Last Updated: March 11, 2026
Security architecture, certifications, data protection measures, and trust documentation for enterprise procurement teams and security reviewers.
ðŸ”
AES-256
Encryption at rest
🔒
TLS 1.3
Encryption in transit
✅
SOC 2 Type II
Infrastructure
✅
SOC 2 Type II
Database
Dr. Carlo Honrado deploys on Amazon Web Services, which is SOC 2 Type II certified. Dr. Carlo Honrado corporate SOC 2 Type II audit: in preparation, target Q4 2026.
Gap assessment complete. Remediation in progress. Target certification: Q1 2027.
ISO 42001 is the AI-specific management systems standard. Gap assessment scheduled for Q3 2026.
Business Associate Agreements are available for covered entities and business associates requiring HIPAA compliance. Contact us to initiate BAA execution before deploying Foresight in a HIPAA-covered environment.
Foresight includes a validation documentation package (URS, FRS, IQ/OQ/PQ templates, 21 CFR Part 11 compliance matrix, audit rights SLA). Dr. Carlo Honrado supports Computer Software Assurance (CSA) processes. Client validation execution is the client's responsibility.
EU AI Act high-risk provisions effective August 2, 2026. Technical documentation in preparation. Foresight identified as requiring full high-risk compliance assessment. Other products assessed as Limited Risk. Enterprise customers requiring EU AI Act documentation contact us.
GDPR-compliant Data Processing Addendum (DPA) available with Standard Contractual Clauses (SCCs) for international data transfers. See /legal/dpa.
Privacy Policy updated March 2026 to include California Consumer Rights section, Notice at Collection on all forms, and Do Not Sell/Share mechanism.
Cloud provider
Amazon Web Services — ECS Fargate, RDS PostgreSQL, S3, CloudFront
Primary region
United States (us-west-2)
Data residency
United States (default). EU data residency available for enterprise customers — contact us.
Encryption at rest
AES-256 for all data at rest in AWS RDS PostgreSQL and S3
Encryption in transit
TLS 1.3 for all connections. HSTS enforced.
Token encryption
AES-256-GCM with unique IV per token (OAuth access tokens for LinkedIn and Gmail)
Database isolation
Per-tenant row-level security and environment isolation. Admin and user data strictly separated.
Access control
Role-based access control (RBAC). Multi-factor authentication required for all admin access. Principle of least privilege enforced.
Backup frequency
Automated daily database backups with point-in-time recovery (AWS RDS Multi-AZ)
Uptime target
Website: 99.9% (AWS SLA). Enterprise product SLAs defined in Order Forms.
CDN / DDoS protection
AWS CloudFront with built-in DDoS mitigation
Rate limiting
Applied to all public API endpoints. Configurable per-customer for enterprise deployments.
Application Security
Access Management
Monitoring & Incident Response
Development Practices
Dr. Carlo Honrado welcomes responsible disclosure of security vulnerabilities. We are committed to working with the security research community to identify and address security issues promptly.
In Scope
Out of Scope
Safe Harbor
Dr. Carlo Honrado will not pursue legal action against security researchers who discover and report vulnerabilities in good faith, provided they: (1) do not access or modify data beyond what is necessary to demonstrate the vulnerability; (2) do not exploit the vulnerability for malicious purposes; (3) report promptly and maintain confidentiality until remediated; and (4) do not engage in denial of service, phishing, or social engineering.
How to Report
Email:
Subject line: "Security Vulnerability Report"
Include: Description of the vulnerability, steps to reproduce, potential impact, and your contact information
Encryption: For sensitive reports, request our PGP key before submission
Response Commitments
In the event of a security incident affecting personal data, Dr. Carlo Honrado commits to:
Enterprise customers may request our Incident Response Plan (IRP) document under NDA. Contact with subject line "IRP Documentation Request."
General security inquiries: — subject: "Security Inquiry"
Vulnerability reports: — subject: "Security Vulnerability Report"
Data breach notification: — subject: "Security Incident"
DPA / HIPAA BAA requests: — subject: "DPA Request" or "BAA Request"
SOC 2 report (under NDA): Available Q4 2026 — register interest at — subject: "SOC 2 Report Request"