Security
Last updated: May 1, 2026.
Hosting and encryption
- Production runs entirely within the EU.
- TLS protects data in transit.
- Databases, object storage, and secrets use managed encryption at rest, with managed keys where configured.
Access control
- Deployments use short-lived, federated credentials — no static cloud keys.
- Access roles are scoped per service and environment, following least privilege.
- Admin access requires authenticated accounts and will require MFA for production operations.
Vulnerability disclosure
Report security issues to security@impersona.io. The machine-readable policy is published at /.well-known/security.txt. A PGP key will be added before production launch.
Compliance & frameworks
Impersona.io maps to the threat-intelligence and monitoring controls in four common frameworks:
- ISO 27001:2022 A.5.7 — Threat intelligence collection. Lookalike domain monitoring and external threat feeds satisfy this control.
- NIST CSF 2.0 ID.RA-02 — Cyber threat intelligence from information-sharing forums and sources. Certificate Transparency and domain intelligence qualify.
- SOC 2 CC7.2 — Monitoring for anomalies indicative of malicious acts. Brand impersonation detection supports this criterion.
- NIS2 (EU) — Article 21 risk-management measures including external attack surface. Evidence packs support compliance documentation.
GDPR data-subject rights are built in for every user. SOC 2 and ISO 27001 certifications are on the roadmap. Evidence packs, audit-log exports, and API access support compliance reporting wherever you operate.
DPA
A Data Processing Addendum template is available for download and review.