Security

Last updated: May 1, 2026.

Hosting and encryption

  • Production runs entirely within the EU.
  • TLS protects data in transit.
  • Databases, object storage, and secrets use managed encryption at rest, with managed keys where configured.

Access control

  • Deployments use short-lived, federated credentials — no static cloud keys.
  • Access roles are scoped per service and environment, following least privilege.
  • Admin access requires authenticated accounts and will require MFA for production operations.

Vulnerability disclosure

Report security issues to security@impersona.io. The machine-readable policy is published at /.well-known/security.txt. A PGP key will be added before production launch.

Compliance & frameworks

Impersona.io maps to the threat-intelligence and monitoring controls in four common frameworks:

  • ISO 27001:2022 A.5.7 — Threat intelligence collection. Lookalike domain monitoring and external threat feeds satisfy this control.
  • NIST CSF 2.0 ID.RA-02 — Cyber threat intelligence from information-sharing forums and sources. Certificate Transparency and domain intelligence qualify.
  • SOC 2 CC7.2 — Monitoring for anomalies indicative of malicious acts. Brand impersonation detection supports this criterion.
  • NIS2 (EU) — Article 21 risk-management measures including external attack surface. Evidence packs support compliance documentation.

GDPR data-subject rights are built in for every user. SOC 2 and ISO 27001 certifications are on the roadmap. Evidence packs, audit-log exports, and API access support compliance reporting wherever you operate.

DPA

A Data Processing Addendum template is available for review: download DPA template.