Security & Compliance
Last updated: 2026-04-30
Our Commitment
CloudSealed is committed to maintaining the highest standards of security and compliance. We implement technical and organizational measures to protect your data throughout the entire analysis cycle. Our security practices are designed to align with SOC 2 Type II (attestation in progress), LGPD (Brazil), CCPA (California), and industry best practices for software engineering.
Regulatory Frameworks
Our practices are designed to align with the following regulatory frameworks and standards:
LGPD (General Data Protection Law)
Designed to align with Brazil's Lei Geral de Proteção de Dados, including a documented legal basis for each processing activity, data subject rights, appointment of a Data Protection Officer (DPO), and reporting procedures for the ANPD (Autoridade Nacional de Proteção de Dados).
CCPA / US Privacy Laws
Designed to align with the California Consumer Privacy Act and emerging state privacy laws. No sale of personal information. Transparent data practices.
SOC 2 Type II
Our infrastructure and processes are designed to align with the SOC 2 Trust Services Criteria for security, availability, and confidentiality. A SOC 2 Type II attestation is currently in progress.
Google Ads Policy Compliance
Full compliance with Google Advertising Policies, including transparent business practices, accurate claims, and proper data collection disclosures.
Security Measures
Encryption at Rest and in Transit
All data is encrypted with AES-256 at rest and TLS 1.3 in transit. Database connections are made over TLS. Uploaded files are stored in Google Cloud Storage, which encrypts objects at rest.
Access Control
Role-based access control (RBAC) following the principle of least privilege. Multi-factor authentication is required for analyst accounts. Session tokens expire automatically.
Audit Logging
Comprehensive audit trail for all access, modifications, and administrative actions. Logs are immutable and retained for 5 years.
Vulnerability Management
Regular security assessments, dependency scanning, and penetration testing. Responsible disclosure program for security researchers.
Personnel Security
Background checks for all specialists with access to client data. Mandatory corporate security awareness training. Non-disclosure agreements (NDAs).
Infrastructure Security
Hosted on Google Cloud Platform, in data centers covered by Google's SOC 2 attestations. Network segmentation, firewall rules, and DDoS protection. Regular backups and disaster recovery testing.
Data Processing
Client data is processed exclusively to deliver cloud audit reports and related services. We do not use client data to train AI models, for marketing, or for any purpose beyond the scope of the agreed service. Data is logically isolated per client. We implement data minimization principles—collecting and processing only what is strictly necessary for technical analysis.
Incident Response
We maintain a documented incident response plan covering identification, containment, eradication, recovery, and post-incident review. In the event of a data breach, we will notify affected users within 72 hours and report to the relevant authorities (the ANPD for Brazilian users) as required by law. Security incidents can be reported to contact@cloudsealed.com.
Vendor Management
All third-party service providers are evaluated for security and compliance prior to engagement. We maintain Data Processing Agreements (DPAs) with all sub-processors. Our primary sub-processors include Google Cloud Platform (infrastructure), SendGrid (email delivery), and Vercel (edge deployment). A full list of sub-processors is available upon request.
Security Contact
For security issues, vulnerability reports, or compliance inquiries:
- 📧 contact@cloudsealed.com