all personnel.
6. Incident Response and Resiliency
Assay maintains a 24/7/365 Incident Response team. In the event of a verified data breach impacting Customer Data, Assay will notify affected customers without undue delay and within 72 hours of verification. We maintain cold and hot standby backups spanning multiple geographic regions to ensure business continuity and data durability.