Security & Compliance
Why this document? You might ask, "If Shield has no SOC 2, how do we know it's secure?" This paper answers that question. We walk through the controls that keep customer data safe — leveraging certified vendors ("Secure by Association") and Shield's own technical safeguards.
1. Our security mindset
- Least-privilege by default. We grant the minimum access needed and review it quarterly.
- Defense in depth. Multiple layers — encryption, network isolation, monitoring — protect data even if one layer fails.
- Plain-English transparency. We keep jargon to a minimum so security and business teams can both assess risk quickly.
2. Secure by Association
| Vendor | Role | Certifications we inherit | Region | Notes |
|---|---|---|---|---|
| DigitalOcean | Primary hosting (App + DB) | ISO 27001, SOC 1/2 Type II | FRA1 (Frankfurt), AMS3 (Amsterdam) | Customer VPC; no shared DB instances. |
| PostHog EU Cloud | Product & feature analytics | ISO 27001 | DigitalOcean FRA (Frankfurt) | Strict EU data residency. |
| Google Workspace | Email, documents, incident chat bridge | ISO 27001, SOC 2 Type II | US under EU–US DPF | Metadata only; no production data. |
We verify each vendor's certificates annually.
3. Architecture & data residency
- Two EU regions — FRA1 & AMS3 — run in active-active mode; traffic is routed via Cloudflare Regional Edge inside the EEA.
- Production and staging live in separate VPCs; no public inbound ports — only HTTPS via Cloudflare tunnels.
- Databases (PostgreSQL) use row-level tenancy (organization ID) + at-rest encryption (AES-256).
4. Core security controls
4.1 Encryption
- In transit: TLS 1.2+ everywhere; HSTS enforced.
- At rest: DigitalOcean-managed volume encryption + application-level encryption for secrets (AES-256-GCM).
4.2 Access control
- SSO with Google Cloud Identity & Auth0; mandatory MFA for all Shield staff.
- Follows the principle of least privilege (PoLP).
- IP whitelisting and dedicated VPN access with MFA.
4.3 Secure development
- CI/CD pipeline runs Dependabot.
- GitHub Copilot code review.
- Four-eyes code review.
- Secrets scanning blocks commits.
4.4 Monitoring & logging
- System logs, metrics, and traces; logs retained 30 days.
- Critical alerts page an on-call engineer 24/7.
4.5 Backups & disaster recovery
- Encrypted snapshots every 6 hours; stored cross-region.
- RPO < 24 h, RTO < 4 h.
- Backups rotated after 30 days.
5. Privacy-preserving analytics
PostHog EU Cloud: self-hosted instance inside DigitalOcean FRA; cookie IDs are hashed; IPs are anonymized.
6. Incident response
- Detect – alerts trigger rapid incident response.
- Eradicate & recover – patch, restore, verify.
- Notify – customers + regulators within 24 hours if personal data is affected.
- Learn – post-mortem within 5 days, corrective actions tracked.
7. Sub-processor governance
- Live public sub-processor list: we maintain it on our Legal page, including each sub-processor's purpose, location, and security certifications.
- All sub-processors sign data-processing terms meeting or exceeding our own DPA obligations.
- We give customers 30 days' notice before we add any new sub-processor that will access customer personal or production data. Tools used only for Shield's internal business operations (e.g., CRM, design suites) are excluded.
8. Compliance mapping (quick-glance)
| Requirement | How we meet it |
|---|---|
| GDPR Art. 32 (Security of processing) | Encryption, access control, backups, testing. |
| GDPR Art. 28 (Processor obligations) | Self-serve DPA, sub-processor notice, audit. |
| EU–US DPF | Applies to Google Workspace metadata and Shield AI Agent prompts (see FAQ below). |
| ISO 27001 / SOC 2 | Covered via DigitalOcean & Google certifications. |
9. FAQ highlights
Do you have SOC 2?
Not yet. We rely on vendor certifications listed above and our own controls; SOC 2 is on the radar but not scheduled.
Is production data ever outside the EU?
Prompts for the Shield AI Agent (included in new trials) are processed by OpenAI and Anthropic in the US under the EU–US DPF (or SCCs if that framework becomes unavailable). Apart from those prompts and Google-Workspace metadata, no production data leaves the EU.
Can we run a penetration test?
Yes — contact security@shieldapp.ai; we require scope approval 5 days in advance.
10. Contact
Questions? Email security@shieldapp.ai.