Trust
The product must not be the weak link that creates liability for its customers.
DeckIR is not a regulated entity, but it operates at the intersection of Reg FD, SEC cybersecurity disclosure, ADA Title III, WCAG 2.1 AA, and eight US state privacy laws. Our compliance posture is public.
Frameworks
Compliance posture
SOC 2 Type I
On roadmap
Observation window begins in Phase 1 of the product build. Evidence collection is continuous via Drata from day one.
Target Q4 2026
SOC 2 Type II
On roadmap
Report issued by a named auditor. Provided to prospects under NDA. Annual renewal on the published cadence.
Target Q3 2027
WCAG 2.1 AA
Active
Every customer portal scanned on deploy via axe-core. Failures block deploy. Monthly external audit on the live multi-tenant app.
Regulation Fair Disclosure (17 CFR 243)
Active
Dual-approval workflow on every material disclosure. Auditable log of who posted, when, and to which channels simultaneously. Customers can produce this log under subpoena.
SEC Cybersecurity Disclosure Rule (2023)
Active
Incident response plan with 4-hour escalation to customer General Counsel on confirmed incidents. Quarterly attestations of cybersecurity posture.
US state privacy laws
Active
CCPA, CPRA, Virginia CDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, and incoming laws. Consent banner, opt-out, do-not-sell, and data subject access request tooling built in.
GDPR
On roadmap
Data residency in EU / UK AWS regions available on the Enterprise tier. DPA with standard contractual clauses on request.
Available at Enterprise
ISO 27001
On roadmap
Initiated when the first EU enterprise customer requires it. Gap assessment scheduled for Q2 2028.
Target 2028
Controls
Security program
Posture is continuous, not annual. Evidence is collected automatically; access is reviewed quarterly; drills are scheduled.
Encryption
TLS 1.3 in transit. AES-256 at rest. Enterprise customers can bring their own KMS keys.
Identity
SSO / SAML at Enterprise across Okta, Azure AD, Google Workspace, and Auth0. 2FA mandatory for every admin user.
Access control
Role-based access with principle of least privilege. Access reviewed quarterly. Offboarding automated.
Testing
Annual third-party penetration test. Report excerpt shared with Enterprise customers under NDA. Vulnerability disclosure program from day one.
Isolation
Row-level tenancy with tenant_id enforced at the ORM layer. Cross-tenant access tests run in CI. Schema-per-tenant option at Enterprise.
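Added illustration of the isolation control described above (example code, not DeckIR's own implementation): a tenant-scoped query layer that cannot be used without a tenant_id, plus the kind of check a cross-tenant access test in CI would assert. The Disclosure type, the ScopedQuery class and the sample rows are constructed for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Disclosure:
    id: int
    tenant_id: str
    body: str

class TenantScopeError(Exception):
    """Raised when code tries to run a query without binding a tenant_id."""

class ScopedQuery:
    """Stands in for the ORM layer: every read is filtered by one tenant_id."""

    def __init__(self, rows, tenant_id):
        if not tenant_id:
            raise TenantScopeError("tenant_id is required for every query")
        self._rows, self._tenant_id = rows, tenant_id

    def list(self):
        return [r for r in self._rows if r.tenant_id == self._tenant_id]

    def get(self, disclosure_id):
        # Match on id AND tenant, so an id guessed from another tenant yields None.
        for r in self._rows:
            if r.id == disclosure_id and r.tenant_id == self._tenant_id:
                return r
        return None

# Constructed sample rows in place of a real database table.
ROWS = [
    Disclosure(1, "tenant-a", "Q3 earnings release"),
    Disclosure(2, "tenant-b", "Material definitive agreement"),
    Disclosure(3, "tenant-b", "Guidance update"),
]

def cross_tenant_access_check():
    """What a CI cross-tenant test asserts: tenant A never sees B's rows, even by id."""
    a, b = ScopedQuery(ROWS, "tenant-a"), ScopedQuery(ROWS, "tenant-b")
    b_ids = [r.id for r in b.list()]
    return all(a.get(i) is None for i in b_ids) and [r.id for r in a.list()] == [1]

def unscoped_query_is_rejected():
    """An unbound query must fail closed instead of returning every tenant's data."""
    try:
        ScopedQuery(ROWS, "")
    except TenantScopeError:
        return True
    return False
```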
Backups
Point-in-time recovery with 30-day retention. Quarterly restore drills. Customer data cryptographically shredded within 90 days of deletion request.
Incident response
Clear clock. Clear comms.
01. Detection
Automated monitoring pages the on-call engineer within 5 minutes of any SLO violation or security signal.
02. Triage
On-call assesses severity (Sev 0 through Sev 3) within 15 minutes.
03. Escalation
Sev 0 and Sev 1 escalate to CTO, then to founder, within 30 minutes. Impacted customers notified within 4 hours.
04. Communication
Status page updated within 30 minutes. Customer-facing post-mortem published within 5 business days.
05. Retrospective
Blameless retrospective within 10 business days. Action items tracked to completion in the engineering backlog.
Subprocessors
Who we share data with, and why
Subprocessor list is maintained publicly. Customers are notified 30 days before any change.
| Subprocessor | Purpose | Data region |
|---|---|---|
| Amazon Web Services | Hosting, storage, email (SES) | us-east-1 (EU at Enterprise) |
| Polygon.io | Market data feed | United States |
| Stripe | Billing and invoicing | United States |
| Drata | Continuous compliance evidence | United States |
| Sentry | Observability and error tracking | United States |
| Zoom Events | Webcast hosting (optional module) | United States |
Reporting a vulnerability
We operate a vulnerability disclosure program from day one. Send reports to security@deckir.com or PGP-encrypted to the key published at /.well-known/security.txt. We acknowledge within one business day.